CIP Version 5 (CIP V5) will bring a large number of BES Cyber Systems (in version 3, called Critical Assets) under CIP accountability that were not covered under version 3. This includes many companies that have previously not been required to be CIP compliant. If you are one of those companies, it is time to roll up your sleeves and start digging into CIP compliance, because there is a lot of work to do.
Of course, you could just wait things out, and for some reasons that may seem to make sense. The most prominent reason is that the language currently in CIP V5 seems to indicate that not much evidence is expected for BES Cyber Systems rated “Low” – and most companies coming under CIP for the first time will fall into this category.
However, this is one of the areas where FERC has indicated the need for modifications to CIP V5, specifically to include auditable requirements (exactly what the current language avoids doing). So while the current language may seem to opt Lows out of evidentiary requirements, FERC seems determined to bring them in.
Now, assume for a minute that you will be required to produce auditable evidence. Doing so will require work on your part, and getting it right the first time will save a lot of time, money, and headaches down the road.
On the other hand, assume that evidence will not be required. Policies still need to be created that describe what you will do in order to be NERC CIP compliant. That is a lot less effort.
What are the impacts of these choices? The second choice is a recipe for disaster in my opinion, and here is why:
The policies you create are a commitment on behalf of your organization. It is what you promise to do.
Building these policies out, without the underlying compliance controls strategy mapped out, can result in a serious disconnect between what has been promised and what your people and systems can actually do. The most effective way to design a CIP program is to design how your people, processes and systems will be used to support your policies while the policies are being written. Otherwise you could get stuck trying to force the existing infrastructure into policies that are not aligned.
Further, the biggest challenge faced by your peers that are already under CIP is the production of data-driven evidence. Trying to cram that on top of a misfit program forced to fit into unaligned policies can make strong men cry and brave women scream.
You may “just do it” in your Nike shoes, but it will not be a pleasant experience doing so with CIP. Invest the time to get it right the first time. Invest in controls that enforce policies, detect compliance exceptions, and produce evidence for you. CIP programs can be set up very efficiently so that the resulting operational resource impact is minimal. Doing so now can help you avoid the entanglements your peers experienced the hard way and leave you in great shape for whatever auditable requirements end up coming your way.