
Attachment "C" CIP Data List for Sampling

Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Phase 2 - Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and submits to R
for more details.
Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device Sample a
populated with requested samples)
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs c

RFC Action Required:
RFC supplies the Attachment C to the entity as part of the 90 day notification package. The CIP evidence list (Yellow
scope.

Color Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with d
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System

Next Steps:
After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling meth
establish and define a specific random sample set to audit against. The audit team will then send Evidence Requests
audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five (65) cale
date of the Compliance Audit.

ReliabilityFirst CIP Evidence List

CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

Standard / Requirement (one entry per evidence row, in sheet order)

CIP-002-3: R1; R1.1; R1.2; R1.2.1; R1.2.2; R1.2.3; R1.2.4; R1.2.5; R1.2.6; R1.2.7; R2; R3; R4

CIP-003-3: R1; R1.1; R1.2; R1.3; R2; R2.1; R2.2; R2.3; R2.4; R3; R3.1; R3.2; R3.2; R3.3; R4; R4.3; R5; R5.1; R5.1.2; R5.2; R5.3; R6; R6

CIP-004-3: R1; R1; R2; R2.1; R2.2; R2.3; R3; R3; R3.1; R3.2; R3.3; R4; R4.1; R4.1; R4.2; (none listed)

CIP-005-3: R1; R1; R1; R1; R1; R1; R2; R2.1, R2.2; R2; R2; R2; R2; R2; R2.4; R2.6; R3; R3; R3; R3; R3; R3.1; R3.2; R4; R4.1; R4.5; R4.5; R5 & R5.1; R5.2; R5.3

CIP-006-3: R1; R1; R1.1; R1.1; R1.2; R1.2; R1.3; R1.3; R1.4; R1.5; R1.6; R1.6; R1.7; R1.8; R2.1; R2.2; R3; R4; R5; R6; R7; R8; R8.1; R8.2; R8.3

CIP-007-3: R1; R1; R1; R1.1; R1.2; R1.3; R2; R2.3; R3; R3; R3; R4; R4; R4; R5; R5.1.1; R5.1.2; R5.1.3; R5.2; R5.2; R5.3; R5.3; R5.3.1; R5.3.2; R5.3.3; R6; R6; R6.1; R6.2; R6.2; R6.3; R6.4, R6.5; R7; R7.3; R8; R8.1; R8.4; R8.4; R9

CIP-008-3: R1; R1.1; R1.2; R1.2; R1.2; R1.3; R1.3; R1.4; R1.4; R1.5; R1.6; R2

CIP-009-3: R1; R1; R1.1; R1.1; R1.2; R1; R2; R3; R4; R5

Notes

1. Evidence identified in this listing is the result of each requirement. This listing is intended to provide guidance to the entities in preparation for their audits or continued compliance. Submission of identified evidence does not guarantee a finding of compliance to the requirement. ReliabilityFirst will review all relevant evidence submitted and make final determinations of compliance based upon the literal language of the requirement and the evidence's proof of compliance.

2. Evidence identified in this column must be submitted 40 days before the scheduled audit review date.

3. Evidence identified in this column must be submitted as designated by ReliabilityFirst.

Evidence (see note 1)
Provide Risk Based Assessment Methodology (RBAM)
Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-based
Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on Critical Asset List
Provide evidence that all control centers and backup control centers were considered by the RBAM
Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was
performed at the substation level
Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was
performed at the level of greatest commonality
Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets
If applicable, provide system restoration plan
Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the
RBAM
Provide evidence that all special protection systems were considered by the RBAM
Provide evidence of any additional assets considered by the RBAM
Provide Critical Asset List derived through annual application of RBAM
Provide evidence of annual review of the Critical Asset list
Supporting Evidence:
For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM

Provide list of Critical Cyber Assets


Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets
Supporting Evidence:
If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should be 1) grouped
by Critical Asset, 2) have a unique identifier for the Cyber Asset such as a device name, 3) give the type of Cyber Asset (e.g.
server, workstation, network device, etc.), 4) give the reliability functions the Cyber Asset supports, and 5) give the network
segments the Cyber Asset is connected to (network segment identifier or Class C address space as depicted on a network
topology diagram). If a comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation
of how the Cyber Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset and the
list of Cyber Assets considered

Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list

Provide Cyber Security Policy


Supporting Evidence:
Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-009-3
Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through
CIP-009-3 and contains provision for emergency situations
Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily
available to all personnel with authorized electronic or unescorted physical access to any Critical Cyber Asset
Provide evidence that each version of the cyber security policy, including any policy incorporated by reference, has been
approved by the senior manager assigned per R2
Provide evidence of the assignment of a senior manager, including date of designation and effective date of any changes
Provide evidence that the assignment of the senior manager includes the required information
If applicable, provide the effective date of any change to the assignment of the senior manager

If applicable, provide evidence of delegation of authority, including the specific actions for which authority is delegated and
the effective date of the delegation
If applicable, provide evidence that exceptions from the requirements of the cyber security policy were documented and
authorized by the senior manager or delegate(s).
Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there
have been no exceptions to the Cyber Security Policy during the compliance period
For each exception to the cyber security policy, provide evidence of the date of approval
For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception
For each exception to the cyber security policy, provide evidence of any compensating measures
For each exception to the cyber security policy, provide evidence of the annual review
Provide information protection program
Provide evidence of an annual assessment of information protection program
Provide access control program
Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information
Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information
Provide evidence of annual review of access privileges
Provide evidence of the annual assessment of processes for controlling access privileges to protected information
Provide the process for change control and configuration management
Provide evidence that the change control and configuration management process has been implemented

Provide awareness program


Provide evidence of awareness reinforcement
Provide Cyber Security Training Program
Supporting Evidence:
Addresses to whom it applies, delivery, review, and update frequencies
Provide Training Documentation, i.e., attendance records
Supporting Evidence:
Include documentation for all relevant personnel showing the date of authorization and the date of training
Provide training material that addresses all of R2.2 and its sub requirements
Provide training documentation that includes annual training completion dates
Provide Personnel Risk Assessment program
Provide documentation that specifies when the PRA was conducted and when access was granted
Provide documentation that the PRA program includes all elements of R3.1
Provide Personnel Risk Assessment Program language that addresses criteria with respect to "for cause" and schedules for
re-assessment
Provide documentation of assessment results for all relevant personnel
Supporting Evidence:
Documentation, e.g., a database, application or spreadsheet, that shows proof of assessments matched against the CIP-004 R4
list(s)
Contract agreements and associated documentation
Provide list(s), e.g., a spreadsheet, database or other application, that track all electronic and physical access rights
Supporting Evidence:
Documentation of authorized access approvals
Provide documentation that the list(s) is reviewed quarterly and updated within seven days of any change of access
Provide documentation that access list(s) for contractors and service vendors are properly maintained
Provide documentation that access is revoked within 24 hours for personnel terminated for cause and within seven calendar
days for personnel who no longer need access

Supporting Evidence for CIP-004 R2, R3, & R4:


Provide the following in a spreadsheet, database, etc. for anyone with electronic or physical access to a CCA
Employee name and ID (unique identifier)
Date electronic access granted
Specific electronic access granted
Date physical access granted
Specific physical access granted
Date electronic access removed
Date physical access removed
Date of original training
Date of annual training
Date initial PRA completed
Date PRA updated

For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it
resides
For each ESP, identify each Cyber Asset residing within the perimeter
For each ESP, identify each access point to the ESP
For each ESP, identify each cyber asset used in the access control of the ESP
For each ESP, identify each cyber asset used in the monitoring of the ESP
For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control
devices
For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP
For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for
each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber
assets, including justification, within the respective ESP.
For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by
default
Provide the procedure for securing dial-up access to each ESP
Provide evidence that the procedure for securing dial-up access to each ESP has been implemented, or an attestation that
no dial-up access exists for the ESP in question
For each ESP, if external interactive access to the ESP has been enabled, describe the controls used to authenticate the
user
For each access control device, provide the document identifying the content of the acceptable use banner
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points
to each ESP
Provide evidence that the above processes have been implemented
Provide evidence that the above processes are operational twenty-four hours a day, seven days a week
If applicable, provide evidence of alerts and notification of response personnel
If applicable, provide evidence of review or assessment of access logs
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected.
If alerting was not technically feasible for sampled Access Points provide evidence of manual review of logs at least every
90-days. Provide evidence of the 90 days prior to the 90 day notification.
For each ESP, provide documentation of the annual cyber vulnerability assessment
Provide documentation of vulnerability assessment process

