The Lighthouse: CIP low impact from the ground up – Part 4, Identifying your CIP Senior Manager

By Lew Folkerth, Principal Reliability Consultant, External Affairs

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. There are times that I also may discuss areas of the standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.

Photo: Mendota Lighthouse in Mohawk, Michigan (Lew Folkerth)

In this series of articles, I’ll explore the NERC CIP Standards applicable to low impact Bulk Electric System (BES) Cyber Systems. These articles are my opinions only – consider them to be my advice to you. Most of this advice will reference the enforceable language of the Reliability Standards, and I’ll quote the applicable wording or provide links to the applicable documents. The enforceable language of the standards will always govern, and if you think my advice conflicts with this language, please let me know.

In providing this advice, I will tell you what you must accomplish and what you should accomplish with your compliance program. But I cannot tell you how to be compliant. How you implement these standards is individual to each organization.

I’m going to assume you are new to the CIP Standards. I will begin with some foundational material before progressing to more advanced topics and provide links that may be useful for your own reference library.

The designation of a management official to be responsible for an entity’s cyber security program has been included in every version of the North American Electric Reliability Corporation (NERC) cyber security standards. The best statement of the reason for this may be the Federal Energy Regulatory Commission’s (FERC) determination in FERC Order 706 at P381: “The Commission’s intent is to ensure that there is a clear line of authority and that cyber security functions are given the prominence they deserve.”

With this background in mind, let’s take a close look at the NERC Glossary of Terms definition of CIP Senior Manager:

“A single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011.”

“A single senior management official”

The designation of the CIP Senior Manager may be the most important single decision in your program. Your CIP Senior Manager is the person you task with ensuring the CIP standards are applied to your operational systems. You can think of your CIP Senior Manager as the equivalent of a chief information security officer, but for operational assets rather than information assets. Your CIP Senior Manager should understand both security issues and compliance issues and be able to communicate those issues to executives in understandable terms.

The senior management official must be just one person, not a team, group, or other multi-person entity. The senior management official must be identified by name, not as just a role or job title.

If you have multiple NERC registrations (multiple NCR numbers), you are allowed to have a different CIP Senior Manager for each registration.

“with overall authority and responsibility”

The intent of this phrase is that one and only one person has accountability for Critical Infrastructure Protection (CIP) compliance. In effect, any failure of the compliance program is, in some way, a failure of the CIP Senior Manager. This makes clear the requirement for the manager to be placed highly enough in the organization that every facet of the CIP compliance program is under the manager’s authority. It also requires that the CIP Senior Manager’s authority span all of the business units at an entity. This helps to prevent “silos” of compliance, where differing business units have what amounts to separate compliance programs.

“for leading and managing”

The CIP Senior Manager is not only expected to approve a few documents but is expected to be the head of the corporate CIP compliance program. The designated person is expected to be both a leader and a manager, both to inspire and to be certain that the job is done using the appropriate resources across the entity.

“implementation of and continuing adherence to the requirements” of the CIP Standards

Implementation is particularly important for newly registered entities. How will your entity become compliant with the standards? What will the applicable security controls look like? What will the internal controls look like? And, for “continuing adherence,” how will you implement these requirements in a sustainable and auditable manner?

What your organization MUST do

Identify a CIP Senior Manager

You must identify a single CIP Senior Manager by name. You must also comply with the implied requirement to provide a date of designation. An audit team will need to see evidence that you have had a CIP Senior Manager identified for the entire audit period. If your evidence does not include a date of designation, the audit team will not be able to obtain reasonable assurance that you have had a CIP Senior Manager identified for the entire audit period. See Part 5 of this series, Quality Evidence (coming soon), which will include an example of a CIP Senior Manager designation.

Grant responsibility and authority

Assigning responsibility is easy. Granting authority is hard. The CIP Senior Manager must have both. The CIP Senior Manager must also have adequate resources to be able to perform the function, or the grant of authority will be perceived as just for show. The CIP Senior Manager must have the staff and budget to be able to perform effectively.

