Tony Purgar CIP Compliance Workshop Baltimore, MD August 19-20, 2009 1.

Tony PurgarCIP Compliance Workshop

Baltimore, MDAugust 19-20, 2009

1

Background

Overview – Initial TFE Program Proposal (dated March 16, 2009)

Overview - “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions” (dated July 1, 2009)

Where Are We Today?◦ “Joint NERC and RE Proposal to Implement TFE

Evaluations”

Next Steps

2© ReliabilityFirstCorporation

January 18, 2008: FERC issued Order No. 706 approving mandatory Reliability Standards for CIP and directed NERC to establish a procedure for the submission, review, audit and approval of Technical Feasibility Exceptions (TFEs)

◦ Specifically, NERC as the ERO was directed “to develop a set of conditions or criteria that a responsible entity must follow when relying on the technical feasibility exception contained in specific requirements of the CIP Reliability Standards.”

◦ Also, “technical feasibility exceptions should be reported, justified and subject to approval by the ERO or relevant Regional Entity.”


March 16, 2009: NERC posted a “Request for Comments on Proposed Procedure for Requesting and Receiving Technical Feasibility Exceptions to NERC CIP Standards and Related Amendments to NERC Rules of Procedure” - Initial TFE Program Proposal◦ April 30, 2009: Comments due◦ April-May, 2009: Over 50 different sets of comments

were received Review of comments and evaluation of additional

approaches is ongoing


May 16, 2009: Order No. 706-A issued◦ FERC “expects Regional Entities to process and

evaluate requests for technical feasibility on a fair and consistent basis.”

◦ NERC would have discretion to develop uniform procedure (i.e. revision to NERC RoP) to establish level of consistency in processing TFEs


July 1, 2009: NERC released “Compliance Process Bulletin #2009-006 Interim Approach to Technical Feasibility Exceptions”◦ Provides guidance to REs and affected Registered

Entities concerning applicability & implementation of NERC CIP Standards that refer to “technical feasibility” and/or “technical limitation” pending the adoption of permanent program to address TFEs.


Applicable only to specific requirements in CIP-002 through CIP-009

Proposed process was a modification to the NERC Rules of Procedure

Modeled after the Self Report of Non-Compliance with Mitigation Plan

An “Exception” not an “Exemption” from Compliance


Applicable Requirement: A Requirement of a CIP standard that expressly provides either◦ (i) that compliance with the terms of the

Requirement is required where or as technically feasible, or

◦ (ii) that technical limitations may preclude compliance with the terms of the Requirement

Covered Asset: A Cyber Asset or Critical Cyber Asset that is subject to an Applicable Requirement


Eligible Reviewer: A person who has the required security clearances or other qualifications, or who otherwise meets the applicable criteria, to have access to classified National Security Information, NRC Safeguards Information, or Protected FOIA Information, as applicable to the particular information to be reviewed.

Expiration Date: The date on which a TFE expires, as specified in the approved TFE Request or in a Notice of Revocation.


National Security Information (NSI): Information classified by an Executive Order, whose compromise would cause some degree of damage to the national security.

Protected FOIA Information: Required Information, held by a governmental entity, that is subject to an exemption from disclosure under FOIA (5 U.S.C. §552(e)) or any similar state or local statutory provision which would be lost were the Required Information to be placed into the public domain. ◦ [NOTE: This definition should be interpreted to include

any Canadian or provincial provisions similar to FOIA.]


Region: The geographic boundaries of a Regional Entity.

Regional Entity: The organization that has compliance enforcement authority for the Critical Asset supported by the Covered Asset that is the subject of the TFE request.

Responsible Entity: A user, owner or operator of the Bulk Electric System that is registered in the Compliance Registry and is responsible for complying with an Applicable Requirement, as specified in the Applicability section of the CIP Standard.


Safeguards Information (SGI): Safeguards information is a special category of sensitive unclassified information authorized by Section 147 of the Atomic Energy Act to be protected. ◦ Safeguards information concerns the physical protection of

operating power reactors, spent fuel shipments, strategic special nuclear material, or other radioactive material.

Senior Manager: The person assigned by the Responsible Entity, in accordance with CIP Standard CIP-003-1 Requirement R2 (or subsequent versions), to have overall responsibility for leading and managing the Responsible Entity’s implementation of, and adherence to, the CIP Standards.