Provide documentation of results of annual vulnerability assessment


If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation of annual review for all evidence for CIP-005
Provide evidence that updates to network control documentation were made within 90 days of a change

For Access Points selected provide evidence that access logs are retained for at least ninety
calendar days.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
Provide Physical Security Plan
Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)
For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those
access points
For each PSP, provide evidence that the measures above have been implemented
For each PSP, provide documentation of the processes, tools, and procedures for monitoring of physical access to the PSP
For each PSP, provide evidence that the processes, tools and procedures above have been implemented
Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access
controls
Provide documentation of the review of access authorization requests and the revocation of access authorization, in
accordance with CIP-004-3 Requirement R4.
For each PSP, provide logs of visitor entry and exit
For each PSP, provide evidence of continuous escorted access of visitors
Provide evidence that Physical Security Plan was updated within 30 calendar days of a physical security change
Provide evidence of an annual review of the Physical Security Plan
Provide documentation that physical access control systems are protected from unauthorized physical access
Provide documentation that physical access control systems are afforded the protective measures in the referenced
requirements; this may be addressed as part of the individual applicable requirements or directly in response to this
requirement
Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter
For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points
to the PSP
Provide evidence that Unauthorized access attempts are reviewed immediately and handled in accordance with the
procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification.
(Supply for all PSPs that the Sampled Assets reside in)
Provide documentation identifying the methods for logging physical access

Provide evidence of physical access logs for the implemented logging solution(s) that
demonstrates 90 calendar days' worth of logs.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
(Supply for all PSPs that the Sampled Assets reside in)
For each PSP, provide evidence of a maintenance and testing program for all physical security systems
For each PSP, provide evidence of testing and maintenance of all physical security mechanisms
For each PSP, provide the retention period for the testing and maintenance records
For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring

Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures
Provide evidence that all cyber security controls have been included in the test plans
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested.
Provide evidence for the past year immediately prior to the 90 day notification.
Provide documentation that testing was performed in a manner that minimizes impact on the production environment
Provide documentation that testing was performed in a manner that reflects the production environment
Provide documentation of test results
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified,
provide a description of the port or service and identify the need for that port or service to be enabled

If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide the security patch management program
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.

If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and of the
testing and installation of signature updates.
Provide documentation of the process used to update anti-malware signatures
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide documentation of technical and procedural controls that enforce access authentication and accountability of all user
activity
Provide evidence that user accounts are implemented as authorized

Provide evidence of audit trails of individual user account activity demonstrating 90 days' worth of
logs/audit trails. Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5

Provide evidence of an annual review of user accounts to verify access privileges


Provide policy on use of administrator, shared, and other generic account privileges
Identify those individuals with access to shared accounts
Provide evidence that passwords adhere to the R5.3 sub-requirements as technically feasible
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide explanation of how security status monitoring is implemented
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide documentation of the mechanisms to monitor security events within each ESP
Provide documentation of alerting system configuration
Provide a listing of settings that would generate an alert by the monitoring systems
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)

For each Cyber Asset selected provide evidence that logs of system events related to cyber
security are maintained and reviewed.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5

Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the ESP
Provide records that assets were disposed of or redeployed in accordance with documented procedures
Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP
Provide documentation of vulnerability assessment process
Provide documentation of results of annual cyber vulnerability assessment
If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007

Provide Cyber Security Incident Response Plan


Provide procedure for characterizing and classifying events as reportable Cyber Security Incidents

Provide roles and responsibilities


Provide incident handling procedure
Provide communication plans
Provide process for reporting incidents to the ES-ISAC
Provide evidence that all reportable incidents were reported to the ES-ISAC or an assertion that there have been no
reportable incidents during the spot check period
Provide process for updating response procedures
Provide history of Response Plan updates or an assertion that there have been no updates made during the spot check
period
Provide evidence of annual review
Provide history of incident response tests conducted, including 1) type of test (e.g. paper drill, table-top exercise, full
response drill, etc.) 2) date of test 3) incident(s) or event(s) tested
Provide cyber security incident documentation

Provide Critical Cyber Asset Recovery Plans


List the Recovery plan that covers the selected cyber assets.
Provide conditions that would invoke the recovery plan
Provide recovery actions
Provide roles and responsibilities
Provide evidence of annual review
Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full
response drill, etc.) 2) date of test 3) event(s) or condition(s) tested
Provide documentation of changes to the recovery plan(s) and documentation of all communications
Provide documentation regarding the backup and storage of information
Provide documentation of annual testing of backup media