Initial implementation

Your CIP Senior Manager must have the responsibility and authority to implement the program required to adhere to the NERC CIP Standards, especially if your program is in development, and to implement revisions to the program as the standards are updated and as they become applicable.

Ongoing compliance

Compliance is like security. It’s a process, not an end state. Your CIP Senior Manager must have the responsibility and authority to maintain continuous CIP compliance.

What your organization SHOULD do

The purpose of a good CIP compliance program is to monitor your operational technology (OT) cyber security program to ensure all security processes are performed in an appropriate and timely manner. To this end, your CIP Senior Manager should also have authority over your OT cyber security program. I discuss this concept in more detail in my article “The role of the executive in CIP compliance.”

What your CIP Senior Manager MUST do

Your CIP Senior Manager must be both a leader and a manager.

This means leading their team to find new and creative ways to perform CIP compliance and improve security. This also means managing their team to ensure all compliance tasks are completed correctly, completed on time, and that evidence of completion is captured.


At the low impact level, your CIP Senior Manager has two required functions to perform:

  1. Approve the cyber security policies developed pursuant to CIP-003-8 (Security Management Controls) R1 at least once every 15 calendar months; and
  2. Either:
    a. Approve the list of assets containing low impact BES Cyber Systems pursuant to CIP-002-5.1a (BES System Categorization) R2 at least once every 15 calendar months, or
    b. Delegate the approval of this list (see next section).

What your CIP Senior Manager MAY do

In one of the few optional requirements in the NERC CIP Standards, your CIP Senior Manager can delegate certain actions of the CIP Senior Manager’s required tasks. CIP-003-8 R4 tells us how this may be done.

The CIP Senior Manager may delegate authority for approvals required by a CIP standard that contains the language, “CIP Senior Manager or delegate.” This language appears only three places in the NERC CIP Standards: CIP-002-5.1a R2 (approval of CIP-002-5.1a R1 identifications), CIP-007-6 R2 (Part 2.4 extensions to patch management mitigation plan timeframes), and CIP-013-2 R3 (approval of supply chain cyber security risk management plans). Note that of these three, only CIP-002-5.1a R2 is applicable to low impact.

If the CIP Senior Manager does not choose to delegate any authority, no action is needed. An audit team will be able to verify that delegation did not occur because all approvals that could have been delegated will be performed by the CIP Senior Manager. I suggest that, for completeness, you document the decision of the CIP Senior Manager that no authority will be delegated.

If the CIP Senior Manager does choose to delegate authority, then you must have a documented process for these delegations. This process must include documenting the name or title of each delegate, the specific action or actions delegated (preferably including the applicable CIP standard and requirement), and the date of delegation. The process must require the approval of each delegate by the CIP Senior Manager.

The process must also require that changes to any delegation be documented within 30 days. If your process calls for documenting the delegate by name, then be careful to catch any personnel changes within 30 days of the change. If your process calls for documenting the delegate by title, then watch out for organizational changes such as reorganizations or promotions that result in a title change. Be sure to keep all change records so you can demonstrate who was the approved delegate at any time during an audit period.

Once the delegation process is in place, be sure to review the resulting evidence of the delegations and the actual approvals by any delegate. I’ve seen cases where a delegation was made by title, but the delegate did not include their title on the signed document. I’ve also seen cases where the delegate’s name in the delegation document did not match the way the delegate signed the approval. Either of these cases could cause an audit team to need additional evidence. Ensure you can demonstrate that the person performing the approval is delegated that authority per your process. The most effective method of doing this I’ve seen is to attach a copy of the delegation to each document the delegate signs.

What your CIP Senior Manager SHOULD do

In addition to leading and managing your CIP program, the CIP Senior Manager is in a unique place to communicate the challenges and benefits of operational technology cyber and physical security to executive management, and to bring executive management’s views to the compliance and security staff.

The CIP Senior Manager should also keep a finger on the pulse of compliance in the organization. I’ll go into my recommendations for the CIP Senior Manager as I cover the remaining topics in this series.