Strict Compliance: Compliance with the terms of an Applicable Requirement without reliance on a Technical Feasibility Exception

Technical Feasibility Exception or TFE: An exception from compliance with the terms of an Applicable Requirement on grounds of technical feasibility or technical limitations in accordance with one or more of the criteria defined within the TFE Basis for Approval

TFE Request: A request submitted by a Responsible Entity in accordance with the published Interim TFE process for an exception from Compliance with an Applicable Requirement


When Strict Compliance with an Applicable Requirement:

Is not technically feasible

Is not operationally feasible

Is precluded by technical limitations

Could adversely affect the reliability of the Bulk Electric System to an extent that outweighs the reliability benefits of Compliance with the Applicable Requirement


While technically and operationally feasible, cannot be achieved by the Compliance Date due to such factors as:◦ Scarce technical resources

◦ Limited availability of required equipment or components

◦ Need to construct, install, or modify equipment during planned outages


Would pose safety risks or issues that outweigh the reliability benefits of Strict Compliance

Would conflict with, or cause the Responsible Entity to be non-compliant with a separate statutory or regulatory requirement that cannot be waived

Would incur costs that exceed the benefits of Compliance


Responsible Entity is required to implement and maintain an alternate approach to achieving compliance through the use of compensating and/or mitigating measures

TFE will typically be approved for a limited duration◦ Normally requires expiration date

Compliance with applicable requirement is expected

◦ Open-ended TFE allowed under limited conditions if justified, with periodic review to perpetuate TFE


Separate submission for each TFE request◦ For each Applicable Requirement pertaining to each

Covered Asset.

Can group multiple, similar Covered Assets into one submission◦ Same or multiple locations

◦ Same basis for TFE

◦ Same compensating and mitigating measures

◦ Similar proposed Expiration Dates


Responsible Entity name

Contact information, including how NERC may arrange to view confidential information

Location of Covered Asset

Applicable Requirement

Narrative discussion and analysis of the basis for approval

Narrative discussion and analysis of compensating and mitigating measures, including how and to what extent the measures will reduce risk


List of confidential information to be reviewed onsite along with criteria to be an Eligible Reviewer

Proposed implementation and reporting schedule

Proposed plan and time schedule for terminating TFE and achieving Strict Compliance◦ Detailed steps and milestone schedule for achieving Strict

Compliance, or

◦ Specific research, design, analytical, testing, or other activities, with schedule, to determine a means to achieve Strict Compliance


Justification for requesting TFE with no expiration date

If Expiration Date is longer than one year, a proposed schedule for submitting reports to NERC on continuing need and justification for TFE◦ Reports must be submitted at least annually

Statement, signed by the Sr. Manager, acknowledging that the Sr. Manager has read and understands the TFE request and recommends approval


Preliminary Review to confirm all requirements of submission are satisfied◦ Unique identifier assigned

◦ If Submission is complete, NERC sends notice accepting TFE as complete

◦ If Submission is incomplete, NERC sends notice rejecting the TFE NERC shall indentify missing content. Responsible Entity may resubmit


Substantive Review for Approval/Disapproval◦ 60-day review period, can be extended

◦ If not approved, disapproved, or extended within review period, TFE automatically disapproved

◦ Notice of Approval or Disapproval (with option to appeal)

◦ NERC shall perform wide-area analysis collaborating with other Regional Entities and Responsible Entities


Reason for Disapproval stated in notice

NERC may state revisions to TFE that would result in approval of TFE Request if resubmitted◦ NERC not required to identify revisions

Requester has 30 days from time of notice to ◦ Resubmit TFE with NERC identified revisions, or ◦ Submit a mitigation plan to achieve Strict Compliance

Mitigation Plan processing shall follow CMEP


Findings of Violations and Imposition of Penalties will be deferred during TFE Review◦ Deferment starts with acceptance as complete◦ Deferment ends with notice of approval or

effective date of disapproval

Once TFE is approved, deferment continues as long as the TFE remains in effect and/or progress to Strict Compliance remains on schedule


Responsible Entity to submit timely periodic and other reports as specified in approved TFE request◦ Covers progress implementing

Compensating and/or mitigating measures Steps, research, analysis to achieve strict compliance


TFE can be revoked if progress milestones not met, mitigation not maintained, or reports not submitted◦ TFE amendment can be requested, if needed◦ No guarantee amendment will be accepted

NERC may initiate Revocation Investigation◦ Can revoke TFE prior to Expiration Date - may

become Alleged Violation◦ Can advance Expiration Date◦ Can impose additional requirements


Responsible Entity can amend a pending TFE Request at any time the TFE is under review by NERC◦ Provide additional information◦ Revise required information

Can resubmit the entire TFE as amended or only the portion being amended if easily separable

May result in extension of review period


Responsible Entity may submit amendment to approved TFE requesting revision to any TFE requirement. ◦ For example:

Revised compensating/mitigating measures Extension to implementation schedule Extension of Expiration Date

May submit entire TFE or only amended portions


Responsible Entity must include:◦ Narrative explanation of the amendment◦ Reason and purpose of the amendment◦ Reasons approved TFE requirements cannot be met