40 Days (see note 2) / Upon Request (see note 3) column values, in sheet order:

X ×10
X, Not in Scope
X, X
X, X, X
X, X, Not in Scope
Not in Scope
Not in Scope
Not in Scope
Not in Scope
X ×6, See Device Sampling Tab
Not in Scope, Not in Scope
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab
See Personnel Sampling Tab, See Personnel Sampling Tab, X, See Personnel Sampling Tab, See Personnel Sampling Tab, X
See Personnel Sampling Tab
See Personnel Sampling Tab
X, See Personnel Sampling Tab, See Personnel Sampling Tab
See Personnel Sampling Tab
X ×7
See Device Sampling Tab
X ×6, Not in Scope, X ×6
See Device Sampling Tab
X, X
X ×4
See Device Sampling Tab
X ×18
See Device Sampling Tab
See Device Sampling Tab
X ×4
X, X, See Device Sampling Tab, X, X, X
See Device Sampling Tab
X, X, See Device Sampling Tab, X, See Device Sampling Tab, X, X, X, X
See Device Sampling Tab
X ×14
See Device Sampling Tab
X, Not in Scope, X, X, X, X, X
X, X
X ×10
X, See Device Sampling Tab, X, X, X, X, X, Not in Scope
X, X


Attachment "C" CIP Data List for Sampling Phase 2 Instructions

Entity Action Required:
Please complete all the worksheets within this spreadsheet and return to ReliabilityFirst no later than seventy five (7
review date of the Compliance Audit
Please complete the following worksheets:
Critical Assets (List of all Critical Assets)
Critical Assets -Name of Critical Asset

Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, Substatio
Responsible Registered Entity - For a combined audit of multiple registered entities
Cyber Assets (List of all Cyber Assets and the associated ESP and PSP- Indicate CCA, NCCA, AP, EACM, PACS)
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of ESP containing Cyber Asset
PSP Name - Name of PSP containing Cyber Asset
Vendor - Name of vendor for identified Cyber Asset
Model - Model Name and Number of identified Cyber Asset

IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Wind
etc.
Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine
Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.

Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT,
Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)
Responsible Registered Entity- For a combined audit of multiple registered entities
Indicate if Critical under CIP-002 Version 3 criteria-(Y/N)

Indicate if Critical under CIP-002 Version 4 criteria-(Y/N)-This is only relevant if Entity has incorporated or adopte

BES Cyber Systems Impact Rating-(High/Medium/Low)- This is only relevant if Entity has incorporated or adopted

Personnel Sample (List of all personnel with authorized cyber or authorized unescorted physical access to NERC CI
protected information only and identification of terminated personnel or personnel role changes within the past twel
Name - Name of individual
Access Type - Should be Physical, Cyber, Both or Protected Information only
Personnel Type - Should be Employee, Contractor, Vendor or Other

Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization cha
personnel role and responsibility change within past twelve (12) months.
Responsible Registered Entity- For a combined audit of multiple registered entities


Critical Assets tab (sample entries)

Sequential number | Critical Asset | Asset Function | Responsible Registered Entity | Indicate if Critical under Version 3 criteria | Indicate if Critical under Version 4 criteria | BES Cyber Systems Impact Rating (Version 5 criteria)
1 | SOUTHPARK | PRIMARY CONTROL CENTER | RE1 | Y | N | High
2 | NORTHPARK | BACK-UP CONTROL CENTER | RE2 | Y | Y | Medium
3 | CEDARCREEK | SUBSTATION | RE3 | N | Y | Low

Cyber Assets tab (sample entries)

