NERC CIP v7 Standards and Requirements
CIP-002-5.1 - BES Cyber System Categorization
CIP-002 R1 - Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: Control Centers and backup Control Centers; Transmission stations and substations; Generation resources; Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements; Special Protection Systems that support the reliable operation of the Bulk Electric System; and For Distribution Providers
CIP-002 R1.1 - Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset;
CIP-002 R1.2 - Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset;
CIP-002 R1.3 - Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
CIP-002 R2.1 - Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1,
CIP-002 R2.2 - Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.
CIP-003-7 - Security Management Controls
CIP-003 R1 - Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics:
CIP-003 R2 - Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
CIP-003 R3 - Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change.
CIP-003 R4 - The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the name or title of the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to be reinstated with a change to the delegator.
CIP-003 Attachment 1 Section 2 - Lows Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2) the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s) implemented for Section 3.1, if any.
CIP-003 Attachment 1 Section 3 - Lows Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for