NERC will review for completeness and accept or reject the submission

If complete, NERC will perform substantive review to approve or disapprove

Approved TFE replaces previous TFE


Notice Required to NERC◦ At least 30 days prior to Expiration Date

◦ Signed and dated by Sr. Manager

◦ Asserts Responsible Entity has or will be able to achieve Strict Compliance by Expiration Date

Audit of Strict Compliance included in next Compliance Audit, even if not originally planned in the audit program


Hearing can be requested before the Compliance and Certification Committee (CCC)◦ Dispute rejection or disapproval of TFE request

◦ Dispute rejection or disapproval of proposed amendment

◦ Dispute Revocation Notice

Adverse final order of the CCC can be appealed to the Board of Trustees Compliance Committee (BOTCC)


“Interim Guidance” document◦ Background

◦ Approach

◦ Submittal Requirements

◦ Regional Activities

◦ TFE Disapproval

◦ TFE Compliance


Posted July 1, 2009 as guidance to REs and affected Responsible Entities for addressing TFEs pending the adoption of permanent program.

Interim process is required to address TFEs for requirements for which certain Responsible Entities reached the “C-Compliant” stage on July 1, 2009 per the CIP Implementation Plan.


Without formal TFE process, REs will need to address TFEs in context of CIP Audits, Investigations and Spot-Checks

Responsible Entities asserting TFE must provide documentary support for the assertion of the TFE.◦ Basic information and particulars of TFE

◦ Information justifying appropriateness of TFE

◦ Information concerning mitigating and compensating measures to be implemented with TFE to reduce risk to reliability of BES.


Responsible Entities should submit TFE through an appropriately secure means acceptable to RE◦ Secure Portal◦ Encrypted e-mail

Should be submitted prior to time the Responsible Entity receives notice of a CIP audit or spot-check, ideally at time Responsible Entity is in “C-Compliant” stage of implementation


REs to provide time for TFE submission to Responsible Entities that will reach “C-Compliant” stage for specific requirements OR that received CIP audit / spot-check notices prior to July 1, 2009

REs should receive TFE request at least 30 days prior to site visit of any audit or spot-check


Identification of Standard & Requirements for which the TFE is being asserted

Description of assets, critical assets, and critical cyber assets affected by TFE, including vendor documentation detailing specific limitation of relevant equipment


Explanation of why TFE is necessary

Documentation of date TFE was approved by Senior Manager or delegate(s)

Description of mitigating and compensating measures taken by Responsible Entity to address all risks to reliability of BES


If applicable, list of which other Regions the Responsible Entity is seeking TFE request

Time period for which TFE is to remain in place◦ Specify Effective date and Actual or Expected End date

Evidence that the TFE assertion is in fact required based on factors outlined in the proposed Appendix 4D to the RoP, in TFE Program Proposal◦ Refer to “TFE Basis for Approval” section of this

presentation


Documentation and evidence of implementation plan that achieves a comparable level of security to the requirement for which TFE is being claimed

Remediation plan and timeline for eliminating use of TFE or evidence that remediation by certain date is not feasible due to technical limitations or other just cause.


Auditors will consider the “Basis for Approval” factors and any evidence to determine whether compliance could be found based on TFE assertion◦ Mitigating and Compensating measures will be

evaluated


Auditors required to document Audit or Spot Check Reports that include (when applicable):◦ Whether Registered Entity asserted a TFE request

◦ Basis for accepting TFE as part of findings of compliance

◦ Basis for rejecting TFE as part of findings of possible violations “Contrary to current practice, any spot-check report

documenting one or more TFEs MUST be submitted to NERC”


If TFE rejected, Auditors to send notice of disapproval and reasons for disapproval◦ May suggest revisions that, if made, would lead to

approval

◦ Shall specify effective date


Revised TFE may be submitted during period from notice date to effective date◦ If re-submitted as specified, Auditors issue notice

of approval and consider TFE in findings

◦ If not re-submitted, case enters Enforcement space as possible violation


If Responsible Entity is found in Compliance based on TFE, finding will remain in effect until earlier of: ◦ Responsible Entity’s next audit;

◦ Subsequent compliance action identifies a failure to comply with mitigation, compensating or remediation plans submitted with TFE request;

◦ Effective date of formal program adopted to review and approve TFEs, at which time the Responsible Entity would be expected to formally submit TFE request through formal program


NERC and REs are closely collaborating to develop an efficient, secure and manageable permanent TFE program

“TFE Program Proposal” and “Interim Guidance” documents provide the framework for a permanent TFE program

“Interim Guidance” is official pending updates or the adoption of a permanent TFE Program

Latest Submission = Joint NERC and RE Proposal to Implement TFEs


Background

Applicability

TFE Requests and Responsibilities of Registered Entities

Procedures for Evaluation of a TFE Request (Regional Entities and NERC)