Sequential number | Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CA resides | Name of PSP where CA resides | Vendor | Model | IOS / Platform or Operating System | Virtual Machine | Asset Type | Supporting Organization | Cyber Asset Type (choose only one from example list) | Responsible Registered Entity | Indicate if Critical under Version 3 criteria | Indicate if Critical under Version 4 criteria | BES Cyber Systems Impact Rating
1 | EXAMPLE_ABC | SOUTHPARK | EXAMPLE_PCC | EXAMPLE_PSP | IBM | NetVista | Windows 2000 | Yes | PC/Laptop | EMS | CCA | RE1 | Y | N | High
2 | EXAMPLE_DEF | NORTHPARK | EXAMPLE_SCC | EXAMPLE2_PSP | HP | AU600 | TRU64 UNIX | Yes | Server | Corporate IT | NCCA | RE2 | Y | Y | Medium
3 | EXAMPLE_GHI | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE3_PSP | Gener | B2NR8NX0D | N/A | No | Relay | Substation | AP | RE3 | N | Y | Low
4 | EXAMPLE_JKL | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE4_PSP | Gener | B2NR8NX0D | N/A | No | Router | Corporate IT | EACM | RE4 | Y | Y | Low
5 | EXAMPLE_MNO | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE5_PSP | Gener | B2NR8NX0D | N/A | No | Server | Corporate IT | PACS | RE5 | Y | Y | Low

Personnel Sample tab (sample entries)

Sequential number | Name | Access Type | Personnel Type | Date of Termination | Date of Personnel Change | Responsible Registered Entity | Terminated for Cause?
1 | LASTNAME, FIRSTNAME | Physical Access | Contractor | N/A | 12/15/2011 | RE1 | Y/N
2 | LASTNAME2, FIRSTNAME2 | Cyber Access | Vendor | 12/15/2011 | 12/15/2011 | RE2 | Y/N
3 | LASTNAME3, FIRSTNAME3 | Both | Employee | N/A | 1/3/2012 | RE3 | Y/N
4 | LASTNAME3, FIRSTNAME4 | Protected Information only | Employee | N/A | 1/3/2012 | RE3 | Y/N

Device Sample Matrix columns

Sequential number
Critical Cyber Asset Name
Critical Asset where CCA resides
Name of ESP where CCA resides
Name of PSP where CCA resides
Vendor
Model
IOS / Platform or Operating System
Virtual Machine
Asset Type
Supporting Organization
Cyber Asset Type (CCA, NCCA, AP, EACM or PACS)
Responsible Registered Entity
Indicate if Critical under Version 3 criteria
Indicate if Critical under Version 4 criteria
BES Cyber Systems Impact Rating (Version 5 Only)

Device Sample Matrix evidence request columns

CIP3 R6
For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.

CIP5 R2.1, R2.2
For R2.1, provide evidence that a deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.

CIP5 R3.2
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points, provide evidence of manual review of logs at least every 90 days. Provide evidence of the 90 days prior to the 90 day notification.

CIP5 R5.3
For Access Points selected, provide evidence that access logs are retained for at least ninety calendar days. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP6 R5
Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification. (Supply for all PSPs that the Sampled Assets reside in.)

CIP6 R7
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5. (Supply for all PSPs that the Sampled Assets reside in.)

CIP7 R1
Provide evidence (including test results) that all significant updates made to the Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification.

CIP7 R2
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled.

CIP7 R3
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.

CIP7 R4
For each Cyber Asset selected, provide evidence of the implementation of antivirus and malware prevention tools and of the testing and installation of signature updates.

CIP7 R5.1.2
Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP7 R6
For each Cyber Asset selected, provide evidence that logs of system events related to cyber security are maintained and reviewed. Provide evidence for the following dates: Date1, Date2, Date3, Date4, Date5.

CIP 9 R1
List the Recovery plan that covers the selected cyber assets.

Personnel Sample template columns

Sequential number | Name | Access Type | Personnel Type | Responsible Registered Entity

TRAINING: OLDEST ON RECORD | 2012 DATES | 2013 DATES | ATTENDANCE LOG REQUESTED (Y/N)

PRA DATES: OLDEST ON RECORD | MOST RECENT | NEXT

PRA CONTENTS: SS# CHECK (Y/N) | 7 YR CRIMINAL CHECK (Y/N)

REDACTED PRA SAMPLE REQUESTED DATE (RFC to complete, for most recent PRA) | REDACTED PRA SAMPLE RECEIVED DATE (for most recent PRA)

CRITICAL CYBER ASSET - AUTHORIZED CYBER ACCESS:
CURRENT STATUS - ACTIVE / INACTIVE | ANY CHANGE IDENTIFIED (Y/N) | DATE GRANTED | CHANGE DATE | ACCESS RIGHTS | AUTHORIZATION DATE | EMPLOYMENT TERMINATED FOR CAUSE (Y/N) | ACCESS CHANGE MADE | ACCESS REVOCATION REQUIRED (Y/N) | IF YES, TERMINATION DATE | IF YES, REVOCATION DATE | DATE IDENTIFIED | NO LONGER REQUIRED (Y/N) | ACCESS AUTHORIZATION DATE

