For this installment of our series on how utilities can automate operations and planning processes, we get to say something unusual: NERC and its regional entities just made your life easier.
As compliance managers know, regulatory compliance doesn’t just fall to NERC. In the past, this has been a source of considerable headache. Each regional entity could and frequently did ask for different information in different formats. This put the burden on compliance teams to both thoroughly understand the requirements of each regional entity and ensure that they complied with those requirements in the right way at the right time.
Managing all these different requests became extra problematic when done manually. Without an automated solution, utilities usually manage their cyber asset inventory in spreadsheets. Each facility typically has its own spreadsheet, filled out by its own team, often in varying formats after years of being tweaked by the team to their specific preferences. Users end up copy/pasting information into each region’s unique audit data request form from their spreadsheets and database solutions, sometimes translating existing data into new values requested by the form along the way. As a result, the spreadsheets suffer from high levels of human error and frequently failed to meet the requirements of NERC and its regional entities.
The standardization and automation of evidence requests
So, back to NERC making your life easier. Regional entities worked together to standardize the audit request process into the CIP v5 Evidence Request template. That means that for the most part, you only have to worry about one type of evidence request instead of a handful of variations (slight caveat: Although regional entities are encouraged by NERC to use the standardized audit data request, they are not required to.) This is definitely a step in the right direction, even if you’re still using spreadsheets.
With an automated compliance solution like SigmaFlow, however, the new standardized format opens up even more opportunities to make your compliance program more efficient and effective. With SigmaFlow, an up-to-date v5 Evidence Request report can be generated with one click at any time, with the latest data, in the correct format.
How does it work? SigmaFlow processes your data as you work in the tool. Whenever you need to create a report, simply click a button, and it generates the CIP v5 Evidence Request spreadsheet pre-populated with your data. In this way, the report becomes a living document that’s always current instead of the one-time static snapshot provided by a manual spreadsheet. The SigmaFlow solution leverages the information already collected in the system to save time, reduce risk, and increase accuracy.
How to get up and running with one-click CIP v5 Evidence Request reports
For the one-click capability to work, of course, SigmaFlow does need access to data. If you already capture your cyber asset information within the tool, either directly or via integration, you’re all set. If you want to take advantage of one-click CIP v5 Evidence Request reports but do not currently capture cyber asset data within SigmaFlow, consider our Quick-Start Program.
The SigmaFlow Quick-Start Cyber Asset Data Model was created to enable utilities to ramp up quickly and realize ROI right away. We specifically configured the process to capture the precise data necessary to populate cyber asset-related tabs in the CIP v5 Evidence Request report and converted the v5 Evidence Request spreadsheet into a report template, so the output generated by the system (with your data) mirrors the format and structure of the CIP v5 Evidence Request Template’s original data request.
The image below illustrates the template populated with sample BES Asset data, related Cyber Asset data and VM data, which is a subset of Cyber Assets that have been identified as either virtual hosts or guests.
Whether you’re still using spreadsheets, have all of your data in SigmaFlow, or fall somewhere in between, the standardization of regional evidence requests is a good thing. But it’s also a great example of where and how automation can add value, transforming compliance around a standardized process into something that’s literally as easy as the click of a button.
Learn more about the SigmaFlow Quick-Start Program here, or contact us to discuss your needs.
For more on an Automated Approach to Operations and Planning Processes, check out the rest of the blogs in the series:
- Part 1: Why Automation Is Critical to Compliance Teams
- Part 2: Automating the Facility Ratings Management Process (FAC-008)
- Part 3: 6 Ways to Automate Your Facility Management Processes (FAC-008)
- Part 4: Managing Protection System Maintenance for Tactical and Strategic Advantage (PRC-005)
- Part 5: How Event-Driven Workflows Standardize and Streamline Protection System Misoperation Identification and Correction (PRC-004)
- Part 6: Data Submittals
- Part 7: Self-Reporting