On November 4, 2015, EnergyWire ran a story[i] quoting a FERC spokesperson as confirming what I reported in a recent post – that FERC will be conducting CIP v5 audits for some NERC entities, in place of the NERC region. To quote[ii] from the story:
FERC's decision, which has not been officially announced, was confirmed yesterday by Mary O'Driscoll, commission director of media relations, in response to a query. FERC and NERC have concurrent authority to audit and enforce cybersecurity standards. "However, historically, FERC has exercised its audit authority in only a few rare cases," O'Driscoll said.
"FERC is conducting these audits because CIP v5 is a major change in applicable requirements in a very important area of the standards," she said. FERC's action was not motivated by concern over the quality of audits by the regional entities, she added.
The same article states:
Several other regional organizations have also reported the change. Kim Israelsson, compliance program coordinator for the Western Electricity Coordinating Council (WECC), sent an email this week noting that FERC would conduct "limited monitoring activities" on the CIP5 rules. WECC is the regional organization for 14 Western states and parts of Canada and Mexico.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Since EnergyWire is a subscription-based service, non-subscribers will need to sign up for the free trial to read the story. In the interest of full disclosure, I want to point out that the article does quote liberally from my original post on this story.
[ii] Quotation is with permission of EnergyWire.