Friday, February 26, 2016

No, None of the Other Dates will Change

It seems like every other post I write nowadays starts with something I read in the weekly EnergySec newsletter. Today’s post was prompted by speculation in this week’s newsletter that, due to yesterday's FERC action pushing back the CIP v5 compliance date by three months, some other CIP compliance dates for the v5 or the v6 standards might be pushed back, thus leading to even more confusion than currently reigns (if indeed such a thing is possible!).

On reading this, I immediately noted that there is no way the v6 implementation dates will be affected by this move, since those dates don’t depend at all on v5, and FERC only moved the main v5 date. As for the v5 dates themselves, there were only two anyway (vs. about 12 compliance events in v6, which are clustered among three dates): April 1 (now July 1), 2016 for High and Medium requirements, and April 1, 2017 for the one Low impact requirement in v5, CIP-003-5 R2.

These two dates were set independently of each other in the v5 Implementation Plan, so the fact that the High/Medium date is moved back three months doesn’t mean anything for the Low date. In fact, the Low date for v5 is meaningless, since CIP-003-5 R2 will be superseded by CIP-003-6 R2 – which comes into effect the same date, April 1, 2017.

To reflect this new change, I have changed the post I did in December with a revised compliance schedule. That post was prompted by the fact that FERC hadn’t approved v6 in December, meaning the v6 date was moved back to July 1. Of course, it was because that date is now July 1 that FERC yesterday agreed to move the v5 date to coincide with it. I’m tempted to say this will be the last change in the v5/v6 compliance dates, but I would have said the same thing in December.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


  1. It's not entirely meaningless, as documentation and designation of CIP Senior Manager will be required under Version 5 on April 1, 2016 for Lows.

    1. Ryan, nothing is required on 4/1/16. All the v5 and v6 standards are now effective on 7/1/16. Highs, Mediums and Lows all have to comply with CIP-002-5.1 R1 on that date, and they need evidence.They also all have to designate their Senior Manager on that date per CIP-003-6 R3.

    2. Since the order simply read: “Accordingly, the implementation of the CIP version 5 Reliability Standards for entities with High and Medium Impact BES Cyber Systems is deferred from April 1, 2016 to July 1, 2016 to align with the effective date for the revised CIP Reliability Standards approved in Order No. 822.”

      There are requirements for an audit, as a Low, on 4/1/16. These include an assessment to prove that the entity only has Low Impact BES Cyber Systems (ironic) and a CIP Senior Manager Designation in accordance with CIP-003-5 R3.

      However, NERC has just yesterday responded with clarification that ALL CIP was pushed back to Version 6 so this point doesn't matter anymore.

  2. Not to mention R1 for CIP-002-5.1, which you have to follow to even determine Low/Medium/High. Will Lows be required to have evidence associated w/ this requirement, while Medium/High will not? It doesn't make sense.

    "Each Responsible Entity shall implement a process that considers each of the
    following assets for purposes of parts 1.1 through 1.3"

  3. An Interested Party pointed out that I should make it clear that the Initial Performance of Periodic Requirements dates - described in the v5 implementation plan - will also change, since they're tied to the v5 effective date. Since that date is now three months later, they will be three months later as well.

  4. You're right, Ryan. FERC definitely misspoke when they said "High and Medium". Thanks for catching that.