CRITICAL CYBER ASSET - AUTHORIZED UNESCORTED PHYSICAL ACCESS:
CURRENT STATUS - ACTIVE / INACTIVE | ANY CHANGE IDENTIFIED (Y/N) | DATE GRANTED | CHANGE DATE | ACCESS RIGHTS | EMPLOYMENT TERMINATED FOR CAUSE (Y/N) | ACCESS CHANGE MADE | ACCESS REVOCATION REQUIRED (Y/N) | IF YES, TERMINATION DATE | IF YES, REVOCATION DATE | DATE IDENTIFIED | NO LONGER REQUIRED (Y/N)

PRA and Training: Provide evidence of redacted background check and training records. (Name of PDF file for submitted evidence)

ENTITY COMMENTS | RFC COMMENTS

CIP 6 R1.5
Provide evidence for review of access authorization requests and revocation of access authorization. (Name of PDF file for submitted evidence)

CIP 7 R5
Provide evidence that the Responsible Entity ensures that user accounts are implemented as approved by designated personnel. (Name of PDF file for submitted evidence)

Attachment "C" CIP Data List for Sampling Phase 3 Instructions

RFC Action Required:


Select samples and populate the Device Sample and Personnel Sample tabs using the approved
methodology (and the Device Sample Matrix and Personnel Sample Templates) and return them to the
entity no later than sixty-five (65) calendar days prior to the scheduled review date of the
Compliance Audit.
Please complete the following worksheets:
Device Sample (List of selected Cyber Assets and the associated Standards and Requirements
merged with Device Sample Matrix)
Pull required samples using the approved methodology and merge with the Device Sample Matrix.
Change the Device Sample tab color to Green prior to sending to the entity.
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of the ESP containing the Cyber Asset
PSP Name - Name of the PSP containing the Cyber Asset
Vendor - Name of the vendor for the identified Cyber Asset
Model - Model Name and Number of the identified Cyber Asset
IOS / Platform or Operating System - Name of the platform or operating system running on the
Cyber Asset (e.g. Windows, NT, Linux, Unix, DB/App, N/A, etc.)
Virtual Machine - Enter "Yes" or "No" to indicate whether the asset is a virtual machine
Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer,
database, etc.
Supporting Organization - Name of the internal organization supporting the identified CA (e.g.
EMS, Substation, Corp IT, Corp Security, etc.)
Cyber Asset Type - CCA, NCCA, AP, EACM or PACS
Responsible Registered Entity - For a combined audit of multiple registered entities
Indicate if Critical under CIP-002 Version 3 criteria - (Y/N)
Indicate if Critical under CIP-002 Version 4 criteria - (Y/N) - This is only relevant if the Entity has
incorporated or adopted Version 4 criteria
BES Cyber Systems Impact Rating - (High/Medium/Low) - This is only relevant if the Entity has
incorporated or adopted CIP-002 Version 5 criteria

Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted
physical access to NERC CIP cyber assets or personnel with access to protected information
only and identification of terminated personnel or personnel role changes within the past
twelve (12) months)
Pull required samples using approved methodology and merge with Personnel Sample
Template. Change Personnel Sample tab color to Green prior to sending to entity.
Name - Name of individual
Access Type - Should be Physical, Cyber, Both or Protected Information only
Personnel Type - Should be Employee, Contractor, Vendor or Other
Date of Termination and/or Personnel Role Change - Identify the date of termination or
personnel organization change. Enter N/A if active employee and no personnel role and
responsibility change within past twelve (12) months.
Responsible Registered Entity- For a combined audit of multiple registered entities

Attachment "C" CIP Data List for Sampling Phase 4 Instructions


Entity Action Required:
Complete the Device Sample and Personnel Sample tabs per the instructions below and return them to
RFC no later than forty (40) calendar days prior to the scheduled review date of the
Compliance Audit.
Please complete the following worksheets:

Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)
Please provide an evidence file reference for each Standard/Requirement column listed that is
not "greyed out". It is preferred that each requirement has one PDF file containing the
information for all the samples within that requirement.

Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted
physical access to NERC CIP cyber assets or personnel with access to protected information
only and identification of terminated personnel or personnel role changes within the past
twelve (12) months)
Complete the required fields for each person.
In the PRA and Training column, one evidence file is required for all the samples
within this column. In this file, please include the appropriate training records and redacted
background check for the selected individuals.

