
Antitrust Admonition

Texas RE strictly prohibits persons participating in Texas RE activities from using their participation as a forum for engaging in practices or communications that violate antitrust laws. Texas RE has approved antitrust guidelines available on its website. If you believe that antitrust laws have been violated at a Texas RE meeting, or if you have any questions about the antitrust guidelines, please contact the Texas RE General Counsel.

Talk with Texas RE
March 19, 2020

Coronavirus Response Page

Kenath Carver
Manager, CIP Compliance Monitoring

Supply Chain Risk Management
Top 16 Commonly Asked Questions

Supply Chain Risk Management Effective Date

July 1, 2020 (also Canada Day, Creative Ice Cream Flavors Day, International Chicken Wing Day, International Joke Day, and National Postal Worker Day)

Standards effective on that date:
● CIP-013-1
● CIP-005-6
● CIP-010-3

CIP-013-1 R1 Part 1.1

Question 1

Should a registered entity consider applying the Supply Chain Risk Management Standards to low impact BES Cyber Systems, Protected Cyber Assets (PCAs), Electronic Access Control or Monitoring Systems (EACMS), or Physical Access Control Systems (PACS)?

Answer 1

● Project 2019-03 Cyber Security Supply Chain Risks (PACS and EACMS):
  • CIP-005-7 Parts 2.4 and 2.5
  • CIP-010-4 Part 1.6
  • CIP-013-2 R1 Parts 1.1 and 1.2
● NERC Supply Chain Risk Assessment recommendation: "Include low impact BES Cyber Systems with remote electronic access connectivity in future modification of Supply Chain Standards."

Questions 2, 3, & 4

What does the term "vendor" mean?

Is a reseller applicable to Part 1.1?

Could a registered entity be considered a "vendor" if they are providing non-reliability services?

Answers 2, 3, & 4

Supplemental Material:

The term vendor(s) as used in the standard is limited to those persons, companies, or other organizations with whom the Responsible Entity, or its affiliates, contract with to supply BES Cyber Systems and related services. It does not include other NERC registered entities providing reliability services (e.g., Balancing Authority or Reliability Coordinator services pursuant to NERC Reliability Standards). A vendor, as used in the standard, may include: (i) developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.

Question 5

Is it necessary to implement CIP-013-1 R1 Part 1.1 for resellers if the contract is directly with the vendor?

Answer 5

● Part 1.1 is the identification and assessment of cyber security risks. A registered entity should identify and assess any cyber security risks that may be involved in purchasing such applicable hardware or software from the vendor that it is contracted with.
● Although the primary focus should be on the vendor you are contracted with, cyber security risks associated with the reseller should not be ignored as part of your cyber security risk identification and assessment.

Question 6

Should a registered entity identify and assess cyber security risks related to the vendor and/or product or service?

Answer 6

Both should be done to conduct an accurate cybersecurity risk identification and assessment:
● Vendor questionnaire
● Product or service questionnaire

Question 7

Does a registered entity need to mitigate identified and assessed cyber security risks?

Answer 7

FERC Order No. 829:

"The security objective is to ensure entities consider cyber security risks to the BES from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s); and options for mitigating these risks when planning for BES Cyber Systems."

Question 8

Prior to July 1, 2020, what if a registered entity has Cyber Assets that were purchased in bulk and stored as inventory, then after July 1, 2020, some or all are commissioned as a BCA? Does the registered entity have to implement CIP-013-1 R2?

Answer 8

● Any procurement on and after July 1, 2020, of BES Cyber Systems from vendor products or services resulting from: (i) procuring and installing vendor equipment and software; and (ii) transitions from one vendor(s) to another vendor(s) is subject to CIP-013-1.

Question 9

Should a registered entity include a provision for an after-the-fact cyber security risk identification and assessment under emergency situations?

Answer 9

● CIP-013-1 is applicable to any procurement regardless of the scenario, including an emergency.
● The registered entity should consider including language in its plan to address the potential for the use of purchasing cards in emergency situations.
● The registered entity should consider conducting an after-the-fact cybersecurity risk identification and assessment and implement any mitigations of the procurement.

Question 10

How often should a registered entity re-assess a vendor?

Answer 10

Based on a given registered entity's plan, for example:
● With every procurement (existing assessments could be leveraged)
● When certain "triggers" are met, such as the vendor being bought or sold
● Annually, bi-annually, etc.

Question 11

Can a registered entity use a third-party service to conduct a vendor cyber security risk identification and assessment?

Answer 11

Third-party services could be used to complement a registered entity's own cyber security risk identification and assessment.

CIP-013-1 R1 Part 1.2

Question 12

What if the registered entity's vendor cannot adhere to one or more sub-parts (1.2.1-1.2.6)?

Answer 12

● Registered entities should document and implement controls for Part 1.2 in the absence of vendor adherence.
● For example, if the registered entity's vendor is not notifying it of vendor-identified incidents, then a control that monitors US-CERT, ICS-CERT, E-ISAC, and NERC Alerts could be implemented.
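The compensating control in Answer 12 only works if each advisory that arrives from US-CERT, ICS-CERT, E-ISAC or NERC Alerts is checked against the vendor products the entity actually has deployed; otherwise the monitoring is just a mailbox. The Python below is an added example written for this page, not Texas RE or NERC code. The advisory records, the inventory, the field names and the advisory identifiers are constructed sample data in a shape chosen for the example; real feeds have their own formats and would need a fetcher and parser in front of match_advisories().

```python
"""Check published advisories against an inventory of deployed vendor products.

Added example for the compensating control in Answer 12. The advisories and
inventory below are constructed sample data in a shape chosen for this
example; real US-CERT / ICS-CERT / E-ISAC / NERC Alert feeds have their own
formats and need a fetcher and parser in front of match_advisories().
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    source: str          # feed the advisory came from
    advisory_id: str     # constructed identifier, not a real advisory number
    vendor: str
    product: str
    fixed_in: str        # versions below this are affected; "" means all versions
    published: str       # ISO date


@dataclass(frozen=True)
class Asset:
    asset_id: str        # entity's own asset identifier (constructed)
    vendor: str
    product: str
    version: str


def _norm(name: str) -> str:
    """Lower-case and strip punctuation so 'RTU-9000 Firmware' == 'rtu9000 firmware'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def parse_version(v: str) -> tuple:
    """'4.2.1' -> (4, 2, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter versions are zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Vendor and product must match after normalisation; then the version range."""
    if _norm(asset.vendor) != _norm(adv.vendor):
        return False
    if _norm(asset.product) != _norm(adv.product):
        return False
    return adv.fixed_in == "" or version_lt(asset.version, adv.fixed_in)


def match_advisories(advisories, inventory):
    """Return (advisory_id, asset_id) pairs that need the entity's Part 1.2 response."""
    return [
        (adv.advisory_id, asset.asset_id)
        for adv in advisories
        for asset in inventory
        if is_affected(asset, adv)
    ]


# Constructed sample data (vendors, products, versions and IDs are made up).
SAMPLE_ADVISORIES = [
    Advisory("ICS-CERT", "ADV-SAMPLE-001", "Acme Controls", "RTU-9000 Firmware", "4.2.0", "2020-03-02"),
    Advisory("NERC Alert", "ADV-SAMPLE-002", "Example Networks", "EdgeGate", "", "2020-03-10"),
]
SAMPLE_INVENTORY = [
    Asset("BCA-0101", "Acme Controls", "rtu-9000 firmware", "4.1.3"),   # affected
    Asset("BCA-0102", "ACME Controls", "RTU-9000 Firmware", "4.2"),     # equals the fix, not affected
    Asset("EACMS-0201", "Example Networks", "EdgeGate", "2.0"),         # all versions affected
    Asset("BCA-0103", "Other Vendor", "RTU-9000 Firmware", "1.0"),      # vendor mismatch
]

if __name__ == "__main__":
    for advisory_id, asset_id in match_advisories(SAMPLE_ADVISORIES, SAMPLE_INVENTORY):
        print(f"{advisory_id}: {asset_id} is affected")
```

Names are normalised before comparison because feeds rarely spell a vendor or product exactly as the asset inventory does, and shorter version strings are zero-padded so that 4.2 and 4.2.0 compare equal rather than 4.2 being treated as older. Each hit should go into the same Part 1.2 incident-notification and response path the entity would use if the vendor had notified it directly.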

Question 13

Could a registered entity provide a redacted (due to confidentiality issues relating to the contract and associated communications) executed contract, attestation(s) from vendor and internal supply chain personnel, and internal processes/procedures as evidence of implementation for CIP-013-1 R2?

Answer 13

● An executed contract demonstrating Part 1.2 was addressed could be sufficient to demonstrate compliance if the registered entity also provides additional supporting evidence such as processes/procedures, email communications, and attestations.
● The registered entity should not reveal any sensitive or proprietary information that would cause a breach of contract.

CIP-005-6 R2 Part 2.4

CIP-005-6 R2 Part 2.5

Question 14

Does a registered entity have to demonstrate evidence that method(s) are implemented?

Answer 14

● Evidence of the capability
● Level 2 Sample Sets
  • Logs
  • Configurations
  • Screenshots
● Live Demonstrations

CIP-010-3 R1 Part 1.6

Question 15

If the registered entity's "method to do so" is not available, does the registered entity need to demonstrate evidence?

Answer 15

● Evidence must be provided to demonstrate the "method to do so" was not available, for example:
  • Change Request Tickets
  • Dated evidence
  • Logs

Question 16

Is open-source software in scope for CIP-013-1 and CIP-010-3?

Answer 16

● A registered entity should implement its cyber security risk identification and assessment for all procurements of open-source software on all applicable systems.
● A registered entity should implement a method to verify the identity of the source and the integrity of the open-source software on all applicable systems.
● Document controls implemented that minimize the risks associated with open-source software.
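Answers 15 and 16 come down to the same two checks with dated evidence behind them: that the software was obtained from where the vendor or open-source project says it is published, and that what was obtained is intact, plus a dated record of the case where the source offers no digest or signature at all (the "method to do so" not being available). The Python below is an added example for this page, not Texas RE or NERC code and not any vendor's tooling. The trusted download host, the published digest, the change-request number and the artifact bytes are all constructed for the example, and the source-identity check is deliberately the simplest one possible (the download host is on the list the vendor documents). Where a vendor or project publishes a detached signature, verifying it is the stronger integrity check and its result belongs in the same record.

```python
"""Source identity and integrity checks with a dated evidence record.

Added example for the checks discussed in Answers 15 and 16. Every value
below (trusted host, published digest, ticket number, artifact bytes) is
constructed sample data for this example, not real vendor data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed policy table: download hosts the vendor documents for its
# software. "Source identity verified" here means the artifact was obtained
# from one of these hosts; a vendor signature check would go on top of this.
TRUSTED_SOURCES = {
    "Acme Controls": {"downloads.acme-controls.example"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_source_identity(vendor: str, download_url: str) -> bool:
    """True if the URL's host is one the vendor documents for downloads."""
    host = (urlsplit(download_url).hostname or "").lower()
    return host in TRUSTED_SOURCES.get(vendor, set())


def verify_integrity(artifact: bytes, published_sha256):
    """Compare the artifact's SHA-256 against the vendor-published digest.

    Returns "verified", "mismatch", or "method_not_available" when the
    vendor publishes no digest (the Part 1.6 "method to do so" case).
    """
    if not published_sha256:
        return "method_not_available"
    actual = sha256_hex(artifact)
    expected = published_sha256.strip().lower()
    # Constant-time comparison; the digest is public, but this keeps the
    # comparison uniform with any secret-bearing checks added later.
    return "verified" if hmac.compare_digest(actual, expected) else "mismatch"


def build_evidence(vendor, download_url, artifact, published_sha256, ticket):
    """Dated, self-describing record to attach to the change request ticket."""
    identity_ok = verify_source_identity(vendor, download_url)
    integrity = verify_integrity(artifact, published_sha256)
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "change_request": ticket,
        "vendor": vendor,
        "download_url": download_url,
        "source_identity_verified": identity_ok,
        "artifact_sha256": sha256_hex(artifact),
        "published_sha256": published_sha256,
        "integrity_result": integrity,
        # A missing digest is documented and may proceed; a mismatch or an
        # untrusted source must not.
        "proceed_with_change": identity_ok and integrity != "mismatch",
    }


# Constructed sample input (not a real firmware image, URL, digest or ticket).
SAMPLE_URL = "https://downloads.acme-controls.example/rtu9000/fw-4.2.0.bin"
SAMPLE_ARTIFACT = b"RTU-9000 firmware 4.2.0 (constructed sample bytes)\n"
SAMPLE_PUBLISHED = sha256_hex(SAMPLE_ARTIFACT)  # stands in for the digest in the vendor's release notes
SAMPLE_TICKET = "CR-2020-0042"


def demo():
    """Four cases: good download, tampered bytes, no digest available, untrusted host."""
    return {
        "good": build_evidence("Acme Controls", SAMPLE_URL, SAMPLE_ARTIFACT, SAMPLE_PUBLISHED, SAMPLE_TICKET),
        "tampered": build_evidence("Acme Controls", SAMPLE_URL, SAMPLE_ARTIFACT + b"\x00", SAMPLE_PUBLISHED, SAMPLE_TICKET),
        "no_digest": build_evidence("Acme Controls", SAMPLE_URL, SAMPLE_ARTIFACT, None, SAMPLE_TICKET),
        "untrusted": build_evidence("Acme Controls", "https://mirror.example.net/fw-4.2.0.bin", SAMPLE_ARTIFACT, SAMPLE_PUBLISHED, SAMPLE_TICKET),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is what gets attached to the change-request ticket: it carries the timestamp, the ticket number, the digest actually computed and the digest the vendor published, so the "no_digest" case is itself dated evidence that the method was not available, and the "tampered" and "untrusted" cases show the change being stopped rather than silently logged.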

Questions?