Regional Entities’ Roles and Responsibilities

NERC’s Roles and Responsibilities


Per Orders 706 & 706-A, NERC/REs defined these characteristics for the proposed TFE program:◦ Produce the information needed to review and approve

TFE Requests;

◦ Be straightforward and not unduly burdensome to NERC, REs and Responsible Entities;

◦ Maintain security of sensitive information per §1500 of NERC RoP;

◦ Leverage existing resources at NERC & REs;

◦ Minimize processing burden due to large volumes of TFEs

◦ Clearly define roles/responsibilities of NERC, REs and Responsible Entities


NERC will be responsible for oversight, implementation and consistency of TFE Program implementation, including oversight at the Regional Entity

NERC and REs shall:◦ Establish uniform processes & tools to receive,

catalogue and approve TFE requests Using existing NERC and Regional Entity Systems Ensuring CEII and other confidential information is

secure at all times per §1500 of NERC RoP

◦ Approve common templates and electronic forms

◦ Maintain list of requirements eligible for TFE Requests Including evaluation and proposal of class-type TFEs

applicable to broad classes of devices & equipment50© ReliabilityFirstCorporation

Requirements eligible for TFE Request:◦ CIP-005-1/R2.4◦ CIP-005-1/R2.6◦ CIP-005-1/R3.1◦ CIP-005-1/R3.2◦ CIP-006-1/R1.1◦ CIP-007-1/R2.3◦ CIP-007-1/R3.2◦ CIP-007-1/R4◦ CIP-007-1/R4.1◦ CIP-007-1/R5.3◦ CIP-007-1/R6.◦ CIP-007-1/R6.3.

NERC will revise this list as Reliability Standards are revised and approved by FERC.

Added based on recent discussions with FERC and the REs


Responsible Entity expected to prepare TFEs that:◦ Achieve goals of eligible requirement

◦ Mitigate any potential impacts to reliability of BES

◦ Provide for timely transition to Compliance w/o TFE


TFE Request - Submittal Process (Part A & Part B)◦ Part A:

Signifies notice to RE of a TFE Request

Submitted electronically via Form/Template through a secure portal or alternate format designated by RE

Documents detailed information for REs to determine if TFE should be accepted on interim basis

Documents data for NERC to develop wide-area Annual Report to FERC and for NERC’s oversight of TFE process

Shall be confidentially posted to a RE db and available for review by NERC and other REs to ensure consistency

Used by RE to implement electronic system for receiving and cataloguing TFE requests


TFE Request - Submittal Process (Part A & Part B)◦ Part B: Detailed information for determining if TFE

should be granted including: Documents, drawings & other information needed for details

and justification of TFE

Description of mitigating measures in use to meet the purpose of the Std/Requirement while TFE is in effect

◦ Available onsite for RE/NERC review during audit, spot-check or other compliance inquiry In special cases, RE can require all or portion of information

is filed with RE, provided this can be done securely with NO compromise of sensitive information

◦ Must be completed at same time as Part A.


Initial (Preliminary) TFE Review◦ Completed within 60 days of submittal◦ Upon completion, RE to notify Responsible

Entity: TFE accepted on interim basis TFE deficient but could be accepted with changes TFE denied with justification

If deficient, RE to provide instruction to make TFE acceptable◦ 30 days to resubmit minor correction◦ 60 days to resubmit major correction


Final (Substantive) TFE Review◦ Starts after Interim Acceptance and is completed

within 360 days of submittal

◦ Review verifies supporting documentation and that Responsible Entity is performing compensating measures to eliminate TFE

◦ Review will be at Entity site or via alternate means with adequate protection of sensitive data

◦ Review will conclude one of the following: Final Approval Conditional Approval subject to certain changes being

made in a specific timeframe Revocation


RE can request additional time to complete review (no more than 60 days)

RE to provide final report to NERC within (30) days after detailed review and closure

REs to manage Enforcement process, and as needed, the Hearing process when TFE not accepted OR when entity fails to implement outlined measures

Appeals of rejected TFEs to be addressed via normal Compliance process and hearings, if necessary


August, 2009◦ Joint Proposal to be finalized

◦ TFE Package to posted for public comment Joint Proposal New proposed Appendix 4D to the NERC RoP Part A Electronic Form with Instructions


September, 2009◦ Comments on TFE Package due

◦ Updated Interim Guidance to be posted

◦ Part A Form implemented to start accepting TFE Requests

◦ Development of permanent TFE Program to continue

◦ Revisions to NERC’s RoP, the CMEP and a new Appendix 4D to NERC’s RoP (based on Initial TFE Program Proposal)

To be filed with FERC for approval


Tony Purgar CIP Compliance Workshop Baltimore, MD August 19-20, 2009 1.

Documents

Transcript of Tony Purgar CIP Compliance Workshop Baltimore, MD August 19-20, 2009 1.