Revision History (Date - Name - Version Number, followed by Changes)

December 17, 2010 - Bob Yates - Version 1
Initial release of Attachment C spreadsheet

February 15, 2011 - Bob Yates - Version 2
Added type to Critical assets, critical cyber assets and non-critical cyber assets

October 19, 2011 - Bob Yates
Added a changes tab and instruction to gather the total population of changes from
10/1/2010 through the 90 day notification. This will allow for sampling of changes for CIP-003
R6. Changed due date in instructions from 30 days to 75 days.

December 19, 2011 - Kristie Purcell
Added Asset Function field to Instruction and Critical Asset Tab; added Vendor; Model;
Platform or O/S; Function Performed; and Supporting Organization fields to the CCA, Non-CCA,
ESP Access Points and ACM and Instruction tabs. Changed abbreviations to acronyms and added
acronyms to the Instructions tab. Added examples to the worksheets and formatted.

December 20, 2011 - Rhonda Bramer
1) Changed field "Asset Function" to "Asset Type" on the CCA, NCCA, AP and ACM tabs for
clarity;
2) Added filters on each worksheet to enable filtering capability for each tab/worksheet
3) Removed Changes tab
4) Added "Date of Termination" and "Date of Personnel Role Change" column to Personnel
tab.
5) Added "Critical Asset" column to CCA, NCCA, AP and ACM tabs to map respective assets
back to the Critical Asset.
6) Added additional examples to each of the worksheets
7) Updated the Instructions tab to reflect above changes.
8) Moved Instruction tab to be the first worksheet within workbook.
9) Moved the Personnel tab to be after ACM worksheet.

January 23, 2012 - Rhonda Bramer - Version 5.1
Added a "Yes" or "No" column for "Virtual Machine" in the following tabs: Critical Cyber
Assets, Non-Critical Cyber Assets, ESP Access Points and Access Control and Monitoring.
Also updated the Instructions Tab to reflect the change above.

February 23, 2012 - Todd Thompson - Version 5.2
Incorporated multiple sample sheets into this spreadsheet for ease of use.

June 25, 2012 - John Kellerhals - Version 5.3
Added Responsible Registered Entity Columns to support combined audits

July 3, 2012 - John Kellerhals - Version 5.4
Included feedback suggestions from entities

August 24, 2012 - John Kellerhals - Version 5.5
Release including instructions for 4 phases

November 15, 2012 - John Kellerhals - Version 6
Release including instructions for 4 phases

November 28, 2012 - John Kellerhals - Version 6.1
Aligned Custom Evidence List with the updated samples

January 22, 2013 - John Kellerhals - Version 6.2
Adjusted Device Sample Matrix for AP CIP-005

March 7, 2013 - John Kellerhals - Version 6.3
Device Sample Matrix - Added verbiage to description for columns U & V

May 10, 2013 - John Kellerhals - Version 6.4
Added columns AS and AT to personnel sample matrix and revised Personnel sample
instructions for phase 2 and 3.

May 31, 2013 - John Kellerhals - Version 6.5
Added columns E,F,G to Critical Assets Tab and columns N,O,P to Cyber Assets Tab and
Columns N,O,P to Device Sample Matrix tab to accommodate transition from V3 to V4 to
V5 of the CIP Standards. Added related instructions to the Phase 2 and Phase 3
Instructions tabs.

July 11, 2013 - John Kellerhals - Version 6.6
August 22, 2013 - John Kellerhals - Version 6.7
September 18, 2013 - John Kellerhals - Version 6.8

Changes recorded for versions 6.6, 6.7 and 6.8 (in the order listed on the sheet):
Personnel sample template - Added verbiage to description for columns AR, AS & AT
CIP evidence-customize - Made edits to Lines 106, 109 & 142-144
Deleted line 108 (redundant to line 109)
Deleted line 145 (redundant to line 147)
Removed Column E on Personnel sample Matrix tab that was named Group
Changed Phase 2 Instructions tab to reflect all personnel versus selected personnel and
included instructions for personnel with access to protected information. Updated Phase 3
Instructions tab to reflect addition of personnel with access to protected information.
Updated Personnel tab to reflect addition of "Protected Information only" access type in
example choices.
