Process Driven Compliance Solution Provides Critical Capabilities to Adhere to NERC CIP Standards and Ensure Audit Readiness
PLANO, TX. — February 10, 2015 — SigmaFlow, the industry leader in NERC compliance solutions, today announced added enhancements to its Compliance Manager Solution to support NERC CIP version 5 standards. The new CIP v5 model provides additional preconfigured functionality that automates and streamlines the collection of evidence, document management and data-driven reporting required to adhere to NERC CIP v5 standards.
The NERC CIP v5 standards provide many new and redefined compliance expectations for electric utilities. The challenge of transitioning from version 3 to version 5 can be complicated and often costly for utilities that are not adequately prepared. There are also many utilities coming under CIP for the first time due to the new brightline impact criteria in v5, requiring them to build an entire CIP program to prove their adherence to the standards, with processes in place to ensure their audit readiness.
“NERC CIP v5 is a big challenge for utilities, both those transitioning from v3 and those new to the standards. Our CIP v5 enhancements provide a streamlined option for compliance – one they can fully deploy in a matter of weeks,” said Terry Schurter, vice president of NERC Solutions at SigmaFlow. “We have received significant industry validation from prospects and customers regarding our comprehensive functionality, ease of deployment and customer support. Our automated process driven approach ensures audit readiness along with substantial cost and time savings,” Schurter added.
SigmaFlow Compliance Manager
SigmaFlow Compliance Manager manages all documents, data, and work activities while automatically collecting and building the evidence for NERC compliance in a real-time repository. The solution automatically collects and manages compliance evidence through data management, document management, tasks and procedures for all of the NERC CIP Standards.
The SigmaFlow Closed-Loop Controls Framework™ provides an out-of-the-box, preconfigured solution to support real-time compliance, ensuring reliability with built-in validation and feedback loops that detect compliance gaps and issues as they happen. The Framework includes controls for:
- Audit and RSAW Readiness / Production
- Security Controls, Access Rights, Change Management, Ports and Services, and Patches
- Cyber Security Training and PRAs (Personnel Risk Assessments)
- Information Protection, Compliance Events, Document Reviews, and Compliance Assurance
“The NERC CIP Standards have matured to version 5 and many requirements have expanded applicability and increased timelines, driving the importance of a process driven compliance management framework,” said Karl Perman, director of member services for EnergySec. “The use of automated solutions to replace manual processes can help considerably with time savings and greatly decrease the potential for errors when producing evidence for compliance.”
Solution Enhancements and Functionality to Support NERC CIP v5
Classification Management (Sites, System, Cyber Assets)
SigmaFlow CIP v5 enhancements include all new assessment and classification processes to address the new assessment and classification criteria in CIP v5. Built on auditable processes, the solution has the ability to guide, calculate and document the Impact Rating of Assets (Site/Facilities), evaluate Cyber Systems to determine if they are BES Cyber Systems using the BROS (BES Reliability Operating Services), determine BES Cyber System connectivity type to align with the v5 requirements matrix, and to classify each Cyber Asset properly. This enhancement also includes auditable processes for the required periodic review of these assessments and classifications.
Configuration Management (Cyber Asset Change & Baseline Management)
Configuration Management has been enhanced in this release to support v5 requirements for changes on existing cyber assets. This includes the built-in workflow to manage the addition of new cyber assets, proper decommissioning of cyber assets being taken out of service or reused for another purpose, and in-process management and updating of baselines, ensuring the Cyber Asset baselines are properly approved and validated prior to procedure completion. Before-change and after-change security controls validation on test cyber assets is supported and enforced for High Impact changes. The validation of baselines for production cyber assets post-change ensures baseline compliance, and automated evidence generation produces the evidentiary documentation required for compliance.
Identity Access Management
CIP v5 has changed many of the requirements for physical and logical access rights management, with new time-sensitive rules that are strictly enforced. Depending on the type of access rights request, actions may be required to be completed in as little as 24 hours. The SigmaFlow solution now automatically calculates and displays the time allotment for each access right change ticket, collects the data required to show each ticket was completed on time, and produces the evidence for each access change ticket in the solution.
ESP High Water Mark
The ESP (Electronic Security Perimeter) High Water Mark rule is another major change in CIP v5. The rule applies to all ESPs that contain BES Cyber Systems with different Impact Ratings. With this rule, BES Cyber Systems and Cyber Assets that are not the same impact rating as the highest system in the ESP must be protected by a different set of requirements than would normally apply to them. This can be complicated and difficult to manage, often introducing significant work and risk into the compliance practice. With Compliance Manager, the ESP High Water Mark rule is automatically enforced, ensuring that all BES Cyber Systems and Cyber Assets are classified properly. The enhancement provides utilities with the assurance that even in the most complicated scenarios, BES Cyber Systems and Cyber Assets will be classified and managed correctly against the appropriate compliance standards.
Automated Evidence Generation
CIP v5 defines new and more advanced evidence requirements compared to CIP v3. Evidence must be collected for each applicable requirement for CIP compliance, and that evidence is not just limited to policies and procedures. The most difficult evidence for utilities to produce requires data to be combined from multiple sources into composite reports for a specific date range. These reports have long been problematic, time-consuming to produce and error-prone. The new SigmaFlow Evidence Generation control creates these reports with the click of a button. Automated Evidence Generation includes preconfigured reporting that produces the evidence for over 50 of the most challenging requirements in CIP v5.
Cyber Asset/BES Cyber System Mapper
Further automating compliance, the mapper automatically determines and tracks what requirements apply to each BES Cyber System and Cyber Asset. Requirements can be reviewed for any BES Cyber System or Cyber Asset with the click of a button. Conversely, on requirements, the mapper automatically maintains the list of all BES Cyber Systems and Cyber Assets that apply to the requirement – again, accessed with the simple click of a button. The mapper identifies the specific sub-requirement that applies in all cases by including the Impact Rating, Connectivity Type, Cyber Asset Classification, and BES Asset type in its mapping engine.
For more information about the SigmaFlow Compliance Manager Solution or for a demo of the solution, please contact us today. Pricing options make the Compliance Manager affordable for small utilities and scale to meet the largest utilities.
SigmaFlow is a leading provider of process execution solutions for electric and renewables utilities and the upstream oil & gas industry. The company’s solution portfolio includes Compliance Manager for CIP & 693 and Upstream Well Delivery Solution. For more information, contact SigmaFlow today.