FAQ & Lessons Learned


      • A:October 18, 2016
        Are relay settings considered confidential BCSI?

        While appropriate protection is essential, it is also necessary to avoid overprotection that will create unintended consequences; e.g., relays with setting information that is deemed to be BES Cyber System Information will make it unnecessarily difficult to make repairs.

        Reference: NERC Technical Questions and Answers, CIP Version 5 Standards, Version: June 13, 2014.
        http://www.nerc.com/pa/CI/tpv5impmntnstdy/Technical_FAQs.pdf


      • A:2/24/2015

        Would you expect FERC to maintain control of cybersecurity regulations for the near/long-term, or are other regulatory bodies pushing to be involved?

        For the electricity sector, it is expected that FERC and the ERO will maintain the cyber standards for the bulk power system. There is recognition that the electric sector is ahead of other sectors on these matters.

      • A:11/14/2013

        How is audit data or information submitted for enforcement actions handled by SERC and where is it stored?  Explain what controls exist over data that may be stored off-site.

        All CIP information submitted to either Enforcement or to Compliance is stored in SERC’s PEI System. Off-site storage is explained in the PEI program literature.  Briefly, it is maintained in a secured bank vault in the Charlotte area.

        • A:10/16/2015
          What may registered entities expect relative to a timeline for V5 audits (i.e., initial notification letter, etc.)?

          The typical timeline for compliance monitoring activities is as follows: 210 days prior: IRA questionnaire to entity; 180 days prior: IRA questionnaire due back from entity; 150 days prior: IRA complete and ICE offered; 150 – 100 days prior: ICE; 90 days prior: audit detail letter is sent.  With respect to CIP V5, the ADL will detail which requirements are in scope.  If the audit is prior to April 1, 2016 or June 1, 2016, the entity will receive a matrix indicating, for each requirement, which version they wish to be audited on.  The audit period is set when the ADL is sent out, which is why the June 1st date applies for CIP V5.

        • A:March 1, 2016
          How does SERC intend to approach CIP audits this year that fall shortly after July 1, 2016?  The document and data request would typically arrive prior to the enforceable date for Version 5/6 (meaning still during Version 3) but the on-site audit period would occur afterward with few pieces of evidence available under the new standards.  We realize individual standards are revised all the time, but this situation would seem to affect the entire complexion of audits during this switch-over period.  Will self-certification / data request for CIP-002 due May 2, 2016 be affected?

          The audit period is defined in the Audit Detail Letter, and the entity is responsible for demonstrating compliance during the audit period.

          How should nuclear units respond to the CIP-002 May 2, 2016 data request?

          NERC moved the May 2, 2016 due date to July 15, 2016.

        • A:March 1, 2016
          What is the "commissioned date" for BES Cyber Assets?  July 1?  Or ... 1996? or ? We ask that question since the term doesn't really exist until the new version goes into effect.

          See the instructions for the spreadsheet. If put in service prior to the audit period, leave it blank. If put in service during the audit period, use the date the asset was placed in service. The purpose of the commission date is to determine whether the asset was in place at the beginning of the audit period or was placed in service during the audit period.

        • A:March 1, 2016
          Should entities that identified CCAs under CIP V3 whose Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities implementation date aligned past the original mandatory enforcement date of April 1, 2016 for CIP V5, but prior to the delayed mandatory enforcement of July 1, 2016, early adopt compliance with CIP V5?

          Early adoption of CIP V5 is a decision for the registered entity. SERC will audit to the current requirements, but will allow the entity to move to Version 5 before the effective date.

        • A:11/15/2016
          There are rumors that some regions are requiring Entities to have an incident response plan test completed on or before April 1st 2017.  Is this something that SERC is requiring of Entities?  Attached is the most current CIP implementation plan that I can find on the NERC website
          http://www.nerc.com/pa/Stand/Prjct2014XXCrtclInfraPrtctnVr5Rvns/CIP_Implementation_Plan_CLEAN_BOARD.pdf
          I cannot find where a test of the incident response plan is required to be completed on or before April 1st 2017.

          As stated in the CIP Version 5 Standards Implementation Dates, April 4, 2016, CIP-003-6 R2, Attachment 1, Section 4, registered entities are required to be compliant on April 1, 2017. The ERO Enterprise expects entities to have documented incident response testing completed on or before the compliance date. On October 20, 2016, during an ERO Enterprise call, NERC confirmed the expectation that incident response testing must be completed by April 1, 2017.
          Link to the referenced CIP Version 5 Standards Implementation Dates document:

        • A:September 28, 2016
          How do the standards address CIP Cyber System Information existing in the “cloud”?

          Per CIP-011-2, R1.2, the registered entity remains responsible for protecting and securely handling BES Cyber System Information, including storage, transit, and use.

        • A:September 28, 2016
          Are IP (and cell and satellite) phones within a Control Center to be treated as BES Cyber Assets?  (Reference the memo from WECC)

          The IP, cell, and satellite phones would have to meet the definition of a BES Cyber Asset and potentially affect the BES within 15 minutes.

        • A:10/16/2015
          Is there an expectation that EACM will include only those systems that complete Electronic Access Control and Electronic Access Monitoring, or would that extend to secondary systems that are used to provide enhanced security (but do not perform compliance activities) to  the primary Electronic Access Control and Electronic Access Monitoring systems?  For example, if you have a system that automatically disables access to support the 24 hour removal requirement but is not the system that performs Electronic Access Control or Electronic Access Monitoring,  would that be included as an EACM?
          Generally speaking, if the system is simply a "nice to have" enhancement that goes above and beyond the access control and monitoring required by the standards (such as a system that runs a report to ensure that other systems have done their jobs), then it would not be included as an EACM, but would likely qualify as an internal control. However, in cases where the “secondary” system is needed to achieve strict compliance with access control and monitoring requirements, that system must be considered a part of the EACMS.

          Regarding the example provided in the question, consider a misuse scenario where the system is compromised and an account is not disabled in a timely manner. Clearly, we would want to make sure that doesn't happen, and the standards’ only recourse is to classify the system as an EACMS and protect it.
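The answer above distinguishes a system that enforces the 24-hour removal window (part of the EACMS) from a report that only checks whether removal happened (an internal control). The following is an added example of that second kind of control, written for this page and not SERC's or any entity's own code: it correlates constructed HR termination records with constructed directory disable events and flags every account that was disabled late or not at all. The log format, system names and user IDs are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: HR termination records and directory (AD) disable
# events, one per line, all timestamps in UTC.  Format is an assumption.
SAMPLE_LOG = """\
2016-10-03T08:15:00Z HR termination user=jdoe
2016-10-03T20:40:00Z AD disable user=jdoe
2016-10-04T09:00:00Z HR termination user=asmith
2016-10-05T10:30:00Z AD disable user=asmith
2016-10-04T12:00:00Z HR termination user=bwong
2016-10-04T12:30:00Z AD disable user=never_terminated
"""

LINE_RE = re.compile(r"^(\S+) (HR|AD) (termination|disable) user=(\S+)$")


def parse_events(log_text):
    """Return ({user: termination_time}, {user: earliest_disable_time})."""
    terminations, disables = {}, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not one of the two event types
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        user = m.group(4)
        if m.group(3) == "termination":
            # keep the earliest termination for a user; the clock starts there
            terminations[user] = min(ts, terminations.get(user, ts))
        else:
            disables[user] = min(ts, disables.get(user, ts))
    return terminations, disables


def check_removals(log_text, limit_hours=24):
    """Map each terminated user to 'ok', 'late' or 'not disabled'.

    'late' means the first disable event came more than limit_hours after
    the termination record; 'not disabled' means no disable event exists.
    Disable events for users with no termination record are ignored.
    """
    terminations, disables = parse_events(log_text)
    limit = timedelta(hours=limit_hours)
    result = {}
    for user, term_ts in terminations.items():
        if user not in disables:
            result[user] = "not disabled"
        elif disables[user] - term_ts > limit:
            result[user] = "late"
        else:
            result[user] = "ok"
    return result


if __name__ == "__main__":
    for user, status in sorted(check_removals(SAMPLE_LOG).items()):
        print(f"{user:10s} {status}")
```

Running the block reports jdoe as ok (disabled about 12 hours after termination), asmith as late (about 25.5 hours) and bwong as not disabled. The report itself does nothing to the accounts, which is exactly why the answer places such a system in the internal-control category rather than in the EACMS.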

        • A:2/25/2015

          How does SERC plan to scale the volume of Low-impact entities? How many is SERC anticipating?

          SERC has conducted a CIP V5 survey with our registered entities, and is in the process of analyzing the results to provide outreach to the registered entities that have requested assistance. In addition, SERC will continue to provide outreach sessions throughout 2015 for registered entities that will be impacted by CIP V5.

        • A:10/16/2015
          Does SERC plan to do site visits for assets that contain Low Impact BES Cyber Systems?
          Maybe.  There is a wide variety in the scope and impact of low impact BES Cyber Systems, and SERC will target sampling and possibly site visits based on risk and impact.  For example, registered entities that have undergone a generation segmentation process at very large plants may require a site visit to ensure that the registered entity has completed the segmentation appropriately.  Similarly, large transmission stations may have both medium and low impact components, and SERC could assess the low impact portion during a medium impact site visit.  An audit of an entity that has only low impact BES Cyber Systems may include a site visit to a low impact field location if there is an on-site component to their audit.
        • A:10/16/2015
          How will physical controls be audited for assets containing Low Impact BES
          Cyber Systems?
          The key phrases for low impact physical security are “control access” and “based on need as determined by the Responsible Entity.”  The audit approach would ask a) how is access being controlled, and b) how is the Responsible Entity determining whether an individual _needs_ to have access.  The audit would examine the procedures being used to answer these questions, and may involve a site visit to ensure that access is being controlled as the procedure states.
        • A:2/24/2015

          Medium impact generation facility: Could there be cases when a forced outage could qualify as a CIP exceptional circumstance? 

          CIP exceptional circumstances have taken the place of the provision for emergency situations in Version 3. With that in mind, a weather emergency like a tornado or hurricane bearing down on the generation facility; a police action like a rail car of toxic gas that derails; a medical emergency within a protected area; or a fire at the facility requiring a general evacuation should qualify. The fact the generator itself caused a forced outage would not necessarily qualify. Areas should still be protected from unauthorized physical access, and cyber assets should continue to be protected from logical access.

        • A:10/16/2015
          Is a workstation used for badging considered PACS? Is a controller panel considered locally mounted hardware? 
          No, if the workstation is only used to produce access “badges.” Yes, if the workstation actually performs a logical task in regards to physical access control. A controller panel is considered to be a part of the PACS (especially if the device performs the logical function of physical access control). A locally mounted badge reader that does not perform logic tasks is considered hardware.
        • A:September 28, 2016
          When commercial software that contains open-source components is installed, are you required to look at those open-source components separately for patching or can they be included in the patch process for the commercial software?

          The registered entity is responsible for defining its patch source; however, there is an expectation for due diligence to mitigate vulnerabilities of installed software. Please refer to CIP-007-6, R2.1.

        • A:September 28, 2016
          Can a PSP exist within a PSP? How should further segmentations within a PSP be treated?

          Yes, a registered entity can have a PSP within a PSP; however, the definition of a PSP within a PSP will be based on the entity’s implemented access controls and authorization.

        • A:September 28, 2016
          If a vendor says that a required action is not technically feasible but the entity has determined it is possible, how should this be handled? Should a TFE be filed?

          If it is technically feasible, then a TFE is not required.

        • A:March 1, 2016
          Under CIP version 5/6, can visitor logs be amended on the same day even after the visitor has left the PSP for the day? Even longer?

          No, the expectation is that the logging process will provide accurate entry and exit times for each visitor at the time of the entry and exit.

          If logs are not being maintained accurately, consider whether a self-report is required.

        • A:10/7/2014

          Can inbound and outbound access controls be split between two interfaces/EAPs

          Possible answers following continued clarification.

          1. If this refers to separate interfaces on a device, the inbound and outbound controls cannot be split between the two interfaces, as the requirement is that inbound and outbound access controls are necessary on each interface.
          2. If referring to sub-interfaces on the EAP, Registered Entities will still need access control on each interface at the main interface level, as well as at the sub-interface level. Traffic would have to travel in both directions on the applicable interface and should have some type of access control for each direction.

          The answer may be NO, but there is a need to understand the device and the setup.
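Both parts of the answer come down to the same check: every interface and sub-interface on the EAP needs an explicit access control in each direction. The following is an added example, not code from SERC or from any vendor, of how an auditor or entity could run that check over a device configuration. It parses a constructed, IOS-style configuration (the interface names, ACL names and addresses are assumptions) and reports, per interface, any direction with no access list applied, an applied list that is not defined, or a list that ends up permitting everything.

```python
import re
from collections import defaultdict

# Constructed sample configuration in an IOS-like syntax (an assumption).
# Gi0/0 is the intended pattern; Gi0/1 and its sub-interface are the
# two split/missing cases the answer above describes.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description ESP-facing interface (assumed)
 ip access-group ESP-IN in
 ip access-group ESP-OUT out
!
interface GigabitEthernet0/1
 description corporate-facing interface (assumed)
 ip access-group CORP-IN in
!
interface GigabitEthernet0/1.10
 description sub-interface with no access control (assumed)
 encapsulation dot1Q 10
!
ip access-list extended ESP-IN
 permit tcp host 10.0.0.5 host 10.1.0.10 eq 22
 deny ip any any log
ip access-list extended ESP-OUT
 permit tcp host 10.1.0.10 eq 22 host 10.0.0.5 established
 deny ip any any log
ip access-list extended CORP-IN
 permit ip any any
"""


def parse_config(config):
    """Return (interfaces, acls).

    interfaces: {name: {"in": acl_name or None, "out": acl_name or None}}
    acls:       {acl_name: [rule, ...]}
    """
    interfaces = {}
    acls = defaultdict(list)
    current_if = current_acl = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current_if = current_acl = None   # "!" ends a block
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current_if, current_acl = m.group(1), None
            interfaces[current_if] = {"in": None, "out": None}
            continue
        m = re.match(r"^ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current_acl, current_if = m.group(1), None
            acls[current_acl]                 # register even if it stays empty
            continue
        if current_if is not None:
            m = re.match(r"^\s+ip access-group (\S+) (in|out)$", line)
            if m:
                interfaces[current_if][m.group(2)] = m.group(1)
        elif current_acl is not None:
            m = re.match(r"^\s+(permit|deny)\s+.*$", line)
            if m:
                acls[current_acl].append(line.strip())
    return interfaces, dict(acls)


def is_permit_all(rule):
    """True for a rule that lets every packet through."""
    return re.match(r"^permit ip any any( log)?$", rule) is not None


def audit_eap(config):
    """Map each interface to a list of findings; an empty list means
    an access list is applied in both directions and neither is open."""
    interfaces, acls = parse_config(config)
    findings = {}
    for name, applied in interfaces.items():
        problems = []
        for direction in ("in", "out"):
            acl = applied[direction]
            if acl is None:
                problems.append(f"{direction}: no access list applied")
            elif not acls.get(acl):
                problems.append(f"{direction}: access list {acl} is applied but has no rules")
            elif any(is_permit_all(r) for r in acls[acl]):
                problems.append(f"{direction}: access list {acl} contains 'permit ip any any'")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_eap(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On the sample, GigabitEthernet0/0 passes, GigabitEthernet0/1 is flagged for an open inbound list and no outbound list, and the sub-interface GigabitEthernet0/1.10 is flagged in both directions. A real audit would also have to confirm the permitted flows against the entity's documented access need, which this check does not attempt.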

        • A:10/30/2014

          During the 2015 CMEP Implementation Plan presentation this morning, it included forgoing CIP off-site audits for Registered Entities with no CAs or CCAs (below).  
          Does that apply if that same Registered Entity is transitioning from CIP V3 to CIP V5 that identifies a BES Cyber System having a High, Medium, or Low Impact Rating based on the bright-line criteria?

          2015 Monitoring Schedule

          • More audits to be considered as off-site activities rather than on-site.
          • Forgo CIP off-site audits in 2015, for entities with no CAs or CCAs

          For clarity, the question is: if a Registered Entity has no CAs or CCAs under CIP V3, then they start transitioning to CIP V5 and identify a BES Cyber System utilizing the CIP V5 impact rating criteria, would SERC still forgo the 2015 off-site audit?

          Yes, under the current CIP V5 transition guidance, SERC would still forgo the off-site audit. However, SERC could choose to use another compliance monitoring method (e.g., Spot Checks, Self-Certifications, etc.).   Reference:  NERC CIP V3-V5 Transition Guidance, Section 5

        • A:10/7/2014

          For those Registered Entities that had no assets under Version 3, will that impact their inherent risk assessment under RAI for Version 5?

          The number of Critical Assets as well as Critical Cyber Assets is considered when conducting an inherent risk assessment.  If a Registered Entity had no such assets under V3 but will have Medium or High BES Cyber Systems under V5, the risk assessment team would assess the impact of including those assets against the ERO/Regional Risks.  The risk assessment team would also consider the impact rating of these newly identified assets, compliance history, and previous CMEP monitoring methods/frequency, among other items.

        • A:10/7/2014

          What is SERC's expectations for tracking dates during the transition to V5?  May we do it by Requirement, device, site level, system?  Will a final date that all systems were switched to V5 be acceptable?

          Registered Entities will need records of implementation to support the partial and transitional phase of implementation into CIP V5.  Registered Entities will also need records documenting the date an asset is moved into CIP V5 from CIP V3 until CIP V5’s date of compliance becomes active.  New assets should be developed and implemented into CIP V5 from their start.

        • A:10/7/2014

          Are there any expectations/reviews by SERC of utilities' progress toward moving to Version 5 prior to the April 1, 2016 implementation date?

          For Registered Entities that are scheduled for onsite audits during the transition period, the goal of the ERO is to spend at least 50% of the time reviewing the Registered Entity’s CIP Version 5 program.  For others, NERC has a Security Reliability Program (SRP) where NERC and regional personnel will come onsite to review and assist a Registered Entity in transitioning to CIP Version 5.   More details can be found on the NERC website under Initiatives, CIP V5 Transition Program, Security Reliability Program.  This program was formerly known as the Sufficiency Review Program.  In addition, SERC plans on expanding the NERC SRP and creating a regional SERC SRP.  The details are still being developed, but it will be based on the NERC SRP with guidance from NERC SMEs.  Further, if a Registered Entity requests SERC to review its transition progress, SERC can host the Registered Entity at the SERC office.  Please contact your single point of contact, CIP auditor, or email cipv5@serc1.org.

        • A:10/7/2014

          Can utilities move to Version 5 progressively (as in a few Standards or even a few Requirements at a time)?

          Yes – Registered Entities are encouraged to move aggressively to CIP V5 in an effort to achieve complete compliance by the applicable dates of compliance.  CIP V5 implementation is not a light switch that can be magically turned on at the date of compliance.  Registered Entities will need to make changes in processes, procedures and infrastructure in order to support the transition to CIP V5.  Records of implementation are required to support the partial and transitional phase of implementation into CIP V5.  Also, records documenting the date an asset is moved into CIP V5 from CIP V3 are required until CIP V5’s date of compliance becomes active.

        • A:2/13/2013

          If your Reliability Coordinator (RC) has agreed to be your TOP through a contractual agreement, does your control center fall within the “medium” or “low” criteria for CIP?  If “low,” does this change to a “medium” if your control center can operate BES equipment that the RC control center cannot?

          The answer depends on the functions being performed in the control center for one or more of the assets that meet the criterion of CIP-002-5, which determine whether the BES Cyber System is classified in the High-Medium-Low Impact Rating. However, as suggested by the question, the Impact Rating of an asset could be raised or lowered based on the transfer of these functional obligations to another Registered Entity in a contractual agreement.

        • A:10/16/2015
          If SERC has outsourced their IT organization, who is supporting access to registered entities’ PEI?  Who is vetting the admins from that group and the whole process for protecting that information?
          Currently SERC has contracted with Walser Technology Group (WTG) to maintain the SERC IT infrastructure.    WTG has been performing work for SERC for the last several years, so they do not represent a new or unknown risk.  Employees of WTG are subject to the same background screening (PRA) as any SERC employee.  The process for protecting PEI has become more stringent since WTG took over the IT function. The methods of PEI transfer have been greatly restricted.  Once the PEI is in SERC’s hands, it is scanned for viruses on a non-networked SERC laptop, before being transferred via sneaker net to the SERC PEI server. The PEI server is located inside its own enclave, and is accessible only via a dedicated VPN appliance.  Access to this server is limited to SERC employees with a demonstrated need-to-know, and each such employee has a separate user name and password for VPN access to the PEI server.  PEI remains on SERC assets throughout the process.
        • A:11/14/2013

          Moving forward, is it possible to allow a Registered Entity to store CIP protected information used in preparation for an audit (ahead of the audit) rather than sending the information to SERC?  There are specific concerns about sharing information related to CIP-005 and CIP-007.

          Most Registered Entities have reviewed SERC’s PEI program, which was designed to conform with general cyber security best practices; and have seen the value of minimizing the on-site audit time and process. While SERC is willing to further explain the PEI process to assuage any specific concerns a Registered Entity may have, this is a necessary tool to improve our audit process.

        • A:March 1, 2016
          Under which conditions would modifications to visitor logs be permissible? Could an entity define the process within their internal procedures?

          Modifications to the visitor logs are not allowed. However, based on discussions with NERC, where a minor mistake is made, logs may be appended with a written and signed comment with an explanation. It may make sense for the procedure to identify individuals that are authorized to make such corrections.  However, if this is a common problem, you may need to revisit the visitor log approach or education for the program. “Filling in” entries after the fact is not permitted.

        • A:3/18/2014

          Is SERC planning on doing anything from a Regional level related to the recent Physical Security Order?

          SERC has a number of activities planned related to the Physical Security Order.  Plans include outreach through the scheduled 2014 fall Compliance seminars and SERC CIP Committee meetings, as well as focused webinars, if needed.  SERC Reliability Services staff will also conduct on-site visits with Registered Entities upon their request to assist in components of CIP-014.

        • A:11/14/2013

          Under CIP Version 5, do physical security perimeters need to be defined in three dimensions or, for example, would a fence around substation or a generating plant suffice?

          The CIP-006-5 Standard states in Section 4: “While the focus is shifted from the definition and management of a completely enclosed “six-wall” boundary, it is expected in many instances this will remain a primary mechanism for controlling, alerting, and logging access to BES Cyber Systems. Taken together, these controls will effectively constitute the physical security plan to manage physical access to BES Cyber Systems.” 

          That being stated, at a Generating Plant or Substation, it may not be possible to produce a six-wall boundary in many circumstances. While a fence is a good start, it could be considered one layer of physical protection, but should not be the only mechanism. According to CIP-006-5, the aim is “physical security defense in depth via multi-factor authentication or layered Physical Security Perimeter(s).”

      • A:12/21/2015
        What is the difference in general, for the NERC Reliability Standards Enforcement Date vs. Effective Date? NERC's webpage of Enforcement Dates indicates the Enforcement Date is the date on which the standard becomes mandatory and enforceable in accordance with the existing laws of the jurisdiction and the approval granted by the regulatory authority.

        Within the Implementation Plans the effective date is used.

        • When is an entity required to demonstrate compliance? Enforceable or Effective Date?
        • Is the Enforcement Date and Effective Date the same?
        • What is the effective date?
        • What initial date should be used to calculate "the first calendar day of the ninth calendar quarter" (example from CIP V5)? 

        Effective date is defined in the NERC Rules of Procedure as “the date or pre-conditions determining when each Requirement becomes effective in each jurisdiction.”  The effective date is used in FERC Orders, Reliability Standards and implementation plans to identify the date from which to calculate the mandatory enforcement date.

        The term Enforcement Date is not in the NERC Rules of Procedure, but is used by NERC to describe the date at which a registered entity must comply with a Reliability Standard or requirement. 

        For example, PRC-005-2 was approved by FERC on 12/19/2013.  The regulatory approval date, normally 60 or so days after being published in the Federal Register, was February 24, 2014.  The effective date was the 1st day of the 1st calendar quarter following regulatory approval (April 1, 2014).  The enforcement date or 100% compliant date for R1, R2 and R5 was 12 months following applicable regulatory approval (April 1, 2015).

      • A:6/30/2016
        We may be upgrading a facility’s excitation equipment. Is there a Reliability Standard or SERC criteria that references any notifications, we need to perform prior to installation? If so, what is that time constraint?

        From an operations standpoint, TOP-002-2.1b, R3, R14 and TOP-003-1, R1 require coordination of generator availability prior to the outage. If the generation unit is going to be unavailable for more than six months, the outage has to be coordinated with the Transmission Planner and Planning Coordinator through the planning model process per TPL-001-4, R1.

        When changes are made to excitation equipment, PRC-019-2, R2 (effective July 1, 2016) requires Generator Owners to coordinate equipment or setting changes that affect Protection System settings within 90 calendar days following the identification or implementation of such changes. MOD-026-1 R4 requires each Generator Owner to provide revised model data or plans to perform model verification (in accordance with Requirement R2) for an applicable unit to its Transmission Planner within 180 calendar days of making changes to the excitation control system or plant volt/VAR control function that alter the equipment response characteristic.

      • A:December 8, 2016
        Description of the Violation, Issue, or Trend

        Entities discover that they have attributed incorrect Facility ratings, performed incorrect or inadequate maintenance and testing practices, and established inadequate Protection System setpoints. These issues relate to legacy systems and related documentation, procedures and practices that predate the initiation of mandatory and enforceable Reliability Standards. 

        Risk Considerations
        N/A

        Description of Mitigation Activity
        These violations have a broad range of possible risks. Inaccurate Facility ratings may result in inadequate contingency planning and unplanned outages. They reach into long-term planning and Available Transfer Capability. Inadequate maintenance and testing practices may result in Protection System misoperations. Errors in establishing relay setpoints may cause premature generator trips and incorrect relay coordination. All of the above reduce the reliability of the Bulk Power System.

      • A:October 18, 2016
        Can SERC elaborate on upcoming changes to the ICE program? Is the current ICE template still the effective template / program?

        The internal controls evaluation program is or will be going through changes. The ERO Enterprise (Regions and NERC) is evaluating the current program and is expecting to make changes.

        • A:May 14, 2015

          Please confirm whether SERC or any other NERC region provides certification for its compliance auditors.

          NERC and SERC do not provide certifications for auditors but do support ERO and Regional audit staff getting applicable audit certifications from the appropriate providers. NERC does have a “NERC Certified System Operator” certification, and several SERC auditors hold that certification.

        • A:December 14, 2016
          Description of the Violation, Issue, or Trend
          Entity provided table tents with the names of their subject matter experts and SERC Auditors during the audit. This facilitates the audit questioning process and SERC's ability to effectively document who said what with correct names. 

          Risk Considerations
          N/A

        • A:2/24/2015

          When is SERC planning to release the 2016 audit schedule?

          SERC will begin working on the 2016 audit schedule around May 2015, and it should be finalized and published around the first week of November 2015.

        • A:6/22/2015

          Description of the Violation, Issue, or Trend
          Registered entities have used legal or the Primary Compliance Contacts to act as a spokesperson/mediator instead of permitting the Subject Matter Experts (SMEs) to directly interact with SERC auditors.

          Risk Considerations
          This could slow the progress of the audit or hinder the SERC auditors’ ability to capture the actual process or walk-through in the documentation.

          Other Factors or Comments
          Auditors should have direct access to SMEs to permit the efficient and effective capture of evidence and knowledge. This will assist with the progress of the audit, and will get employees back to normal work assignments.

        • A:2/25/2015

          Would SERC be willing to commit to making their audit plans, RSAWs, work papers, etc. available to registered entities (drafts and final documents)?

          SERC believes in transparency and walks each registered entity through the audit process and expectations. However, SERC will not be sharing finalized RSAWS or work papers.

        • A:September 13, 2016
          Description of the Violation, Issue, or Trend
          A key element of auditing is to validate that the evidence being reviewed is complete and accurate. When the evidence is a list or spreadsheet that has specific criteria to be met, the auditor must verify that all elements that may be applicable are vetted, and that the decision to include them or exclude them is accurately executed. In some cases, this will require including items that will be excluded from the list because they do not meet the required criteria. For example, while distribution substations are generally out of scope for NERC CIP Requirements, there are specific cases where they will be in scope. For example, if a distribution substation is part of a Special Protection System or a required part of a Blackstart cranking path, that substation may contain Low Impact BES Cyber Systems and thus be subject to the CIP Requirements. The best practice is to document everything that is vetted and could, under specific conditions, be assessed as in scope for the Requirement.

          Risk Considerations
          N/A

          Description of Mitigation Activity
          N/A

        • A:January 12, 2017
          We are implementing a new compliance software solution that has the ability to control the electronic approval of documents.  Is this evidence acceptable to SERC, or will we still be required to have an actual "wet" signature on all of our compliance documents that require signatures?

          Electronic approvals or signatures are acceptable as evidence.

        • A:March 1, 2016
          Are standards and requirements being removed from audit scope based on SERC conducting an entity IRA, or can audit scope only be decreased by participating in the ICE program?

          The IRA conducted by SERC will result in the initial compliance monitoring scope for the registered entity.  Upon completion of the IRA, the summarization will be shared with the entity, and it’s the entity’s opportunity to identify possible errors (e.g., incorrect information, etc.).  Once the entity responds, SERC also ensures that it has not missed any key data points or information.  Based on the Entity and SERC’s additional reviews, there could be an increase or reduction of standards/requirements based on what information may have changed.  For example, SERC has conducted additional reviews and found that not all of the Implementation Plans (NERC/SERC/Other Region for MRRE) were properly selected in the “IRA Tool.” Therefore, an entity’s audit scope may have appeared to increase. However, it wasn’t necessarily an increase but an error correction.  For those entities that have received their IRA summarizations, SERC does see a decrease in the number of standards and requirements monitored via audit from previous years.  Those numbers vary based on the characteristics of the entity. 

          The IRA process is one of the initial steps in risk-based compliance monitoring. Information is assessed against risk factor criteria, which in turn have been mapped to standards and requirements.  There is some professional judgment that is used in the IRA process. However, SERC primarily uses the Internal Controls Evaluation to potentially reduce the monitoring scope.

        • A:March 1, 2016
          Can SERC provide some metrics on how many entities have had requirements removed/added to audit scope based on a SERC IRA or participation in the ICE program? If so, were any entities registered as a BA, TOP, or RC?

          The IRA process does not remove standards/requirements from the audit scope. There is no longer an Actively Monitored List for entities. Therefore, the starting point for standards/requirements in scope is ANY standard or requirement that is applicable to the function for which the entity is registered.  The NERC/SERC Implementation Plans add additional focus to identified risks, and then the entity’s characteristics determine the rest.

          SERC has had approximately 12 entities “formally” participate in Internal Control Evaluations.  There has not been any reduction of standards/requirements based on ICE, but there have been many instances in the reduction of sampling. The entities that experienced a reduction in sampling were registered as a BA, TOP, or RC.

          How much time / effort is being saved and by whom?  Is it too early to tell?  Has the efficiency of using the above to target requirements based on risk been realized?

          The implementation year was 2015, and SERC, as well as the registered entities, has spent a lot of time and resources in reviewing, implementing, and developing internal controls. SERC expects that the efficiency will be realized in year two or three of the program once greater clarity is gained around expectations and as the controls mature.

          Will SERC make the current ICE form available to entities who have not participated?

          The ICE process is detailed on the SERC website, and the Internal Controls Survey template is available to the public.  SERC has worked with other entities that have declined ICE participation.  Based on resources available, SERC will provide the spreadsheet and a couple of risk factors (mapped to standards/requirements) and will work through the process with an entity.  Although it may not impact the current compliance monitoring engagement, it may provide training to the registered entity for Internal Control development and implementation.


        • A:6/22/2015

          Description of the Violation, Issue, or Trend
          Registered entities have had issues with data/evidence retention in past audits. During the span of the audit periods, registered entities have lost or not retained all audit evidence.

          Risk Considerations
          If registered entities do not have an established document retention program, information can be lost; this could lead to an issue of noncompliance.

          Other Factors or Comments
          Registered entities should establish a process for retaining their audit documentation/evidence. In addition, a back-up person should know the process and periodically audit it to make certain the evidence is whole, complete, and accurate.

        • A:2/24/2015

          Does SERC plan to publish the standardized data request for audits? If so, what is the anticipated publication date? (For example, a population of assets and format) 

          No. SERC will continue to make data requests as is currently done.

        • A:2/25/2015

          How will data sampling and selection be handled?

          Sample sizes may be determined in part by the results of the optional Internal Controls Evaluation (ICE). If a registered entity chooses to participate in ICE and is found to have good internal controls, auditors will likely opt for a smaller number of samples. Sample selection will depend upon the Standard and Requirement involved, but will typically be a mix of statistical randomness and professional judgment. An application called RAT-STATS (Regional Advanced Techniques Staff-Statistical, an audit tool used by US Department of Health & Human Services) is used for random sampling from a numbered list. Professional judgment generally aims to include a representative mix of samples, but can also be used to hone in on historic problem areas.

        • A:10/16/2015
          Where does the ISME program stand for CIP audits going forward?  Can the ISME participate in the off-site part of the audit?
          It will continue into 2016.  Yes, the ISME may participate in the off-site portion of the audit. The Audit Team Lead is responsible for assignments. See additional information about the ISME program.
        • A:2/24/2015

          SERC’s pre-audit survey: If SERC is asking questions to determine a registered entity’s risk, how are they using these questions to determine a registered entity’s risk? Is cost a factor? Who has access to the information provided by the entity? Some of the questions are not directly related to a particular standard. (Example: List all fuel contracts; the number of spare transformers on site; the turnover rate)  
          QUESTION:  What is the risk of not responding to pre-audit survey questions?

          The pre-audit survey has been modified to only include logistic type of information, while the risk-based questions are now asked in an IRA questionnaire.  Each IRA questionnaire is specific to a registered entity; and consists of questions directly related to ERO or Regional identified risks, which are mapped to Standards/Requirements. SERC Reliability and Compliance personnel have access to the information. However, it is protected to ensure only personnel with a need to know have access. SERC creates the IRA questionnaire based on information that the Region currently has on the registered entity. If a registered entity chooses not to respond to the questionnaire, the Inherent Risk Assessment may not correctly reflect the level of risk that the entity could pose to the BPS.

        • A:March 1, 2016
          Given that an entity may choose to perform a compliance task more often than a standard may require as part of an internal control, if that entity fails to perform that action as scheduled but within the timing requirements of the standard, will the auditors hold the entity to its own stated schedule or to that of the standard?

          That would depend on the specific standard and how the process document is written.  You may want to re-evaluate the effectiveness of the control. PRC-005-1.1b had no testing interval defined, and the entity was/is required to meet their own defined schedule.  PRC-005-2 defines the testing interval, but also caveats that, if the entity has a shorter interval and misses it but meets the defined interval, they still remain compliant.

          Entity Assessment Single Point of Contacts would hold the entity accountable to the language of the Standard/Requirement.

          If the standard has a specific requirement and the requirement is met, even if the entity procedure is greater than the requirement, we will audit to the standard. If the requirement is to develop and implement a program, we will audit to that program.

        • A:12/1/2015
          There are several versions of RSAWs out there. In the past (our last audit), we used the format you showed in this presentation for both the O&P and CIP audits.  However, the new format coming out now has a table version of this information.  We were assuming that the new format should be used, regardless of what is pre-printed in the blank RSAW.  With audits coming up next year, what format do you want us to use for consistency?

          Generally, you may use the format that is in that particular RSAW for that particular standard. Communication with your audit team lead (ATL) is very important. Talk with your ATL regarding formatting of the RSAWs for your particular audit, if you have additional questions. The RSAWs for your audit will be placed on the SERC Portal in the audit committee for your audit in the blank RSAWs folder.

        • A:10/16/2015
          Please provide guidance on how auditing is done within shared facilities (for example, a substation with systems from two registered entities).
          Auditing is performed as defined in the Audit Detail Letter which defines the scope of the audit.

          In cases where more than one entity has BES Cyber Assets or BES Cyber Systems at a facility, there should be a written agreement that defines the responsibilities of each entity. For example, if one entity is providing all physical access control for a medium substation, that should be clearly documented. If a Possible Violation were found, the auditors would expect the second entity to review the information and consider appropriate action they should take to maintain their compliance with the standards (this could be a Self-Report).

        • A:3/18/2014

          How are attestations to be handled? When should attestations be updated and signed?

          Attestations should be worded to cover the entire current audit period and cover all elements of the Requirement.  A Registered Entity may sign and date attestations anytime from the date of the Audit Detail Letter to the date of the onsite portion of the audit.  However, the Registered Entity must notify the Audit Team Lead if the conditions of the attestation change after signing and dating it.  The Audit Team Lead will be able to provide a Registered Entity more information on the timing and specific wording of different attestations.

        • A:3/18/2014

          Regarding consistency of the process for the two-week post-audit period, what is that process?

          During the two-week period after an audit, SERC reviews the major decisions of the audit team.  The audit team returns to SERC headquarters with the audit results, and SERC management reviews the major decisions to ensure consistent treatment of Registered Entities during the audit process.

        • A:9/30/2014

          What is the ERO and the Regions’, specifically SERC, plan for those Registered Entities on a six-year audit cycle?

          NERC’s guidance is to do away with the six-year audit cycle, and SERC will support this along with the other Regions.  All Registered Entities are on a long-term schedule, and those previously identified as being on a six-year audit cycle will be assessed based on regional risk to the BES to determine if they can be monitored by another method (i.e., reduced scope, off-site audit, Spot Check, or Self Certification).

        • A:3/18/2014

          Does SERC perceive that NERC is driving more audit consistency across the RROs?

          Yes, NERC is driving more audit consistency, specifically with the Reliability Assurance Initiative (RAI) and the implementation of the Auditor Checklist and Handbook.  NERC is engaged with all eight Regional Entities in the RAI activities.  The purpose of the RAI is to promote consistency in audit scoping and processes and in audit team composition and qualifications.  Additionally, the Reliability Standard Audit Worksheet (RSAW) Working Group, which is comprised of representatives from NERC and all eight Regional Entities, is working to bring more consistency to approaching audits through the use of the RSAWs.

        • A:10/5/2014

          Description of the Violation, Issue, or Trend
          Now that Registered Entities are providing audit evidence for review well in advance of the onsite audit, SERC auditors are facing new challenges when evaluating the evidence.  Most requirements warrant several evidence files each, however, when faced with several files at once, it can be difficult to know where to begin.  Sometimes, there is valuable introductory information in one of the files but auditors may not become aware of that information until after working through several other files.  Furthermore, since every Registered Entity uses a different combination of tools and approaches, the meaning of an individual file can be difficult to understand as auditors may not know what application generated the file or what parameters were used.

          Risk Considerations
          The most important risk posed by this problem is that auditors will misunderstand the evidence being presented and will arrive at an incorrect conclusion.  This could result in the incorrect issuance of a Possible Violation or, conversely, could result in failure to detect a serious compliance issue.  However, it is much more likely that the audit team will find it necessary to schedule additional conference calls with the Registered Entity in order to alleviate confusion, which requires the investment of significant additional time from SMEs.  This could make null one of the key benefits of the off-site documentation review.

          Description of Mitigation Activity
          Registered Entities could greatly aid the speed and efficiency of the off-site portion of the audit and reduce the time demands placed upon the SMEs by providing a small amount of explanation with each group of evidence files.  A simple text file entitled “ReadMe” could be used to give auditors some background information on the evidence files being submitted, such as the best order in which to review the files.  In cases where an evidence file consists of system-generated output, the ReadMe file could include such details as the name of the application that generated the output, what reporting parameters were used to generate the output, and/or which of a spreadsheet’s columns are pertinent to the Requirement in question.

        • A:3/18/2014

          Registered Entities were originally told there would be a cut-off date for audits (only looking at compliance information up to that date).  But now, Registered Entities are being told that SERC staff is looking at information up to the date of the audit. This means extra attestations, data, and work.  Why carry an audit scope up to the date of the audit?

          In accordance with the NERC Rules of Procedure Appendix 4C Compliance Monitoring and Enforcement Program (CMEP), SERC defines the End Date of the audit period as the date the Audit Detail Letter is issued to the Registered Entity (which is at least 90 days prior to the commencement of a regularly scheduled audit).  If the SERC audit team discovers a potential noncompliance occurring subsequent to the End Date, the potential noncompliance will be subject to a Preliminary Screen pursuant to Section 3.8 of the CMEP.

        • A:10/5/2015

          Description of the Violation, Issue, or Trend
          One of the key benefits of SERC’s Reliability Assurance Initiative (RAI) pilot program has been that it permits reductions in audit scope and scale, allowing SERC auditors to focus on the higher-risk Standards and Requirements. However, there have been some misunderstandings as to the practical workings of the RAI principles.  One common misconception has been that the reduction in audit scope would result in a shorter, less rigorous audit.  That is not the case.  One of the benefits of removing low-risk requirements from an audit is that the audit team can then use that extra time to focus more intently on the requirements that warrant more attention.

          Risk Considerations
          Underestimating the rigor of an audit could lead to SMEs not being adequately prepared with the appropriate supporting evidence.

          Description of Mitigation Activity
          Registered Entities should work internally to foster realistic expectations in advance of an audit.  The SERC audit team will make use of the entire scheduled site visit even in cases where the audit scope has been reduced.  The Registered Entity should expect that the in-scope requirements will be tested more rigorously because those requirements have been deemed to represent a higher risk.  It is also important to remember that SERC may increase or decrease the focus of their review during the audit.

        • A:9/30/2014

          Is SERC scaling back on the ISME compliance audit participation?  Is the participation only going to be for documentation and evidence review and not for the on-site part of the audit?

          No, SERC is not scaling back on the ISME participation.  Because SERC is now doing more pre-audit evidence reviews, there may, at times, be less need to spend the full week on site.  Also, there may not be a need for the entire audit team to be on site.  It is at the Audit Team Leader’s discretion as to whether the entire team is needed on site or not and which team members are needed most.

        • A:3/18/2014

          If a Registered Entity provides mock audit information, how will that information be used? (In the Pre-Audit survey, SERC staff asks if the Registered Entity has done any pre-audit mock audits. If the response is yes, SERC staff requests the information.)  Is there a draft process for this?

          Using mock audit information can reduce the work required for a Registered Entity’s audit. Generally Accepted Government Auditing Standards (GAGAS) (The Yellow Book) permits auditors to utilize the work of others when performing audits or compliance reviews.  In accordance with this guidance, SERC auditors have drafted a process that allows the team to utilize the results of mock audits in lieu of testing every individual Reliability Standard and Requirement under certain conditions.

        • A:3/18/2014

          What is SERC’s risk assessment leading into the audit going to be? Fully subjective? Objective?  In the past this has been subjective. Has this been re-thought? Once scope is determined, is it going to be applied to all compliance monitoring or just the audit?

          SERC's risk assessment will be based on common risk criteria that will be applied to all of its Registered Entities.  All audit engagements entail professional judgment by the risk evaluators and audit staff.  However, by ensuring common risk criteria and common risk thresholds, SERC staff will ensure a more consistent approach across Registered Entities.  RAI will affect the scope and implementation of all CMEP activities.

        • A:12/31/2014

          Description of the Violation, Issue, or Trend
          In preparation for compliance audits, Registered Entities are asked to fill out the relevant Reliability Standard Audit Worksheets (RSAWs).  Depending on the scope of the audit, completing this step all at once may monopolize the Registered Entity Subject Matter Experts’ (SMEs) availability for a significant time period.

          Risk Considerations
          One of the most important risks is that limitations on their availability may lead Registered Entity SMEs to rush the process of filling out the RSAWs, resulting in incomplete or unclear information being supplied to auditors.  As a result, auditors may misunderstand the evidence being presented; and may arrive at an incorrect conclusion.  This could result in incorrect issuance of a Possible Violation or, conversely, could result in failure to detect a serious compliance issue.  However, it is much more likely that the audit team will find it necessary to schedule additional conference calls with the Registered Entity in order to alleviate confusion.  As such, the more prevalent risk is that the audit team will require Registered Entity SMEs to invest significant additional time. 

          Description of Mitigation Activity
          Treat the RSAWs as "living documents."  Rather than filling them out once every audit period, keep them updated as environments and processes change.

          Other Factors or Comments
          Because the RSAWs serve as auditors' work papers, becoming familiar with them will also aid SMEs in understanding what auditors look for during the audit.

        • A:12/9/2015

          Description of the Violation, Issue, or Trend
          In preparation for compliance audits, registered entities are asked to fill out the relevant Reliability Standard Audit Worksheets (RSAWs). Depending on the scope of the audit, completing this step all at once may monopolize entity SMEs’ availability for a significant time period.

          Risk Considerations
          Perhaps the most important risk is that limitations on their availability will lead entity SMEs to rush the process of filling out the RSAWs, resulting in incomplete or unclear information being supplied to auditors. As a result, auditors may misunderstand the evidence being presented and may arrive at an incorrect conclusion. This could result in an incorrect issuance of a Possible Violation or, conversely, could result in failure to detect a serious compliance issue.  However, it is much more likely that the audit team will find it necessary to schedule additional conference calls with the registered entity in order to alleviate confusion. As such, the more prevalent risk is that the audit team will require the investment of significant additional time from entity SMEs.

          Description of Mitigation Activity
          Treat the RSAWs as "living documents". Rather than filling them out once every audit period, keep them updated as environments and processes change.

          Other Factors or Comments
          Because the RSAWs serve as auditors' work papers, becoming familiar with them will also aid SMEs in understanding what auditors look for during the audit.

        • A:3/18/2014

          There is a lack of clarity on what SERC is really going to do and the timing of site visits.  Registered Entities need more information in order to have the right people on site, extra escorts, etc.

          Site visits are normally conducted during the onsite portion of the audit.  The Audit Team Lead (ATL) will be the Registered Entity’s point of contact during the audit and will provide detailed information on what will take place and when.  The ATL will inform the Registered Entity well ahead of time when the site visit will need to take place, how many SERC staff will be attending, and will be as accommodating as possible.

        • A:10/30/2013

          How will the "Audit Checklist" that NERC is proposing differ from the CANs (i.e., guidance without any regulatory basis)?

          The Audit Handbook that will be provided to the ERO Compliance Auditors is to assist the auditors in performing audit activities in a consistent, time-sensitive manner and will not incorporate audit guidance without regulatory basis.

          There is an ongoing effort by NERC to incorporate CANs and other audit guidance into the new RSAW templates for 2014 but it is a separate and distinct project from Auditor Handbook.

        • A:10/30/2013

          Is there a NERC or SERC process in place for the registered entity to ask questions about the evidence the Auditors will look for on a specific requirement, if the RSAW doesn't provide that type of insight?

          No, there is not a SERC or NERC process where Registered Entities can ask for specifics of audit evidence details other than at workshops and seminars like the ones conducted by SERC twice a year. All Registered Entities do things differently. However, every Registered Entity should end up with the same results (outcome) when it comes to compliance with the NERC requirements. The CEAs will always audit to the wording in each Requirement. It is up to the Registered Entity to provide the evidence that will demonstrate compliance to the CEA during the audit process. For example, processes, procedures or records.

          It is not sufficient to merely regurgitate the Standard/Requirement as a demonstration of compliance. For example, regarding FAC-008-3 R1, R2, and R3, it will be the responsibility of the Registered Entity to present the specific means by which it derives its Facility Ratings for each component listed in the requirements.

          Pay special attention to words like “shall have” or “must have” to make sure that all aspects required in the Requirements are covered, including how the things in the wording of each requirement are performed (HINT: If you do not have any Series or Shunt Compensation elements in the Facility, stating that fact in the Facility Rating Methodology is a means of demonstrating that this element has been addressed.).

          Neither NERC nor SERC is going to tell or suggest how a Registered Entity is to run its business. SERC Compliance Monitoring is always willing to give broad examples of the type of information that it has seen as satisfactory evidence in previous audits and to share industry best practices.

        • A:11/14/2013

          Will the auditor handbook be made available to Registered Entities once it's developed?

          The availability of the Auditor Handbook is subject to NERC review and approval. SERC will make the information available per NERC’s direction. 2014 is a transition year; and thus, the handbook will likely not be available to Registered Entities until the end of 2014.

        • A:10/30/2013

          If during the ICP review a question of an expansion of the audit scope is identified – is it a group decision of the audit team or just the lead auditor?

          Expansion of audit scope during an audit is usually an Audit Team decision based on evidence reviewed during the audit. The ultimate decision is made by the Audit Team Lead.

        • A:2/13/2013

          If you have a consultant preparing your documentation for an audit, can he, or a representative of his firm, act in the role of primary or secondary SME?

          If a consultant represents a registered entity as a subject matter expert (SME), that person needs to be an "authorized representative" on behalf of the registered entity. Also, remember that SERC's confidentiality agreements are with the registered entities, and not consultants.

        • A:11/14/2013

          What criteria will be used to evaluate/qualify those who prepare an entity's Independent Audit Review (IAR)?

          GAGAS standard auditing guidelines, industry credentials and experience.

        • A:11/14/2013

          Who besides an internal auditor or an external audit contractor would meet SERC's approval?

          Independent and objective third parties as defined in the standard auditing guidelines.

        • A:11/14/2013

          What standards should an entity's Independent Audit Review (IAR) meet in order to be acceptable documentation to SERC?

          Acceptable documentation should include an independently prepared in-depth, detailed, comprehensive review of compliance with the NERC Reliability Standards. SERC would expect to see standard audit work papers with evidence included. In addition, SERC would expect to see an explanation of how samples were selected from an overall population.

        • A:2/2/2015

          I understand SERC is moving to guided self-certifications for the six-year entities. Where can I find more information on the SERC program for the six-year entities?

          The 2015 SERC CMEP Implementation Plan is posted on the SERC and NERC web sites. Starting in 2015, SERC will use the monitoring method known as guided self-certifications, along with other monitoring methods, to assess compliance. Guided self-certifications are a form of the traditional "annual" self-certifications currently in use. The term "guided" was chosen, and is used in several Implementation Plans of other regions as well. The guided self-certifications will be used for Low Risk requirements, in what some six-year registered entities may have experienced as an off-site audit. The scoping and monitoring method is dependent upon a registered entity's Inherent Risk Assessment (IRA). SERC staff is now in the process of completing the IRAs for registered entities that are currently on the 2015 audit schedule, and expects to have these completed by May 1, 2015. SERC hopes to have IRAs for the remaining registered entities done soon afterward. If the method of guided self-certifications is used, the electronic form will be posted on the SERC Compliance Portal. The appropriate registered entities will fill out the form explaining how they are compliant, then list and attach evidence of compliance to the form. SERC anticipates that these will be done on a quarterly basis starting after the first quarter. More information on this and other compliance approaches will be discussed at the next Compliance Seminar scheduled for February 24-25, 2015.

        • A:12/1/2015
          Can you provide specific guidance regarding the Self-Certification and audit process for 2015/2016? What is SERC’s plan over the next couple of years for implementing the CMEP?

          SERC will continue to have a yearly Implementation Plan, and Compliance Monitoring activities will be dependent on the results of a registered entity’s IRA. Traditional “annual” Self-Certifications have been eliminated. SERC, along with other regions, is now using Guided Self-Certifications instead, which look at lower risk requirements.

        • A:10/16/2015
          Please provide an update on Self-Certifications.
          The IRA process will drive the guided self-certification for registered entities.  The guided self-cert is more than the typical self-cert as SERC will require the entities to submit evidence to demonstrate compliance.  It may be compared to an off-site audit, because the auditors will review the evidence and may ask questions as needed.  Registered entities may see guided self-certifications for standards/requirements related to medium/low risks identified in IRAs.  For entities that have gone through the IRA process, the IRA summarization would have that schedule on it.
        • A:3/18/2014

          What is the foreseen benefit of having the Self-Certifications submitted all at one time? Why do this so quickly? (April is a really quick turn-around and a tough transition.)  Also, will this be implemented with a lack of a comment period?

          NERC and all Regions are striving for consistency across the Electric Reliability Organization (ERO).  All Regions are moving to the same schedule and same filing period starting in 2015.  Once this occurs, Registered Entities registered in multiple Regions will no longer have to track various schedules.  In 2014, SERC will transition to the new schedule.  In order to accomplish this and to complete the SERC 2014 CMEP Implementation Plan, SERC will require a submittal in August 2014.

        • A:12/1/2015
          What is the percentage of self-reported violations reported to SERC that have been dismissed within the last two years?

                                 2014-2015   Last 24 Months   2013   2014   2015
          Self-Reported          212         224              221    128    84
          Dismissed              44          46               77     30     14
          Percentage Dismissed   21%         21%              35%    23%    17%

          Including Self-Certification issues:

                                 2014-2015   Last 24 Months   2013   2014   2015
          Self-Certified         15          15               8      6      9
          Self-Reported          212         224              221    128    84
          Total Reported         227         239              229    134    93
          Dismissed              50          52               78     32     18
          Percentage Dismissed   22%         22%              34%    24%    19%

           

        • A:2/13/2013

          Please comment on “Self-Report credit” if you Self-Report after audit notification.

          In general, after an audit notification, you will not receive Self-Reporting credit. If an issue occurs during the audit notification period, SERC staff will review the facts and circumstances to determine if credit is appropriate. 

        • A:2/13/2013

          I keep hearing about Self-Reporting.  While I understand it identifies that you are “being honest”, does Self-Reporting eliminate the possibility of fines/enforcement actions vs. the issue being found during an audit?

          No, Self-Reporting does not eliminate the possibility of penalties and sanctions. Penalties and sanctions are determined based on the risk to the bulk power system. However, most self-reported issues receive Self-Reporting credit, which reduces the penalty. Self-identification can be an indicator of a strong internal compliance program, which can also reduce a penalty. 

        • A:2/13/2013

          For submitting Self-Reports, the new Self-Report form requires root cause and mitigating and prevent recurrence actions.  To be as complete as possible for input as a potential FFT candidate, is 4-8 weeks for submittal of the Self-Report considered timely?

          Yes. Self-Reports received within 90 days of discovery are generally considered timely. For issues discovered by the registered entity and not reported to the Region within 90 days, please provide the reason why it took so long to report.

        • A:12/1/2015
          If SERC plans to include Spot Audits in their CMEP process, what does that look like?

          SERC will continue to use Spot Checks as a monitoring tool. Traditionally, SERC has used Spot Checks as a monitoring method initiated for various reasons, like in response to a system event or to confirm a Self-Certification. In 2015 the regions expanded the use of Spot Checks as a Compliance Monitoring tool for issues that could include a small number of requirements or sampling. Spot Checks are similar to off-site audits, but are smaller and more focused in scope.

        • A:March 1, 2016
          Could SERC provide information regarding expectations for spot-audits and Guided Self-Certifications?

          Spot audits or Spot Checks are small, focused audits. They may be done on-site or off-site. The NERC Rules of Procedure require a minimum of 20 days' notification of a Spot Check to the registered entity. The audit team gives an Opening and Exit presentation. RSAWs are used as in an audit. Depending on the standard and requirement, SERC may require sampling. At the end of the Spot Check, SERC will create and send a report.

          Guided Self-Certifications are like the traditional Self-Certifications and actually use the same electronic form on the SERC Compliance Portal. The word “Guided” was added to differentiate from the traditional Self-Certifications because Guided Self-Certifications will require supporting evidence to be attached to the electronic form. SERC will give a 30 to 60-day notification by letter to the registered entity that the forms will be posted on the SERC Compliance Portal. No RSAWs are required or expected to be used, as the Guided Self-Certification form itself is the audit work paper. SERC will not monitor standards and requirements that require a sampling methodology by the Guided Self-Certification method. SERC will monitor those standards and requirements by another method such as a Spot Check or Audit. If the supporting evidence attached to the Guided Self-Certification is not sufficient, SERC audit staff will make another evidence request or modify the monitoring method to a Spot Check. SERC will not send a report but will send a validation form confirming compliance with standards and requirements in scope as notification to the registered entity that the Guided Self-Certification review is complete.

      • A:3/18/2014

        Where is Enforcement moving?  How are risk and internal controls factoring into how Violations are being processed?  Where are we moving with this, and where does this stand?

        SERC Enforcement currently uses a risk-based approach to determine violation dispositions.  SERC’s future view includes goals to factor risk assessments into mitigating activities to a greater degree.   In one of those efforts, SERC Enforcement is currently pursuing “decline to pursue” (DTP) in several pilots as an alternative to FFT.  NERC, SERC, and the other Regions have reviewed the pilot results, refined the processes, and expanded the DTP pilots to include more Registered Entities.  NERC will make a filing with FERC later in the year (probably Q4 2014) requesting to make DTP a formal disposition method.  A comprehensive report on RAI Enforcement Activities can be found here:  http://www.nerc.com/pa/comp/Reliability%20Assurance%20Initiative/RAI%20Enforcement%20Activities%20Overview%20document%20(2-5-14).pdf

      • A:3/16/2015

        I am working with a Client that is within the SERC Region but is not a member of SERC. Are they under any obligation to follow the SERC Criteria?

        Registered entities within the SERC Region are required to comply with the NERC Reliability Standards and the SERC Regional Reliability Standard PRC-006-SERC-01.  SERC Criteria are intended to provide guidance on how a registered entity within the SERC Region can take steps to comply with specific NERC Reliability Standards. As such, there is no obligation to follow SERC Criteria. Registered entities may find the SERC Criteria useful in understanding various means for demonstrating compliance with specific NERC Reliability Standards.

      • A:9/20/2016
        1. Is SERC planning to retire or revise the Regional Criteria for System Modeling Data Requirements?
        2. While Sections E & F clearly apply to Generator Owners, Sections A, B, C & D are not clear as to who has responsibility for meeting the requirements.  Who is responsible for each section?

        The SERC Dynamics Review Subcommittee has recently reviewed the SERC System Modeling Data Requirements Regional Criteria and has recommended that the regional criteria be retired, since the new standards MOD-032-1, MOD-033-1, MOD-026-1, and MOD-027-1 cover the items in the criteria. SERC registered entities should ensure their processes are compliant with the new standards, since the regional criteria will be retired by spring 2017.  Registered entity staff who build annual power flow and dynamics models are responsible for Sections A-D of the regional criteria.
      • A:9/30/2014

        Can SERC expand on the statement that was made in an earlier session that the 2015/2016 CMEP will include any Reliability Standards that could be associated with cold weather (i.e., polar vortex)?  Specifically, what enforceable Reliability Standards is SERC referring to?  There is no specific "cold weather preparation" Reliability Standard.

        Certain Reliability Standards and Requirements were identified as having a risk that was triggered by the cold weather event.  These standards are identified in SERC Implementation Plan, and will be considered when performing a risk assessment of a Registered Entity and may become part of the audit scope.

      • A:10/7/2014

        Can SERC better coordinate the schedule for events like these seminars to avoid conflicts with 1) other SERC meetings, 2) NERC meetings, and 3) other industry events like GridEx/NATF/conferences?  We realize it is hard to decide who trumps who, but it is a hardship for limited Registered Entity personnel to attend all of the meetings in which we need to participate.

        The SERC outreach schedule is established in August to allow announcement of dates for the upcoming year at the fall seminars.  Established event dates listed on all calendars are avoided in the following order: SERC audit schedule, SERC meetings and events, NERC events, and industry events.  Avoiding conflicts benefits seminar planning also because a wider variety of subject matter experts are available to speak.  However, if other event dates change, it can adversely affect the best laid plans.  For example, at the time this seminar was scheduled in August 2013, there were no conflicts.

      • A:If you are using Internet Explorer and are unable to log into the SERC Public Website to register for a meeting, or you are unable to log into the Compliance Portal, try upgrading your browser or follow these steps:
        1. Open your browser
        2. Click “Tools” and “Internet Options”
        3. Click the “Advanced” tab
        4. Under “Security”, make sure “Use TLS 1.0”, “Use TLS 1.1”, and “Use TLS 1.2” are checked
        5. Click Apply and OK

        If this does not resolve your issue, please contact SERC Support at SERCWebsite@serc1.org.
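        An added example (my own, not code from the SERC page or SERC Support) that verifies the same checkboxes from PowerShell by decoding the WinINET registry value behind them; the Group Policy registry path and the function names are assumptions, and the bit values are the documented WinINET protocol flags.

```powershell
# Added example, not from the SERC page: decode the "SecureProtocols" DWORD that the
# Internet Options > Advanced > Security checkboxes write, so the TLS settings in the
# steps above can be verified (or collected across workstations) without the dialog.
# Bit values are the documented WinINET protocol flags.
$SecureProtocolBits = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000
}

# Per-user value written by the dialog, and the policy key that overrides it when the
# "Turn off encryption support" Group Policy is configured (policy path is assumed).
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function ConvertFrom-SecureProtocols {
    # Decode a SecureProtocols bitmask into the list of enabled protocol names.
    param([Parameter(Mandatory)][int]$Mask)
    $names = foreach ($name in $SecureProtocolBits.Keys) {
        if (($Mask -band $SecureProtocolBits[$name]) -ne 0) { $name }
    }
    return @($names)
}

function Get-SecureProtocolsMask {
    # Effective mask: the policy key wins, then the user key. Returns $null when neither
    # is set, in which case WinINET applies the OS default for that Windows version.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name 'SecureProtocols' -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.SecureProtocols }
    }
    return $null
}

function Test-SercBrowserTls {
    # Compare the enabled set with the versions the steps above ask for (TLS 1.0, 1.1, 1.2)
    # and flag SSL 2.0/3.0, which should stay unchecked. Pass -Mask to decode a value
    # captured elsewhere; omit it to read the local registry.
    param([Nullable[int]]$Mask)
    if ($null -eq $Mask) { $Mask = Get-SecureProtocolsMask }
    if ($null -eq $Mask) {
        return [pscustomobject]@{
            Mask = $null; Enabled = @(); MissingRequired = @(); ObsoleteEnabled = @()
            Note = 'SecureProtocols not set; OS default applies'
        }
    }
    $enabled  = ConvertFrom-SecureProtocols -Mask $Mask
    $required = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
    $obsolete = 'SSL 2.0', 'SSL 3.0'
    [pscustomobject]@{
        Mask            = ('0x{0:X4}' -f $Mask)
        Enabled         = $enabled
        MissingRequired = @($required | Where-Object { $_ -notin $enabled })
        ObsoleteEnabled = @($obsolete | Where-Object { $_ -in $enabled })
        Note            = ''
    }
}

# Worked value: the common Windows default 0x0A80 decodes to TLS 1.0, 1.1 and 1.2 only,
# so MissingRequired and ObsoleteEnabled are both empty. Run without -Mask on the
# affected workstation to check its real setting.
Test-SercBrowserTls -Mask 0x0A80
```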

      • A:10/16/2015
        Request: Please put SERC staff contact information on the new portal.

        The new website team made a conscious decision not to include specific staff members’ names and email addresses because functions and/or responsibilities change.  SERC staff who represent the various committees have their contact information listed on the applicable committee sites, and the Contact Us site lists the email address based on topics. To contact a specific SERC staff member, please call the SERC office (704-357-7372), and the receptionist will direct your call.
      • A:February 24, 2017

        In a SERC webinar presentation, it was mentioned that ‘WinSCP’ can be used to set up an SFTP client. I am a member of a Technical Committee, and would like to use WinSCP to submit documents instead of using an internet browser to get to the portal. How do I set up ‘WinSCP’?

        The Host name to access the Committee site using WinSCP is “portal.serc1.org”.  See section 3.2, “Logging in to WinSCP”, of the SFTP User Guide for additional information.

        • A:06/15/2015

          What roles (permissions) are available in the RA Portal?

          RAV - Reliability Viewer
          A contact with RAV permissions can view, but not edit or submit, all data forms. RAV is the default setting for all users.

          RAC - Reliability Contributor
          A contact with RAC permissions can view, edit, and submit all data forms.

          MAA - Master Account Administrator
          A contact with the MAA role can view, edit, and submit all data forms. In addition, the MAA user can edit roles (permissions) for all users with access to the company for which the contact has the MAA role.

        • A:06/15/2015

          Why is a data form read-only?

          The icon in the Action column indicates the form's status, Read-Write or Read-Only. The status varies depending on whether the form has been submitted and the current user’s access level. If the form is Read-Only but it has not been submitted, ask your Master Account Administrator (MAA) to update your permissions from RAV (Viewer) to RAC (Contributor).

        • A:February 9, 2017
          We recently had several of our facility NERC registrations updated, deactivating the GOP registration and moving that function under the GO registration. Should we be able to access the GOP required activities from the single registration link in the Reliability Data Reporting Portal?

          If your portal ID has access to the correct companies, you can access all GOP activities in the Reliability Data Reporting Portal.

          Please contact the Reliability Assessments Staff (rastaff@serc1.org) with a list of plant names and the old GOP entity and the new GOP entity, as well as a list of contacts that should have access to these entities in the Reliability Data Reporting Portal.

      • A:3/18/2014

        What is SERC staff’s plan with all the GADS data that is mandatorily required now?

        GADS data is a Reliability Assessments activity that SERC performs with NERC.  SERC works with Registered Entities to compile this data into the NERC database.  The data is also used for various assessment efforts, such as the NERC Probabilistic Assessment, to assess reliability of the system.

      • A:3/18/2014

        In regards to the data collection task portal (GADS database) and the SERC portal for audit participation, if a person can log into audit team information in the SERC portal, that person has access to all of the audit folders. What are the practices regarding information security? There are concerns that unintended parties may be privy to plant outage data, which could have the potential to affect commercial commerce.

        All users of the Portal can view general non-confidential Committee information (committee name, abbreviation, roster, etc.).  Only users added to the committee roster (permissions list) have access to documents and other confidential information.

      • A:September 9, 2016

        Company A currently owns and operates Plant I SPS. If we determine the need to retire the SPS, what steps and evidence must be taken/submitted to have the SPS removed from the SERC Portal? I understand from the SERC Regional Guidance document that the Dynamics Review Subcommittee must be notified when the SPS is removed from the database, but I’m not clear on the actual process.

        When an SPS owner retires an SPS, it needs to send an email to the SERC staff assigned to the SERC Dynamics Review Subcommittee (DRS) or to SERC Support.  The information will be sent to the DRS for review. The SPS Owner will then be directed to delete the retired SPS from the SERC Reliability portal.  Note that as PRC-012-2 becomes effective per its implementation plan, SPSs will be evaluated by Planning Coordinators, and those that meet the definition of a Remedial Action Scheme (RAS) will be identified as such. Planning Coordinators, Reliability Coordinators and RAS entities will be responsible for the requirements for RASs in the standard. This process will retire the SERC SPS Regional Criteria and any associated activities of SPS owners in SERC and the SERC DRS prescribed in the Regional Criteria.

      • A:March 1, 2016
        For a DP with more than 75 MW and a UFLS program, could the DP be considered UFLS-only for registration?

        No. These entities would be registered for all Standard Requirements applicable to the DP function.

        • A:12/6/2016
          During the SERC Fall Compliance Seminar a presenter stated that SERC will use the inverter nameplate ratings to determine whether a generation project should be classified as a BES facility. We seek clarification on this statement based on the following understanding:

          NERC’s Bulk Electric System Definition Reference Document, Version 2 April 2014, Radial System Exclusion E1 third sub-bullet allows for a radial system to be excluded from the BES “where the radial system serves Load and includes generation resources, not identified in Inclusions I2, I3 or I4, with an aggregate capacity of non-retail generation less than or equal to 75 MVA (gross nameplate rating).”

          The statement made during the Seminar was that SERC would use the inverter nameplate ratings. Please clarify that a contractual limit of output stated in the Interconnection Agreement or other legal document can be used to determine the gross nameplate rating.  Due to standard inverter sizes produced by the various manufacturers, a developer could likely install inverters with a gross nameplate rating larger than 75 MVA (i.e., 38 × 2 MVA inverters) but contractually limit the output to 74.9 MVA through programming of the inverter.

          At this time there are no provisions in NERC ROP Section 500, Organization Registration and Certification or in NERC ROP Appendix 5B, Statement of Registration Registry Criteria, that allow for the use of contractual or control based limitations on equipment ratings for BES considerations. In this instance we would look at the photovoltaic cells and inverters as a generator unit as illustrated in Figures I4-3 and I4-4 on pages 22 – 23 of the Bulk Electric System Definition Reference Document, Version 2. The inverter is the only equipment that has an MVA rating that could be used for a determination relating to BES Exclusion I1.
        • A:3/18/2014
          Does SERC staff have an opinion about the impact on BES reliability due to loss of baseload generation (i.e., coal units due to environmental regulation compliance and nuclear units due to market pricing)?

          To the extent that entities provide forecasts concerning early retirements, impact of regulations, fuel shifts, and other market pressures, that information is used by the Reliability Review Subcommittee (RSS) and SERC staff.  RSS and SERC staff consider trends in short-term and long-term planning, operations, and external influences as they affect reliability, both overall and sub-region specific.  Those conclusions are published annually and discussed at standing committee meetings.
        • A:2/13/2013
          BES E3 LN criterion includes "only incoming flow".  Do we also need to consider potential out-going flows on lower voltage network connections?

          FERC has directed NERC to remove the 100 kV minimum operating voltage in the local network definition and, as of now, there is no lower voltage limit on the local network for consideration. E3 will still be in effect, which requires that for a portion of a system to qualify as a local network it must be shown that power flows into the local network and does not transfer energy originating outside the local network for delivery through the local network. If it can be shown that power coming into a portion of the system being evaluated as a Local Network does not flow through a section of the system that operates below 100 kV and then back out to the BES system, this system would qualify as a local network. Please note that there are generation considerations.
        • A:2/13/2013
          Might FERC object if many entities are able to de-register due to the new BES Definition?

          FERC will not object as long as there are no gaps in the Compliance Monitoring and Enforcement process. In other words, as long as there are no gaps in modeling, load reporting, emergency procedures, and/or coordination of protective equipment, there will not be a problem.
        • A:2/13/2013
          If it doesn't meet an inclusion (or the 100 kV initial threshold), does a facility have to be evaluated for exclusion, or is that assumed?

          A Registered Entity does not have to apply for an exception, but it does need to review the system with respect to the new BES Definition. The purpose of the exclusion exception is to afford a Registered Entity the opportunity to exclude an element which is included by application of the BES Definition but that can be shown to be non-material to the BES.  A component of the new BES Definition implementation plan is the self-application of the BES Definition on an entity’s current facilities.  If a previously identified BES element is no longer a BES element under the new definition or vice versa, the Registered Entity should notify its Regional Entity of the change in accordance with the NERC Rules of Procedure, Section 501, which requires a Registered Entity to notify its Regional Entity of any matters that affect the Registered Entity’s responsibilities with respect to Reliability Standards.
        • A:12/1/2015
          For a JRO who is registered as a DP for several entities that would otherwise be registered as DP, is the system load defined as the total aggregated load of the JRO or as the system load of each of the DPs that make up the JRO?

          For a JRO, you would use the total aggregated load of the DPs that were part of the JRO agreement. This is a timely question because, with the change in the Registration Criteria demand threshold from 25 MW to 75 MW, some individual DP JRO members may no longer qualify individually for registration as a DP and could be removed from the agreements. There are other criteria that would need to be considered besides the annual peak demand; so a careful review of NERC ROP Appendix 5B would be needed before a registered entity was removed from any agreements to assure that no compliance gaps existed.

        • A:2/25/2015

          Have they come up with justification for 75 MW?

          The 75 MW threshold was changed to align with the BES Definition. Further information on the BES Definition can be found here on the NERC Website.

        • A:2/25/2015

          How is SERC going to close-out standards for those registered functions being deactivated? How will the entities be treated who are LSEs, PSEs, etc.?

          Barring any changes from FERC once it issues its decision, the Regions will first compile a list of the PSE, LSE, and IA registered entities impacted by ROP changes. The Regions will then check this list for any outstanding enforcement actions. Any pending enforcement actions must be resolved before any registered entity will be deactivated and removed from the NERC Compliance Registry. The list of PSE, LSE, and IA registered entities with no outstanding enforcement actions will be sent to NERC; and NERC will remove them from the NERC Compliance Registry and send out notifications according to the existing process.

          DPs that are impacted by the final ROP changes will need to make a request through the Regions’ normal Registration change process. These requests will be processed according to the existing procedures. In some instances, a registered entity's DP Registration will be deactivated. In others, the DP’s Registration applicable Standard Requirements will be reduced in scope to a sub-list, if it qualifies for the UF-Only DP classification. The UF-only DP classified registered entities will still be shown as DP on the NERC Compliance Registry, but the reduced scope of applicable NERC Standards will be noted in the CMEP for record.

          Again, all of this is pending a final FERC decision.

        • A:Updated 2/17/2016
          What is the process for de-registering out of SERC?

          The registered entity should request a copy of its current registration information from SERC and modify that registration by showing deactivation and providing the reasons for the deactivation. The registered entity must return the modified registration information to SERC for evaluation. This is shown in more detail on the SERC website.

        • A:9/30/2014

          Why does it seem to be taking so long to respond to a Registered Entity’s request on updating their Registration or on a new Registration?

          Only a few Registered Entities remain in SERC’s Registration queue.  The delay in activity, especially deactivation, is largely attributed to any relevant open enforcement action issues. Resolution of issues is required before deactivation can take place.

        • A:2/24/2015

          How is SERC determining a registered entity’s risk? Is it based on the registered entity or the equipment (assets) owned by a registered entity?

          SERC utilizes the information that is currently on file, plus any information that is requested in the IRA questionnaire.  The risk is entity specific, and considers the following:

          • The registered entity’s unique characteristics (i.e., business organization, reporting structure, entity operating conditions);
          • Registered functions;
          • Previous audit history;
          • Compliance history;
          • Events Analysis;
          • NERC Alerts; and,
          • Mitigation activities to address Open Enforcement Actions or previous audit findings.
        • A:2/24/2015

          What is the expected learning curve for the new integrated risk management process and stabilizing the initiative?

          This year (2015) is an implementation year for IRAs and Internal Controls Evaluations. SERC expects both the registered entity, as well as SERC, to continue to mature their programs as all parties work through the implementation of these processes. The processes are very fluid, and SERC is learning through collaboration with NERC and other Regional Entities, as well as working with registered entities.

        • A:3/18/2014

          SERC staff seems to want to see both internal and external assessments.  There seems to be a disconnect between what the SERC personnel are saying it will be used for and how it is actually being used.

          SERC is willing to utilize the work of independent evaluators to reduce the audit burden on a Registered Entity.  Independence, as defined in Generally Accepted Government Auditing Standards (GAGAS) (The Yellow Book), can be achieved by either an internal or external independent audit group. SERC evaluates independence and determines how much work of the independent assessment to utilize on a case-by-case basis.

        • A:10/16/2015
          Please provide an update on the ICE and risk assessments process. How are issues resolved between SERC and the registered entity?

          SERC is still performing ICE and IRAs.  Currently there are a couple of different scenarios.  1) Audit driven – I explained that situation with question 2.  2) Non-audit driven – SERC identified the medium and large size entities in the SERC region that may pose the highest risk.  In 2015, SERC has initiated IRAs on those entities.  SERC is developing the Compliance Oversight Plan based on that assessment, and the entity will receive the IRA summarization when complete.  For 2016, SERC will focus on the rest of the RC’s, BA’s, and TOP’s.  Issues between SERC and the registered entity can be worked out directly with SERC (Manager of Entity Assessment and Mitigation, your SPOC).  When SERC provides the IRA summarization to the entity, if there is a problem with the data please let us know.  SERC utilizes several different data points to pull information (Reliability Databases, previous audit reports, mitigation plans, Compliance Culture questionnaires, etc.).  SERC will work with any entity if they think that we assessed the risk with incorrect or insufficient data.
        • A:10/31/2014

          Will the audit approach change for Registered Entities that elect not to participate in the ICE? If so, how?

          Internal control evaluations can only reduce the scope of an audit.

        • A:10/31/2014

          What steps are being taken to promote consistency in the ICE process between SERC and the other Regions?

          The ERO has created an ERO ICE Guidance document.  Also, the ERO is creating, with input from all the Regions, a training slide deck which all Regional personnel who are responsible for conducting ICEs must attend.  In addition to the ERO industry sessions, the ERO is conducting numerous training sessions for Regional staff in the next few months.

        • A:10/31/2014

          Is there an expectation that a Registered Entity have formal controls testing in place prior to the ICE?

          ICE is a voluntary process for the Registered Entity.  Registered Entities are not required to have formal controls testing in place.

        • A:10/31/2014

          If a Registered Entity implements testing of existing controls prior to the ICE and tests retroactively to the beginning of the audit period, will it get credit for this even though the testing program itself may be new?

          SERC will evaluate the internal controls submitted and how effective they are in mitigating the identified risk.

        • A:10/31/2014

          What tools, if any, does SERC plan to use in conducting the ICE?

          SERC is evaluating tools and processes to conduct internal control evaluations.

        • A:10/31/2014

          How does the ICE integrate into the overall audit timeline considering the IRA needs to be completed first?

          SERC will first conduct the IRA, provide a summarization to the Registered Entity, then ask for internal controls to mitigate the risks identified prior to determining the monitoring method and/or audit scope.

        • A:10/31/2014

          How will SERC identify key controls versus non-key controls, and will the focus be only on the key controls?

          SERC will review the submitted controls and evaluate which internal controls provide reasonable assurance that the Registered Entity is complying with the applicable NERC Reliability Standards. 

        • A:10/31/2014

          Can a Registered Entity decide to share only a portion of its internal controls with SERC during the ICE?

          Registered Entities may share some, all, or none of their internal controls.

        • A:10/31/2014

          How has SERC described the voluntary nature of RAI?

          Per the ERO ICE Guidance document, the submission of internal controls by the Registered Entity is voluntary.

        • A:2/24/2015

          What impact will the inherent risk assessment have on an entity’s audit cycles and future audits? Could this result in some entities having audit cycles that extend greater than six years?

          Each registered entity’s inherent risk assessment will help define their compliance oversight plan.  As the ERO moves to a risk-based compliance oversight program, registered entities may have a different compliance oversight plan based on their individual IRA. The ERO Actively Monitored List (AML) of standards and requirements no longer exists; so registered entities are assessed (and your engagement is scoped) against the risks identified in the NERC and SERC CMEP Implementation Plan. It is possible, based on the risk assessment, that those registered entities, which present a lower risk, could have a monitoring cycle greater than six years.

        • A:2/24/2015

          Can the inherent risk assessment change the bright-line criteria for an entity (on a case-by-case basis) for CIP-002?

          No. Registered entities are encouraged to perform internal risk assessments and determine the potential risk to the bulk power system. However, those internal assessments and/or SERC’s IRA cannot be utilized to “reclassify” a device to a lower impact rating.  The bright-line criteria are used to identify the impact rating criteria for BES assets, and the inherent risk assessment is utilized to develop a compliance monitoring plan around those identified assets.

        • A:12/1/2015
          When does SERC plan to respond to IRA questionnaires submitted by entities this year? Can the outcome of the IRA limit the scope of the audit, and has SERC limited the audit scope for an entity since the implementation of IRA?

          SERC is conducting IRAs for what SERC identified as the medium and large size registered entities in the SERC Region during 2015. The IRA questionnaires were sent, and staff is completing the IRAs for those entities. SERC utilizes the information from the IRA questionnaire with the data that SERC has on-hand to complete the entity inherent risk assessment. The priority is on the registered entities that are scheduled for compliance monitoring engagement (audit), but the IRA results will be shared with each entity as they are completed. The results of the IRA are utilized to determine the compliance monitoring tool (on-site audit, off-site audit, Spot Check, guided Self-Certification, self-monitor). Each entity is unique; so the audit scope for each entity has been different. There is no such thing as an active monitored list, as the IRA results drive the list of Standards/Requirements to be monitored for each entity.

        • A:10/31/2014

          Is there an appeals process or other method for the Registered Entity to provide additional information that might change the results?

          There isn’t an official appeal process.  However, SERC will consider any additional information that the Registered Entity would like to share.

        • A:10/31/2014

          What steps are being taken to promote consistency in the IRA process between SERC and the other Regions?

          The ERO has created an IRA Guidance document.  Also, the ERO is creating, with input from all the Regions, a training slide deck which all Regional personnel who are responsible for conducting IRAs must attend. In addition to the ERO industry sessions, the ERO is conducting numerous training sessions for Regional staff in the next few months.

        • A:10/31/2014

          What inputs will SERC use in determining a Registered Entity’s inherent risk?

          SERC utilizes data previously submitted by the Registered Entity, as well as information from the pre-audit survey.  That information includes:  the Registered Entity’s unique characteristics (i.e., business organization, reporting structure, Registered Entity operating conditions); Risks identified by SERC’s Reliability Risk Team; previous audit history; compliance history; events analysis; NERC Alerts; and, mitigation activities to address open enforcement actions or previous audit findings. See ERO IRA Guidance.

        • A:10/31/2014

          How will SERC implement control evaluation – tools used, timing? 

          The internal control evaluation process is still being developed, and tools are being evaluated. SERC’s goal is to perform the IRA and ICE prior to formalizing a compliance monitoring method for a Registered Entity.

        • A:10/31/2014

          Will SERC share the results of the IRA with the Registered Entity? If so, how?

          Yes.  SERC will provide a documented summarization of the IRA.

        • A:10/31/2014

          Who initiates the IRA? 

          The Regions initiate the IRA.  It may be based on emerging risks (ERO, Regional, or Registered Entity), compliance history, etc.

        • A:10/31/2014

          Availability and application of self-logging (aggregation)?

          SERC is evaluating each Registered Entity within the SERC Region for consideration into the self-logging program.

        • A:10/5/2014

          Description of the Violation, Issue, or Trend
          A key benefit of SERC’s RAI pilot program has been that it permits reductions in audit scope and scale, allowing SERC auditors to focus on the higher-risk Standards and requirements, and to avoid expending resources in the pursuit of issues that do not pose a true threat to the Bulk Electric System (BES).  However, there have been some misunderstandings as to the practical workings of the RAI principles.  One common misconception has been that if SERC removes a requirement from the scope of an audit, the Registered Entity is no longer required to maintain compliance with that requirement.  That is not the case.  While the audit team’s focus will be on those requirements that have been deemed higher risk, the removal of Standards or requirements from an audit does not remove the Registered Entity’s obligation to be compliant with those standards or requirements.

          Risk Considerations
          The primary risk to the Registered Entity is that it will cease to maintain compliance with the applicable Standards and requirements, resulting in future Possible Violations. This could also result in increased risk to the BES, if necessary (but currently low risk) reliability measures were allowed to lapse.

          Description of Mitigation Activity
          Registered Entities should work internally to foster realistic expectations in advance of an audit.  Management and SMEs must understand that the Registered Entity remains responsible for compliance with those standards and requirements that are removed from the scope of an audit.  Each Standard and Requirement that was enforceable remains enforceable regardless of changes to the audit scope or scale.

        • A:10/31/2014

          Is the availability of self-logging of deficiencies by a Registered Entity contingent on its participation in RAI?

          SERC will conduct an IRA prior to considering a Registered Entity for self-logging, and a review of internal controls is a component that can assist SERC in determining if a Registered Entity qualifies.

        • A:10/31/2014

          Will SERC offer self-logging to all Registered Entities, or will the Registered Entity need to request this?

          SERC is evaluating each Registered Entity within the Region.  If you have questions, please contact your single point of contact.

        • A:10/31/2014

          If self-logging is not available to all Registered Entities, what criteria will SERC use to decide which Registered Entities can/can’t participate in self-logging?

          SERC will utilize the factors established in the ERO Self-Logging of Minimal Issues Guidance Document posted on the NERC website.

        • A:10/31/2014

          Will self-logging be available for all Reliability Standards and Requirements or just specific ones? If the latter, then by what criteria will SERC decide?

          If a Registered Entity is accepted into the self-logging program, it may be for all or just some of the Reliability Standards/Requirements.  The relevant factors evaluated for acceptance into the program will be utilized to determine which Reliability Standards/Requirements the Registered Entity may self-log.

        • A:10/31/2014

          How often will the Registered Entity need to file deficiency (or aggregation) logs with SERC? How often will SERC review the logs?

          Registered Entities should submit the logs to SERC every three months, and SERC will review the logs within 60 days per the triage process at the beginning of the program.

        • A:10/31/2014

          Will the Registered Entity be expected to discuss each issue individually with SERC prior to entering the issue on the aggregation log?

          It is not required to discuss the issue with SERC prior to entering the issue into the spreadsheet unless the Registered Entity is unsure of the risk and has questions. 

        • A:3/18/2014

          With this being a transitional year for Reliability Assurance Initiative (RAI), are there things that are occurring in the audits?  Are audits being completed in a week? How is the implementation of RAI going thus far in 2014?

          RAI implementation includes risk assessment and audit changes that are occurring in preparation for and in carrying out compliance monitoring obligations.  The on-site portion of an audit generally occurs within a week's time.  To allow for this abbreviated time on-site and to minimize the operational impact of time on-site, SERC devotes more time to reviewing documentation in advance of the audit.  As SERC staff pilots the many aspects of a new audit process, SERC incorporates feedback from all participants to improve the RAI implementation.  The Registered Entities have greatly assisted SERC in ensuring successful RAI implementation in 2014.

        • A:10/31/2014

          Is participation encouraged or mandated?

          SERC will conduct an IRA of a Registered Entity based on the information SERC currently collects.  However, the internal control input is voluntary.  SERC encourages Registered Entities to share controls.

        • A:10/5/2014

          Description of the Violation, Issue, or Trend
          Another key benefit of SERC’s RAI pilot program has been that it focuses primarily on risks that are ongoing, thus reducing the time spent by Registered Entities and by SERC in handling mitigated Violations.  However, a misconception has arisen that SERC auditors will no longer review mitigated Violations.  This is not the case. SERC will continue to review mitigated Violations, as warranted.  Registered Entities should continue to mitigate Possible Violations as soon as possible and not delay necessary improvements to the reliability of the BES.

          Risk Considerations
          Failing to realize that SERC auditors will continue to review previously mitigated Violations may result in a Registered Entity not self-reporting when it should have.  Another risk is that SMEs may not be adequately prepared with the appropriate supporting evidence.

          Description of Mitigation Activity
          Registered Entities should work internally to foster realistic expectations in regard to mitigated Violations.  Management and SMEs must understand that while SERC is most concerned with Violations that are ongoing, previously mitigated violations will also be reviewed, as warranted, during an audit or other compliance monitoring activities.

        • A:10/7/2014

          Clarify the expected qualifications of the utility staff involved in performing internal reviews in preparation for taking advantage of RAI during an audit.  If the work papers met the standards of the NERC Auditor Manual -- up to the same standards that SERC's own auditors would use -- does the utility have to have personnel with auditor certifications?

          The qualifications spelled out in the Compliance Auditor Capabilities and Competency Guide, which is a portion of the Compliance Auditor Manual, are intended primarily for the use of the Regions in developing training programs for their own auditors.  The internal or third-party auditors utilized by Registered Entities are not required to adhere to this guide.  While an internal review team that can demonstrate compliance with this guide will likely be viewed as being more credible than a team that does not demonstrate such qualifications, SERC’s review of Internal Audit Reports (IAR) will focus primarily on the quality of the work papers and the independence of the internal auditors.  Auditors are considered independent when their opinions, findings, conclusions, judgments, and recommendations are impartial and viewed as impartial by reasonable and informed third parties.  A good question to ask to determine whether an internal auditor would be considered independent is:  Has the auditor (or anyone to whom the auditor answers) had any involvement in the development, operation, or management of the compliance measures being audited?

          As long as the internal audit team can demonstrate independence, and their work papers demonstrate good audit practices (including appropriate sampling and performance evidence), the Registered Entity does not have to have personnel with auditor certifications.

        • A:10/7/2014

          Are there any differences between SERC's RAI model and those of NERC and the other Regions?

          SERC’s goal is to build a robust RAI model that is consistent with the ERO IRA and ICE Guidance documentation posted on the NERC website.  (Initiatives, Reliability Assurance Initiative (RAI)).   NERC has directed each Region to develop its respective RAI model based on the ERO guidance.  However, each Region’s risk is unique; so the results from implementing each Region’s RAI model may differ.

        • A:10/7/2014

          For how long will RAI maintain its "voluntary status"?

          To clarify, Registered Entities undergoing an audit may either provide information on their internal controls (for an Internal Controls Evaluation, or ICE) which may result in a reduced audit, or they may opt to skip the ICE and undergo a “normal” audit.  The normal audit currently consists of the Standards and Requirements listed in that year’s Actively Monitored List (AML).  However, a Risk Assessment of the individual Registered Entity will soon replace the AML in determining the scope and scale of an audit.  Under this scenario, ICE will remain an optional component of the Risk Assessment, and Registered Entities will not be required to submit internal controls information.

        • A:11/14/2013

          If an entity chose not to undertake its own risk-assessment, prepare IARs, or perform other non-mandated elements of the new RAI (all of which are expensive or resource intensive efforts), how will that be factored by SERC during an audit?  Would it be viewed negatively in its culture of compliance or result in a more critical or extensive audit than is currently being performed?

          As NERC phases out the AML, the Regional Entities will utilize information available about Registered Entities to assess risk and develop an appropriate audit scope based upon that risk.  The more information that SERC staff has, the more effectively SERC staff can rely on the Registered Entity’s internal control and management practices to scope and to scale focused audit objectives.  In the absence of a reasonable assurance of reliability, the Regional Entity may have to audit more Standards and Requirements for those Registered Entities on which the Regional Entity does not have information available.  This is not to penalize the Registered Entity but to properly assess its level of compliance and resulting reliability risk. This would not be viewed negatively in a Registered Entity’s culture of compliance assessment.

      • A:2/13/2013

        My question for the forum is one we've been struggling with lately while updating our ICP. We are using the following definition that includes a three-month grace period: "Within a rolling 12-month period, but with no longer than 15 months between instances (i.e., with a three-month grace period to account for unforeseen circumstances)."  If an entity defines Annual as 'Within a rolling 12-month period…’ what is a suitable grace period for unforeseen circumstances?  It seems straightforward, but we’ve received several interpretations.

        The definition described is a NERC definition of annual, and it is the most common. A three-month grace period is suitable; so this definition is reasonable to use. If it is not already defined by the Standard, it is important that the definition of annual is documented. This helps ensure that the task is performed on a regular basis.

      • A:11/18/2014

        Description of the Violation, Issue, or Trend
        NERC CAN-0010 can impact annual requirements with a grace period.  For example, a Registered Entity has a procedure that needs to be reviewed annually with a three-month grace period.  If the review from one year occurred in December and the review the following year utilized the three-month grace period and the procedure was reviewed again in February, based on CAN-0010, this would be a violation because it was not reviewed “at least once every Calendar Year” even though it was reviewed within the Registered Entity’s defined grace period.

        NERC’s Compliance Application Notice-0010 Implementation of “Annual” in Reliability Standards Requirements provides guidance to the Compliance Enforcement Authority (CEA) stating that the CEA is “instructed to not find noncompliance or a possible violation if a registered entity is following its own documented implementation of annual and its own documented implementation plan for annual requirements.”  However, this instruction is limited to apply only where, “the registered entity’s definition of annual causes the activity or event to occur at least once every Calendar Year.”  Calendar Year is defined as “beginning on January 1 and ending on December 31.”

        CEAs are to verify whether Registered Entities have documented another implementation of annual requirements along with procedures that define that implementation. However, CEAs are to verify that any alternative documented method demonstrates that the required activity was conducted at least once every Calendar Year.

        Regardless of the Registered Entity’s documented implementation of annual, that implementation will not supersede any Requirement stated in the Reliability Standard.

        Risk Considerations
        Risk is dependent upon the specific Reliability Standard and Requirement and situation.

        Description of Mitigation Activity
        Establish process to ensure that Reliability Standards and Requirements that require action annually are conducted at least once per calendar year regardless of the defined grace period.

      • A:10/5/2014

        Description of the Violation, Issue, or Trend
        Several Registered Entities have recently Self-Reported violations for failing to follow through with annual requirements.  In one instance, a Registered Entity changed its software vendor but forgot to enter the annual requirement 'reminder' in the new software system.  In another instance, a Registered Entity decided to re-align a review with the Self-Certification period without regard to the annual requirement.  In addition, one Registered Entity misapplied its grace period.  The employees performing the work interpreted the three-month grace period to mean three calendar months instead of the intended three months (90 days).

        Risk Considerations
        Risk is dependent upon the specific Standard and Requirement and situation.

        Description of Mitigation Activity

        1. Automated reminder for applicable work groups to submit the list to SERC
        2. Scheduled annual review of all Requirements with a specific time requirement
        3. Trained on existing procedures
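        The two tests described in the entries above (an entity's own rolling 12-month definition of annual with a grace period, and the CAN-0010 condition that the activity still occurs at least once every Calendar Year) worked through as an added example in Python. This is not SERC's or NERC's code; the review dates are constructed and the function names are hypothetical. It also contrasts the intended 90-day grace period with the three-calendar-month misreading described in the last entry, since the two deadlines differ by a day or two depending on which months fall in the window.

```python
from datetime import date, timedelta
import calendar


def add_months(d, n):
    """Calendar-month arithmetic, clamped to month end (31 Jan + 1 month = 28/29 Feb)."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def deadline(prev, grace_days=90, grace_months=None):
    """Latest date the next instance may occur under the entity's own definition of annual:
    a rolling 12 months from the previous instance plus a grace period.  The grace is either
    a fixed number of days (the intended 90 days) or, when grace_months is given, a number
    of calendar months (the misreading the page describes)."""
    anniversary = add_months(prev, 12)
    if grace_months is not None:
        return add_months(anniversary, grace_months)
    return anniversary + timedelta(days=grace_days)


def check_annual(instances, through_year, grace_days=90, grace_months=None):
    """Return a list of findings; an empty list means both tests pass.
    Test 1: consecutive instances respect the entity's rolling-12-month-plus-grace deadline.
    Test 2 (CAN-0010): at least one instance in every Calendar Year from the first instance
    through `through_year`, the year under review."""
    dates = sorted(instances)
    if not dates:
        return ["no instances recorded"]
    findings = []
    for prev, nxt in zip(dates, dates[1:]):
        limit = deadline(prev, grace_days, grace_months)
        if nxt > limit:
            findings.append(f"entity definition: {nxt} is after the {limit} deadline set by {prev}")
    covered = {d.year for d in dates}
    for year in range(dates[0].year, through_year + 1):
        if year not in covered:
            findings.append(f"CAN-0010: no instance in Calendar Year {year}")
    return findings


if __name__ == "__main__":
    # Constructed review dates reproducing the page's scenario: a December review, then the next
    # one in February of the year after next.  That is 14 months, inside the 15-month limit, yet
    # the calendar year in between has no review at all.
    reviews = [date(2013, 12, 15), date(2015, 2, 10)]
    for finding in check_annual(reviews, through_year=2015):
        print(finding)
```

        Run on the constructed dates it prints the single CAN-0010 finding for 2014; the entity's own test passes, which is exactly why a tracking tool keyed only to the rolling definition misses the Calendar Year gap. A scheduler that wants to satisfy both should take the earlier of the two deadlines: the entity's limit from `deadline()` and December 31 of the year following the last instance.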
        • A:2/18/2016
          BAL-001-2, which becomes enforceable July 1, 2016, states in the measures that the entity can provide calculation outputs to show compliance. However, the data retention states that the “data required for the calculation of Regulating Reserve Sharing Group Reporting ACE, or Reporting ACE, CPS1, and BAAL shall be retained in digital format at the same scan rate at which the Reporting ACE is calculated for the current year, plus three previous calendar years.” It appears that the data retention is imposing a requirement on the entity that is not stated in the requirements or measures. Will SERC expect the entity to retain the input data for the calculation as stated in the data retention, or will SERC be looking for the calculation outputs as stated in the measures?

          The SERC audit team will audit based on the NERC Compliance Monitoring Process outlined in the BAL-001-2 Standard. Data required for the calculation of Regulation Reserve Sharing Group Reporting ACE, or Reporting ACE, CPS1, and BAAL shall be retained for a period of three years. The data will also need to be stored in digital format at the same rate Reporting ACE is calculated for a three year period.

        • A:3/18/2014

          Is the CIP-001 annual sabotage training eliminated under EOP-004 for non-qualifying Distribution Providers (as defined in Attachment 1)?

          CIP-001-1 did not require annual training, and it is retired.  EOP-004-2 does not require training.  However, training on EOP-004-2 may be required as part of the training program implemented by a Registered Entity as a result of its systematic approach to training, pursuant to PER-005-1.

        • A:March 1, 2016
          CIP-002-3:  R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:

          ii. Transmission stations and substations; 

          Guidelines and Technical Basis

          • The SDT uses the phrases “Transmission Facilities at a single station or substation” and “Transmission stations or substations” to recognize the existence of both stations and substations. Many entities in industry consider a substation to be a location with physical borders (i.e. fence, wall, etc.) that contains at least an autotransformer. Locations also exist that do not contain autotransformers, and many entities in industry refer to those locations as stations (or switchyards). Therefore, the SDT chose to use both “station” and “substation” to refer to the locations where groups of Transmission Facilities exist.

          The switching stations at either end of the lone (load?) clearly must be considered, but what about Station A? Station B? What about switch “C”?

          Assuming that the horizontal line is a Low Impact BES Element and the four “M” breakers on the horizontal line are BES Elements, Station A will be Low Impact, but the vertical breaker leading down and the items below it are a radial distribution element and, thus, out of scope for CIP.

          Station B is radial distribution only; so it is out of scope for CIP

          Depending on the configuration details of “C”, it may be a BES Element.  SERC requires additional information to determine the correct assessment.

          If there is no remote access to “C”, it is not a SCADA point in the EMS, there is no telemetry used by a control center, and it does not qualify as a cyber asset, it is out of scope for CIP.

          If it can be remotely operated from the control center, it will qualify as a BES Element, and the configuration details will determine if it includes a BES Cyber Asset subject to CIP requirements.

        • A:6/30/2014

          Description of the Violation, Issue, or Trend
          Registered Entities are failing to identify and document the Critical Cyber Assets (CCAs) that are essential to the operation of established Critical Asset(s). Registered Entities are deploying Storage Area Network (SAN) storage to support virtualized operator workstations in an effort to reduce operational costs.  However, Registered Entities are failing to evaluate, identify, and document the SAN devices as CCAs.

          Risk Considerations
          In general, this violation poses a serious risk to the reliability of the bulk power system. Failing to identify, document, and protect the SAN storage infrastructure could lead to unauthorized access, data loss, and loss of Energy Management System operator workstation availability.  Losing operator workstations would severely limit a Registered Entity’s capability to respond, control, and mitigate bulk power system contingency conditions.

          Description of Mitigation Activity
          Mitigating actions have included:

          1. Performing an out-of-band risk-based assessment based on the Registered Entity’s documented criteria to gather the list of Critical Assets and then re-evaluating all associated Cyber Assets, to include fiber channel connected devices or other storage devices that housed CCAs;

          2. Updating the CCA list, network documentation, and other NERC-CIP documentation, as appropriate; and

          3. Training subject matter experts (SME) on the identification of CCAs and the risks associated with failing to protect them pursuant to the NERC-CIP Standards.

          Other Factors or Comments
          The Registered Entity properly classified the virtual operator workstation as a CCA, but failed to include the underlying storage hardware.
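          A completeness check for the failure mode in this entry, as an added example in Python that is not SERC's or any Registered Entity's code: starting from the Cyber Assets already on the CCA list, walk the "cannot operate without" relationships and report anything reachable that is not itself on the list. The inventory, asset names and dependency edges are constructed; in practice the VM-to-host and VM-to-datastore mappings would be exported from the hypervisor manager, and the volume-to-array and array-to-fabric relationships from the storage and Fibre Channel switch configuration.

```python
from collections import deque

# Constructed inventory with hypothetical names.  'depends_on' lists the Cyber Assets an asset
# cannot operate without: for a virtual workstation, the hypervisor host it runs on and the SAN
# volume holding its disk; for the volume, the array; for host and array, the fabric switch.
INVENTORY = {
    "ems-ops-ws01": {"kind": "virtual operator workstation", "depends_on": ["esx-host01", "san-vol-ems"]},
    "ems-ops-ws02": {"kind": "virtual operator workstation", "depends_on": ["esx-host01", "san-vol-ems"]},
    "esx-host01":   {"kind": "hypervisor host",              "depends_on": ["fc-switch01"]},
    "san-vol-ems":  {"kind": "SAN volume",                   "depends_on": ["san-array01"]},
    "san-array01":  {"kind": "SAN array",                    "depends_on": ["fc-switch01"]},
    "fc-switch01":  {"kind": "Fibre Channel switch",         "depends_on": []},
    "corp-file01":  {"kind": "corporate file server",        "depends_on": ["san-array02"]},
    "san-array02":  {"kind": "SAN array",                    "depends_on": []},
}


def supporting_assets(inventory, start):
    """Every asset reachable from `start` over depends_on edges (breadth-first, cycle-safe)."""
    seen, queue = set(), deque([start])
    while queue:
        for dep in inventory.get(queue.popleft(), {}).get("depends_on", []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def unclassified_supporting_assets(inventory, cca_list):
    """Map each asset that a declared CCA depends on, but that is not itself on the CCA list,
    to the set of CCAs relying on it.  An empty result means the list is closed under
    'essential to the operation of'; anything returned is a candidate the assessment missed."""
    declared = set(cca_list)
    gaps = {}
    for cca in declared:
        for dep in supporting_assets(inventory, cca) - declared:
            gaps.setdefault(dep, set()).add(cca)
    return gaps


if __name__ == "__main__":
    # What the entity in the Lessons Learned entry had documented: the workstations only.
    declared = {"ems-ops-ws01", "ems-ops-ws02"}
    for asset, relied_on_by in sorted(unclassified_supporting_assets(INVENTORY, declared).items()):
        print(f"{asset:12} ({INVENTORY[asset]['kind']}) supports {sorted(relied_on_by)}")
```

          On the constructed inventory the walk surfaces the hypervisor host, the SAN volume, the array and the fabric switch, while the corporate file server's array is untouched because nothing classified depends on it. The check is only as good as the edge data: a datastore presented over a second fabric, or a boot LUN that is not the VM's primary disk, has to be recorded as a dependency to be found.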

        • A:12/1/2015
          CIP-002-5: How would you classify non-BES facilities? How do we treat remote line switches that are outside of a transmission substation?

          Non-BES “facilities” (Lower case “f”) and Non-BES “Facilities” (Upper case “F”) are out of scope. This is due to the applicability requirements. Refer to “Facility” definition in the NERC Glossary of terms and “Section 4” and “Attachment 1” (pages 23 - 33) of the CIP-002-5.1 Guideline and Technical Basis.

        • A:2/24/2015

          Currently, a Lessons Learned position is being developed by the CIP V5 Advisory Group in an effort to provide consistency for all EROs; and being written and accepted by NERC.  The name of the proposed Lesson Learned is Generation Interconnection Points and has yet to be published for comment.

        • A:10/16/2015
          Do you need to list the physical address of the system?

          The auditor will require enough information to be able to locate the asset.

        • A:5/23/2016
          Under the previous version of CIP 002, we did not identify any critical cyber assets. It has also been determined by LBA/TOP that we are not critical to the BES.  Other than complying with requests and record keeping, does this make the new version not applicable to our entity?   The new version is very confusing.

          The CIP standards, and specifically CIP-002, should be applied to all assets and facilities that are part of the Bulk Electric System (BES) which is defined in the NERC Glossary of Terms. Registered entities should assess all BES facilities to determine whether there are any BES Cyber Systems or BES Cyber Assets at each facility.

          It is a best practice to document the assessment for all assets and facilities that are considered possible candidates as part of the Bulk Electric System. This documentation can provide information for auditors explaining why facilities may be excluded from the BES.

          Note that prior exclusion for not having Critical Assets in the version 3 standards is not a consideration for exclusion from the CIP V5 requirements. Registered entities should execute and document the assessment. BES facilities could have assets with Low or Medium Impact BES Cyber Systems.

        • A:10/16/2015
          CIP-002 V5 Attachment 1 – 2.10: If you have multiple relays that operate independently of the EMS system but add up to over 300 MW, how is that handled?

          The question is not whether the relays operate independently of the EMS, but rather whether the multiple relays coordinate with each other (i.e., operate as a coordinated load shedding system) that can trip more than 300 MW of load.  If the relays do not coordinate, i.e., they are separate and autonomous, then they do not meet the criterion; however, if they coordinate their actions or have common inputs, then they may meet the criterion.

        • A:2/24/2015

          CIP-002 V5 Attachment 1 Section 1.3: If a TO is performing some TOP functions at the direction of the TOP, is the TO’s control center pulled into the High category?

          Section 1.3 of Attachment 1 indicates that, if the functional obligation of the Control Center or backup Control Center is to perform for the TOP for assets that meet criteria 2.2, 2.4, 2.5, 2.7, 2.8, 2.9, or 2.10, the Control Center or backup Control Center would be classified as a High category.

          See NERC Lesson Learned, CIP-002-5.1: Identification of BES Cyber Systems at Control Centers Pursuant to Reliability Standard CIP-002-5.1:
          http://www.nerc.com/pa/CI/tpv5impmntnstdy/FunctionalObligationsandControlCenterLessonLearned.pdf

        • A:5/25/2016
          What assets qualify to be added to the data request spreadsheet?  For example, we have nine power plants and only six are controlled remotely.  Would I be correct in assuming that all generators, stations, etc. that are not connected to a "cyber-system" (such as a SCADA) should not be listed on the spreadsheet?  These are assets that do not have remote capability and have to be operated from a bench board locally. Naturally, I assume our remote plants, in which we can control generators, switchyard breakers, etc., would be included on the spreadsheet.

          Registered entities should apply the CIP standards, and specifically CIP-002, to all assets and facilities that are part of the Bulk Electric System (BES) as defined in the NERC Glossary of Terms (http://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf). Registered entities should assess all BES facilities to determine whether there are any BES Cyber Systems or BES Cyber Assets at each facility.

          It is a best practice to document the assessment for all assets and facilities that are considered possible candidates as part of the BES. This documentation can provide information for auditors explaining why facilities may be excluded from the BES.

          Note that lack of remote operation is not a consideration for exclusion from the BES or the CIP requirements. BES facilities with no remote capability can still be an asset with Low or Medium BES Cyber Systems. In most generation facilities, the Distributed Control Systems (DCS) qualify as BES Cyber Assets/Systems, even if they are not connected to a SCADA system.
        • A:12/1/2015
          For TO facilities (local control centers) that do not perform the functional obligation of the TOP (per the NERC functional model), should they be classified as medium impact per CIP-002-5? Specifically how should a TO facility (local control center) that has a jurisdictional control agreement with a TOP control center be classified per CIP-002-5?

          Yes, if it meets the Impact Rating Criterion of Section 2 - Medium Impact Rating (M).

        • A:2/10/2016
          How does "of the preceding 12 calendar months" from the CIP Standard work with the MOD-025-2 periodicity of "every 5 years or within 12 months of discovery of a change that affects the Real Power capability of more than 10%" considering that the CIP-002-5 says that the two should work together?

          The CIP-002-5.1 Attachment 1 paragraph quoted below uses the phrase "highest rated net Real Power capability of the preceding 12 calendar months…"  The Guidelines and Technical Basis below that says this was used to have a value that could be verified through existing requirements.

          MOD-025-2 requires Real Power capability verification every 5 years or within 12 months of discovery of a change that affects the capability by more than 10 percent.

          2. Medium Impact Rating (M)

          Each BES Cyber System, not included in Section 1 above, associated with any of the following:

          2.1. Commissioned generation, by each group of generating units at a single plant location, with an aggregate highest rated net Real Power capability of the preceding 12 calendar months equal to or exceeding 1500 MW in a single Interconnection. For each group of generating units, the only BES Cyber Systems that meet this criterion are those shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed 1500 MW in a single interconnection.

          From CIP-002-5.1 Guidelines and Technical Basis:
          In the use of net Real Power capability, the drafting team sought to use a value that could be verified through existing requirements as proposed by NERC standard MOD-024 and current development efforts in that area.

          MOD-025 requires verification of this capability “within 12 months of discovery of a change that affects the capability by more than 10 percent.” By referring to “the preceding 12 calendar months,” CIP-002 is saying that only the “current” net real power capability need be considered in cases where there have been no changes within the last 12 months that affected capability by more than 10 percent. In cases where such changes have occurred within the last 12 months, then both the “before” and “after” values of the net real power capability must be considered, with the highest of the two (or more, if multiple such changes occurred) being the value used to determine the risk rating.  The idea of these two standards “working together” also means that when a qualifying change occurs in the future, not only must real power capability verification be performed within 12 months for MOD-025, but the entity also must re-visit the CIP-002 risk rating (to determine whether, for example, the change results in a Low impact facility becoming Medium impact).
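          The reading in the previous paragraph carried through in code, as an added example in Python that is not part of the page, of SERC's guidance or of the standards: given a plant's verified aggregate net Real Power capability history, compute the value criterion 2.1 is applied to as of a given date, and the MOD-025 re-verification deadline any qualifying change creates. The plant history and dates are constructed and the function and class names are hypothetical; the 10 percent and 1500 MW figures are the ones quoted above.

```python
from dataclasses import dataclass
from datetime import date
import calendar

MEDIUM_THRESHOLD_MW = 1500   # CIP-002-5.1 Attachment 1, criterion 2.1
QUALIFYING_CHANGE = 0.10     # MOD-025-2: a change affecting Real Power capability by more than 10 percent


def months_before(d, n):
    """`d` moved back n calendar months (negative n moves forward), clamped to month end."""
    y, m = divmod(d.month - 1 - n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Rating:
    rated_mw: float        # the value compared against criterion 2.1
    meets_2_1: bool
    current_mw: float      # the value in effect on the as-of date
    considered_mw: list    # every value that had to be considered
    mod025_due: list       # re-verification deadlines triggered by qualifying changes


def rate_plant(verifications, as_of):
    """verifications: [(effective_date, aggregate net Real Power MW)] for one plant location.
    Following the page's reading: only the current value counts unless a qualifying (>10%)
    change took effect within the preceding 12 calendar months, in which case the 'before'
    value of each such change is considered too and the highest value is used."""
    window_start = months_before(as_of, 12)
    history = [(d, mw) for d, mw in sorted(verifications) if d <= as_of]
    if not history:
        raise ValueError("no verified capability on or before the as-of date")
    current = history[-1][1]
    considered, due = [current], []
    for (prev_d, prev_mw), (chg_d, chg_mw) in zip(history, history[1:]):
        qualifying = abs(chg_mw - prev_mw) / prev_mw > QUALIFYING_CHANGE
        if qualifying and window_start < chg_d <= as_of:
            considered.append(prev_mw)
            due.append(months_before(chg_d, -12))   # MOD-025: verify within 12 months of the change
    rated = max(considered)
    return Rating(rated, rated >= MEDIUM_THRESHOLD_MW, current, considered, due)


if __name__ == "__main__":
    # Constructed history: a 1520 MW plant derated to 1300 MW on 1 Sep 2015 (a 14% change).
    history = [(date(2014, 1, 1), 1520.0), (date(2015, 9, 1), 1300.0)]
    for as_of in (date(2016, 3, 1), date(2016, 10, 1)):
        r = rate_plant(history, as_of)
        print(as_of, "rated", r.rated_mw, "MW, meets 2.1:", r.meets_2_1, "MOD-025 due:", r.mod025_due)
```

          The two as-of dates show the point of "preceding 12 calendar months": six months after the derate the plant is still rated at 1520 MW and stays Medium under 2.1, and only once the change is more than 12 months old does the 1300 MW value stand alone. A change under 10 percent never adds its "before" value, so a plant that slips from 1520 to 1480 MW is rated at 1480 MW immediately.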

        • A:March 1, 2016
          What is the CIP V5 implementation schedule for low impact sites?
          The CIP-002 assessment should be completed now to ensure that only low impact BCS assets exist. Processes and Procedures: 4-1-17. Electronic and Physical security controls: 9-1-18. Transient devices and Removable Media: still in drafting at this time.
        • A:March 1, 2016
          For DPs that implement a UFLS scheme that sheds greater than 300 MW of load under a distributed (uncommon) control system that is energized at less than 100 kV and is not considered BES, does CIP-002-5.1 Attachment 1 Criteria 2.10 or 3.6 apply? If so, which criteria?

          More detail is required for a definite answer. For example, if the distributed control system has only one input that is common to all parts of the system, it could be viewed as a common control system.

          Assuming that there are no common components or inputs of the distributed control system, then it would not apply. If all the elements are below 100 kV, they are not considered BES Elements and, therefore, not subject to the CIP Standards unless subject to the 4.2.1.1.2 inclusion.

          CIP-002-5.1 Attachment 1 Medium Impact Rating Criteria
          2.10. Each system or group of Elements that performs automatic Load shedding under a common control system, without human operator initiation, of 300 MW or more implementing undervoltage load shedding (UVLS) or underfrequency load shedding (UFLS) under a load shedding program that is subject to one or more requirements in a NERC or regional reliability standard.

          CIP-002-5.1 Attachment 1 Low Impact Rating Criteria
          3.6. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

        • A:2/24/2015

          CIP-002 V5 R1 and Section 2.6 (Attachment 1): Which functional entity (TP, PC, RC) determines the identification of the transmission facility as a medium impact BES cyber system? The TP/PC, due to the time horizon considered, do not identify the IROL, but they are the asset owner of the transmission facility. (The RC is not the owner.)

          Each entity audited for compliance will need to provide thorough evidence of communication with all parties involved to provide some final determination by one of the parties of the impact rating for the particular Transmission Facility. This communication should address the various determinations and responsibilities as applicable for each Transmission Facility for which this determination is necessary.

        • A:2/13/2013
          The CIP Standards require Registered Entities to make the Cyber Security Plan available to all who have authorized unescorted physical access or cyber access to the CCAs. Are Registered Entities expected (or is it a best practice) to share the exceptions to the CSP as well (even a "sanitized" version, since the CSP is not a confidential document)?

          Registered Entities are not required to make exceptions to the Cyber Security Policy readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets. In fact, the requirement to make the cyber security policy readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets (CIP-003-3 R1.2) has been retired in the Paragraph 81 ruling.
        • A:2/13/2013

          What is SERC’s thought of using Cloud technology to store CIP-related information?

          As usual, the answer depends.  Concerning the basic question in light of the CIP Standards, no specific aspects conflict with using cloud technology to store data covered by an entity's Information Protection Program.  From the business standpoint, this information belongs to the registered entity, and they may do with it what they feel meets Compliance and their own operational needs.  However, a registered entity's Information Protection Program must include at least two additional elements to cover the use of cloud resources.  First, the entity must update the documented program (with any associated procedures, processes, and practices) to account for the possibility of information on cyber assets outside of direct entity control.  The documentation should specify the Who, What, When, Where, and Why of how to appropriately and securely utilize cloud resources for entity information.  It bears noting that the types of information to be protected include, "at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002-3, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information."  This does not include real-time data, even though potentially sensitive, with the caveat that one could not derive one of the items in the above list from the totality of that real-time data.  In other words, a bad actor might gain the ability, by collecting enough detail from the data points, to create a Critical Asset List.  In fact, real-time data points commonly pass between Control Centers via ICCP and to EMS vendors for troubleshooting without issues in compliance.

          Secondly, specific procedures must include protections for such data against breach by non-entity personnel, such as the employees of the external company providing the cloud service.  This can include maintaining Personnel Risk Assessments (PRA) and Cyber Security Training (CST) as stated in CIP-004, but the Standards do not specifically require such records.  By the strictest application of the CIP Standards, only "personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets" (CIP-004 R2 and R3) require current PRA and CST records.  Therefore, access to protected information does not necessitate such records, but an entity might wisely track these aspects.  In real-world terms, however, this proves impractical for several reasons, not the least being reluctance by the vendor to provide this information. A registered entity approaching the decision to source Cloud storage of protected information should consider the following recommendations:

          • Review all FERC definitions, guidance, and regulations regarding Critical Energy Infrastructure Information (CEII).

            http://www.ferc.gov/legal/ceii-foia/ceii.asp
            http://www.ferc.gov/legal//maj-ord-reg/land-docs/ceii-rule.asp
            http://www.ferc.gov/legal/ceii-foia/ceii/classes.asp

          • Execute a binding contract and/or separate Non-Disclosure Agreement to specify protections and remedies for breach of protected information.
          • When possible, utilize end-to-end encryption to protect the data both at rest and in transit to completely prevent even the possibility of access by non-entity personnel.
          • Require the vendor to provide annually a certificate of completion or executive summary from Statement on Standards for Attestation Engagements (SSAE) No. 16 Type 2 (formerly known as SAS70 Type II).

            http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf
            http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations

          • While not required for access to protected information, as discussed above, alter training content to clearly discuss the use of cloud resources for the storage of CEII and other protected information.

        • A:2/24/2015

          When monitoring is used as a physical security control at a low impact location for standard CIP-003-6 Attachment 1 Section 2, should entities maintain evidence/logs of the monitoring for 90 calendar days, as in CIP-006-5 R1.9, or for the entire compliance period to provide to internal and ERO auditors? What are other examples of what will be requested to show implementation of these controls?

          The 90 calendar day limit deals with logging of access by authorized personnel or of visitors. However, because SERC tends to only sample events and incidents for a 90-day period just prior to an audit, monitored alarm events could be kept for this same time period. The policies, procedures, and system configurations that support logging must be maintained throughout the compliance monitoring period. It should be noted that reportable incidents per CIP-008 R2 require that all pertinent information be retained for three calendar years.

        • A:4/19/2016

          CIP-003-6 – Attachment 1
          Section 2.

          Physical Security Controls: Each Responsible Entity shall control physical access, based on need as determined by the Responsible Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset and (2) the Low Impact BES Cyber System Electronic Access Points (LEAPs), if any.

          Question: Does this require a log (physical or electronic) of individuals who physically access the “Low” assets?

          Per the standards, there is no requirement to log cyber or physical access of authorized persons or visitors to low impact BES Cyber Systems.
        • A:11/15/2016
          I have heard that different regions are auditing LERC and LEAP differently.  I am interested in finding out SERC’s audit approach for LERC and LEAP (NERC Glossary of Terms definitions of each below). Part of the definition states “Direct user‐initiated interactive access or a direct device‐to‐device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s)”.  I have heard that some regions are defining LERC as any bi-directional routable protocol connection that “punches a hole through the firewall”.  The definition states “from a Cyber Asset outside the asset containing those low impact BES Cyber System(s)”.

          LERC and LEAP Definitions:

          Low Impact External Routable Connectivity (LERC) – “Direct user‐initiated interactive access or a direct device‐to‐device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi‐directional routable protocol connection. Point‐to‐point communications between intelligent electronic devices that use routable communication protocols for time‐sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).”
          Low Impact Electronic Access Point (LEAP) - A Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact BES Cyber Systems.

          Question:
          Is there LERC if the only communication is “pushed” from a DCS (inside the asset containing low impact BES Cyber Systems) to a DMZ (outside the asset containing low impact BES Cyber Systems) and is read only?  In other words, the routable protocol “punches a hole through the firewall” but is only going one direction and is read only.

          SERC performs compliance monitoring and enforcement to the language of the effective and enforceable Standard and Requirement.

          CIP-003-6 Requirement R2, Attachment, Section 3, requires a registered entity to permit only necessary inbound and outbound bi-directional routable protocol access. In the scenario described, SERC would expect the entity to provide evidence demonstrating that the communication path is one-way. NERC has posted CIP-003-7 for public review and comment, and there could be significant changes. For example, the Standards Drafting Team is recommending that the terms LERC and LEAP be modified to electronic access controls. The SDT is also recommending providing more clarity on what is suitable electronic access controls evidence. CIP-003-7 Attachment Two states that “documentation, such as representative diagrams or lists of implemented electronic access controls (e.g., restricting IP addresses, ports, or services; implementing unidirectional gateways) showing that at each asset or group of assets containing low impact BES Cyber Systems, routable communication between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset is restricted by electronic access controls to permit only inbound and outbound electronic access that the Responsible Entity deems necessary, except where an entity provides rationale that communication is used for time‐sensitive protection or control functions between intelligent electronic devices.”

          The referenced version, CIP-003-7, has not been approved by Industry, NERC, or FERC; therefore, SERC would perform compliance monitoring and enforcement to the approved Standard and Requirement.
        • A:September 28, 2016
          CIP-003-6 Attachment 1, Section 3, 3.2 states that each Responsible Entity shall “Implement authentication for all Dial-Up Connectivity, if any, that provides access to low impact BES Cyber Systems, per Cyber Asset capability”.  

          The examples in CIP-003-6 Attachment 2, Section 3 list “access control on the BES Cyber System” as an example of authentication for Dial-Up Connectivity.  Many Cyber Assets utilized in industrial control systems are capable of providing password/passcode authentication, but are not capable of using any type of user or system account in conjunction with a password/passcode. 

          If Dial-Up Connectivity to a low impact BES Cyber System is authenticated through the use of passwords (but not in conjunction with any type of account) as the sole challenge authentication, would SERC consider this to be a sufficient means of authentication to meet the requirements of CIP-003-6 Attachment 1, Section 3, 3.2?

          At this point, low impact assets do not come into effect until April 1, 2017.  The Standards Drafting Team is further defining the requirements of the standards until the effective date.  Currently, SERC’s stance is that it applies “per device capability.”

        • A:2/25/2015

          What are the expectations for low impact entities?

          Low-impact BES cyber systems will not be subject to the CIP standards until April 1, 2017, a full year after CIP V5 takes effect for High- and Medium-impact systems.  SERC is currently working with the other Regional Entities and NERC to develop a consistent ERO-wide approach for Low-impact systems and registered entities.  The expectations for Low-impact registered entities will be communicated once they have been finalized.

        • A:10/16/2015
          CIP-004 R1.1:  A clarification is needed concerning the phrase “Responsible Entity’s personnel” as it relates to Security Awareness Programs in CIP-004-5 Part 1.1.

          Does the phrase imply that the registered entity’s Security Awareness Program only needs to target employees of the registered entity who have authorized electronic or unescorted physical access to High or Medium impact BES Cyber Systems?  It appears that, under V5, the SDT removed the registered entity’s obligation (as opposed to V3) to have multiple awareness programs to provide awareness to contract personnel who may not have access to direct communications (i.e., emails, memos, computer-based training); or indirect communications (i.e., intranet); or management support and reinforcement (i.e., presentations or meetings) when any of these methods are incorporated into the awareness program.
          As noted in the Measures section, compliance requires “documentation that the quarterly reinforcement has been provided.” The guidance states “[t]he Responsible Entity is not required to provide records that show that each individual received or understood the information, but they must maintain documentation of the program materials utilized in the form of posters, memos, and/or presentations.”

        • A:1/9/2015

          Can an entity define the training requirements specific to access type (physical or electronic)?

          Yes, a Registered Entity can define specific training requirements pursuant to access type. A Registered Entity will need to ensure that all training modules associated with that access type are obtained before access is granted and at least once every 15 calendar months for continual access. Example: If there are three modules needed for an access type, all three will need to be completed prior to being granted access.

        • A: 3/18/2015

          I am seeking guidance or examples on the level of separation required between the network(s) on which the BES Cyber Security policies and procedures are currently stored and the Corporate Network and associated Corporate IT staff.

          The BES Cyber Security policies are located on a secure network location(s), but the Corporate IT staff has “God Rights” to these network(s) as part of their job duties as assigned to support the Corporate network. The Corporate IT staff is not currently subject to any NERC compliance requirements and are not familiar with NERC in general since they only support the Corporate Network.

          Per the BES Cyber System Information definition, we are of the understanding that the BES Cyber Security policies and procedures would have to be stored in a separate location to prevent the Corporate IT staff from having any access.  If the BES Cyber Security policies and procedures are to remain on the Corporate Network, would the Corporate IT staff be subject to the NERC training requirements and access revocation timelines as specified?

          Within CIP-011-1 R1.1, the registered entity is required to establish methods to identify information that meets the definition of BES Cyber System Information. Under CIP-011-1 R1.2, the registered entity is instructed to implement procedures for protecting and securely handling BES Cyber Security Information. Using the definition of BES Cyber System Information that will become effective on April 1, 2016 (refer to the Glossary of Terms Used in NERC Reliability Standards; dated March 3, 2015), the registered entity would be required to properly determine and support the decisions on what information is considered BES Cyber Security Information.  Policies and procedures (what level of information they contain and how it is documented) will vary from entity to entity and from program to program. Some registered entities may include information in policies and procedures that is detailed or specific enough to its program, systems, architecture, and/or network that the information would be sensitive and could pose a threat to the BES if it found its way into the wrong hands.  Other registered entities keep policies high-level enough that they contain no sensitive information to cause or pose impact to the BES, even when considered in conjunction with all policies and procedures under CIP. The approach for this requirement is specific to the registered entity and to the program developed to meet compliance.  If a registered entity’s policies and procedures (when considered collectively) do not contain sensitive information that could pose a threat or could be used to allow unauthorized access to BES Cyber Systems, then it would not be in scope for protections cited in CIP-011-1 R1.2. If the policies and procedures do contain sensitive information, then they would be in scope for Information Protection.

          As a side note, if a registered entity chooses to keep policies and procedures devoid of operational specifics or details, there will be a level of documentation below these that does get into specifics and details that are required for operational effectiveness. These documents, however they are stored and used, and whatever they are called, would be subjected to Information Protection as required in CIP-011-1 R1.

        • A:2/24/2015

          CIP-005-5 R2.3 – Multi-factor authentication for interactive access: If a registered entity uses an application on their smart device to generate an authentication code, does the smart phone need to be protected as part of the intermediate system?

          Examples of additional authentication factors that are typically employed to achieve multi-factor authentication include devices such as smart cards and hardware tokens. These would be considered stand-alone devices, and would not be brought into scope as part of the intermediate system. By extension, this would also be true of the smart phone described in the question, since the described application would fulfill the same role as a hardware token. Entities should keep in mind that smart phones are highly targeted by cyber threat actors; and should, thus, be secured accordingly. However, in this example, the smart phone does not fall into CIP purview as an intermediate system.

        • A:10/16/2015
          CIP-005 R1.4 – Dial up: What is an acceptable minimal authentication level?   Is a password alone enough?  Does each person need to have their own password or is a shared one ok?   Is an Account expected?
          Registered entities should use an authentication method that can validate the calling party; any modem that answers all calls and connects would not be sufficient (and neither would be one that uses a well-known default password). The guidance states “[s]ome examples of acceptable methods include dial-back modems, modems that must be remotely enabled or powered up, and modems that are only powered on by onsite personnel when needed along with policy that states they are disabled after use.” It is not required that each person have a password as long as the small set of people with the password is documented.

          Note that if the dial-up connection provides Interactive Remote Access, then CIP-005 Part 2 will also apply.

        • A:11/14/2013

          CIP-005 R1.5 is about Electronic Access Control and/or Monitoring Systems.  Can SERC confirm that this means "electronic access control and/or electronic access monitoring", as is clarified in the accepted definition of EACM in V5?

          There are many differences between Version 3 and Version 5 of the CIP Standards.  Version 5 offers many clarifications of terms and processes over Version 3 of the Standard.  However, as some Requirements have been altered in order to accommodate synergy of Requirements across Version 5 of the Standard, it is impossible to identify a 1:1 relationship between Version 3 and Version 5.  NERC and the Regional Entities are currently working to develop a backward compatibility matrix between Version 3 and Version 5 of the Standard.  Once this is complete, the Regional Entities will be able to provide more direct correlation between the two Standards.

        • A:3/17/2015

          Description of the Violation, Issue, or Trend
          The responsible entity did not include or implement a visitor control program in its physical security plan, or it does not meet the requirements of continuous escort.

          Risk Considerations
          Unauthorized or unsupervised individuals could access sensitive information and systems within the physical security perimeter.

          Description of Mitigation Activity
          Implement a visitor control program that incorporates logging of access and exit and incorporates a continuous escort within the physical security perimeter.

          Other Factors or Comments
          This is a best practice for visitor pass management. The visitor is assigned a bright green badge with a number. The escort then takes the corresponding bright yellow half badge with the same number to indicate which visitor he/she is escorting. The escort can clip on multiple yellow half badges for escorting more than one visitor. At a glance you can recognize which visitors are being escorted by which entity personnel. In the event there is an escort hand off, the new escort would receive the smaller yellow clip-on badge(s) from the original escort.

        • A:2/24/2015

          Are there additional resources or guidance for the types of controls to restrict physical access for the Medium Impact BES Cyber Systems without External Routable Connectivity and PACs applicable to CIP-006-5 R1.1 which do not reside within a PSP? The measures section only mentions providing documentation that these controls exist.

          Please note the following are examples of what has worked for other organizations.  A Physical Access Control System (PACS) server that is configured and maintained by authorized personnel that utilizes a documented procedure to grant and review access can be used to restrict access.  In addition, utilize a visitor management procedure that requires sign in, identification tagging, and active escorting within restricted areas. A detective control would utilize alarm systems to alert for forced open, held open, or unauthorized entry.

        • A:September 28, 2016
          CIP-006-6: If locally mounted hardware or devices at a PSP, as defined in the Background of CIP-006-6, fail (i.e., an electronic door strike does not fully engage but the door is closed), is that considered a lack of physical access controls and a Possible Violation?

          In this example the documented physical security plan defined physical access controls as card keys, mechanical keys, security personnel, and other authentication devices (keypad or biometrics). Additionally, monitoring and logging of physical access are in place and working.

          Depending on the effectiveness of the implemented access controls, if the registered entity can no longer restrict physical access into a PSP, then it could be a potential violation of CIP-006-6.
        • A:4/9/2016
          CIP-006-6 R1.1 applies to Medium Impact BES Cyber Systems without External Routable Connectivity (ERC) and requires the Entity to “Define operational or procedural controls to restrict physical access”. 

          The question relates to the handling of guests or visitors.  Can an Entity write procedural controls to allow guest entry into the areas with just someone providing them access?  Would a guest/visitor log be expected? Would escorting be expected?  The standard is not very clear on handling access to one-time guests.

          There is no requirement per the wording of CIP-006-6 Part 1.1 to restrict physical access to any certain authorized group or to require that any other persons be restricted or escorted. It is up to the entity to document how they will restrict physical access to these BES Cyber Systems. The document should include, but not be limited to, a discussion regarding:

          • Who the entity deems to have authorized physical access to these BES Cyber Systems and who would be restricted from physical access;
          • For those restricted from physical access, how the entity plans to grant them temporary access;
          • Whether escorting of those not normally authorized should be required and performed by whom;
          • Whether logging of those the entity deems authorized and those they deem not authorized needs to occur and, if so, by what means;
          • How access is to be restricted, either by electronic means such as via a PACS or keyless entry system or via mechanical means such as keys; and
          • If using keys, whether said physical access points should have special keys or standard keys and whether the keys should be “restricted” through a check-out process or distributed to anyone deemed authorized.

          CIP-006-6 Part 2.2 requires manual or automated logging of visitor entry into and exit from the Physical Security Perimeter and CIP-006-6 Part 2.1 requires continuous escorted access of visitors and BES Cyber Systems; however, those requirements are not applicable to BES Cyber Systems without ERC.

        • A:3/17/2014

          Description of the Violation, Issue, or Trend
          Registered Entities are failing to adequately document the enabled ports and services required for normal and emergency operations.  Registered Entities often document the port and/or service as being enabled and what service is typically running on the enabled port.  However, they fail to document the business need/reason for the port and/or service.

          Risk Considerations
          In general, this violation poses a moderate risk to the reliability of the bulk power system.  The failure to document and enable only the ports and services required for normal and emergency operations increases the risk of unauthorized access through unneeded ports left open. Unnecessary ports or services provide an attack vector into the Electronic Security Perimeter that could be used to deliver malware, extract information about Critical Cyber Assets, or allow tampering with Critical Cyber Assets such as the Energy Management System.

          Description of Mitigation Activity
          Registered Entities have mitigated the violation in several ways:

          1. One Registered Entity created a benchmark (baseline) document where it documented all of the ports/services that were currently enabled and the business justification for each.  The business justification also included a reference to the approved change management ticket demonstrating that the port/service was not only required but authorized by management.  In addition, the Registered Entity also maintained documentation from vendors justifying the operational requirement for the enabled port(s).  The benchmark documentation would then be updated for each significant change, as needed.  The benchmark documentation wasn't necessarily for each asset, but was for each class of asset.  This was accomplished to reduce the administrative overhead required.
          2. Another Registered Entity created benchmark documentation which was updated during the annual Cyber Vulnerability Assessment (CVA). The Registered Entity would rely on change management documentation to capture modifications to the approved enabled ports/services.  During the annual CVA, the Registered Entity would review the benchmark documentation, the CVA results, and all of the applicable change management tickets.  Based on the assessment, the benchmark documentation would be updated.

          Other Factors or Comments
          Entity size, the type and the number of Cyber Assets in scope.

          The amount of change management tickets for the Cyber Assets in scope.

          Sound CVA process to ensure assets are thoroughly assessed.

          Although a baseline is not required by the Standard, it is a great way to reduce the risk of unauthorized ports and services being unidentified on assets and to demonstrate compliance as well.

        • A:3/17/2014

          Description of the Violation, Issue, or Trend
          Registered Entities are failing to perform a CVA of all Cyber Assets within the Electronic Security Perimeter at least annually.  Registered Entities are performing basic network scans to look for common vulnerabilities and exposures.  However, they are failing to verify that the enabled ports and services are required.

          Registered Entities are failing to perform a review that only ports and services required for operation are enabled.  This can be done by comparing the annual CVA ports and services results against a documented benchmark (CIP-007-3a R2).

          Risk Considerations
          In general, this violation poses a moderate risk to the reliability of the bulk power system. The CVA provides a review of a Registered Entity’s existing program and, as such, is a validation that the CIP program is working correctly for change management and configuration control and other CIP requirements. The lack of an adequate CVA will result in a false sense of security along with an improper identification of the effectiveness of the Registered Entity’s program. Similarly, it will not provide the needed results of what it was intended to test if relying solely on testimony and current intrusion prevention systems (IPS) and intrusion detection systems (IDS). The lack of a process for checking the controls of default accounts can result in the improper application of account management and result in a weak account management program or an increased opportunity for attack vectors against CCAs.

          Description of Mitigation Activity
          A Registered Entity mitigated the violation by implementing a robust CIP-007-3a R2 process for identifying and documenting the required ports and services for normal and emergency operations. The benchmark documentation was then compared against the annual CVA results. The annual CVA was conducted through a mixture of network scanning, if possible, and system commands to determine the ports/services enabled on the Cyber Asset(s). The assessment was thoroughly documented by detailing what was reviewed, who reviewed it, the dates, and citations to all of the supporting documents. If necessary, action plans were created based on the CVA results, which included the steps to remediate or mitigate vulnerabilities identified and the execution status.

          Other Factors or Comments
          Often Registered Entities that have issues with CIP-007-3a R8 also have issues with CIP-007-3a R2.  The key element to a successful CVA program is the benchmark documentation created by compliance with CIP-007-3a R2.
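          The comparison described in this lesson learned (annual CVA ports/services results checked against the CIP-007-3a R2 benchmark) can be scripted so that the review is repeatable and its evidence is reproducible. The following is an added example, not SERC, NERC or any entity's code: the asset name, the benchmark entries and the `ss -tulpnH`-style output are all constructed for illustration, and the benchmark structure is an assumption, not a format any standard prescribes.

```python
"""Compare the ports and services observed on a Cyber Asset during the annual CVA
against the documented CIP-007-3a R2 benchmark.  Added example, not SERC or NERC
code; the asset name, benchmark entries and ss-style output are constructed."""
import re

# Constructed benchmark for one Cyber Asset: (protocol, port) -> documented justification.
BENCHMARK = {
    "rtu-sub-01": {
        ("tcp", 22): "SSH for engineering access",
        ("tcp", 20000): "DNP3 outstation to EMS",
        ("tcp", 502): "Modbus/TCP to local HMI",
    },
}

# Constructed sample in the style of `ss -tulpnH` captured on the asset during the CVA.
SS_OUTPUT = """\
tcp   LISTEN 0  128  0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0  5    0.0.0.0:20000  0.0.0.0:*  users:(("dnp3d",pid=901,fd=4))
tcp   LISTEN 0  128  0.0.0.0:23     0.0.0.0:*  users:(("telnetd",pid=655,fd=3))
udp   UNCONN 0  0    0.0.0.0:161    0.0.0.0:*  users:(("snmpd",pid=700,fd=6))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text):
    """Return {(proto, port): process_name} for each listening socket in ss output."""
    observed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])
        match = PROCESS_RE.search(line)
        observed[(proto, port)] = match.group(1) if match else "?"
    return observed


def compare_to_benchmark(asset, observed):
    """Split sockets into authorized (on the benchmark), unauthorized (listening but
    undocumented) and missing (documented as required but not listening).  Missing
    entries matter too: they show the benchmark has drifted from the asset."""
    benchmark = BENCHMARK.get(asset, {})
    authorized = {k: v for k, v in observed.items() if k in benchmark}
    unauthorized = {k: v for k, v in observed.items() if k not in benchmark}
    missing = {k: v for k, v in benchmark.items() if k not in observed}
    return {"authorized": authorized, "unauthorized": unauthorized, "missing": missing}


def assess(asset, ss_text):
    return compare_to_benchmark(asset, parse_ss(ss_text))


if __name__ == "__main__":
    report = assess("rtu-sub-01", SS_OUTPUT)
    for category in ("unauthorized", "missing"):
        for (proto, port), detail in sorted(report[category].items()):
            print(f"{category:12s} {proto}/{port:<5d} {detail}")
```

          Each unauthorized finding (here telnet and SNMP) becomes an action-plan item; each missing entry is a benchmark correction. Keeping the raw `ss` capture alongside the script output gives the dated, attributable evidence the mitigation above describes.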

        • A:10/16/2015
          CIP-007 R2: If a patch solely includes new security functionality, does it need to be assessed if it doesn’t directly address a security vulnerability?  For instance, what if the security patch enhances the password complexity capabilities of a device but doesn’t directly address a known security vulnerability?
          The requirement is to “evaluate security patches for applicability.” While not all security patches reference specific vulnerabilities, all security patches are designed to enhance the security of the system, and all should be evaluated for applicability.

          Note that not all applicable patches must be installed, so the entity may choose to create a mitigation plan.

          In the example cited, short and simple passwords are clearly a vulnerability, so increasing the complexity and length of the passwords on the system does make the system less vulnerable. If the patch allows the entity to retire a TFE, that would be a patch that should be considered for installation rather than just mitigated.

        • A:10/16/2015
          CIP-007-5 R2.2: For devices in the field that haven’t been updated in “years,” do we evaluate patches for the history of the device; or should we start from April 1, 2016?  Or, should we start from patches released from April 1, 2016 going forward?
          The ERO is currently developing an approach for how to analyze patches for devices which have been in place for a number of years, have not undergone a patch analysis, and likely have some patches that would be analyzed for applicability if the patches would be released following April 1, 2016 (As of the writing of this response, the ERO has not solicited comments on this approach). The Implementation Plan is silent about patches released prior to 4/1/16, however the ERO is considering that during the initial patch assessment period (i.e., 35 days following 4/1/16, or by no later than May 5, 2016), assuming the device is updateable, and a patch source exists, the Responsible Entity would determine what patches are available and perform an initial triage of those patches to determine if any of them are security patches associated with functionality in use on those devices.  Then during the evaluation period (i.e., no later than June 8, 2016), a vulnerability mitigation plan would be developed to address the security vulnerabilities addressed by those patches.  Note that there is no expectation by the ERO that the patches will be installed by June 8, nor is there a requirement that the mitigations all be completely in place by then, only that a vulnerability mitigation plan exists, and the Responsible Entity is working toward implementing that plan.
        • A:10/16/2015
          CIP-007 R2.2: Do entities need to review patches for BIOS updates/drivers?
          Yes, these are reviewed/assessed along with the security patches or updates.
        • A:9/16/2015

          CIP-007-5, Table R4, Requirement 4.2.2
          “Detected failure of Part 4.1 event logging.”

          1. I do not see anything under “Measures” that defines what is expected.
          2. Is this on a “per device” or a general logging function?
          3. Is this covered by fulfilling 4.4 or is it an automated function, and if so how often?

          I’m not sure what is required, how often it is required, or how to fulfill the requirement.

          CIP-007-5 Part 4.1 requires that registered entities use event logs, while Part 4.2.2 requires that an alert be generated if that logging fails. Part 4.4 requires a periodic review of a summarization or sampling of logs; this is neither frequent enough nor comprehensive enough to serve as an “alert.” For all practical purposes, Part 4.2.2 may need to be addressed by an automated function.

          Part 4.1 allows the option of logging at the BES Cyber System level or the Cyber Asset level. Accordingly, the registered entity should document whether they are implementing Part 4.1 on a “per device” basis or utilizing a central log server. Once the registered entity has documented this, the entity will need to implement Part 4.2.2 at the same level(s). Most registered entities employ logging at both levels; i.e., individual devices generate and store logs locally (Cyber Asset level) while also forwarding log entries to a log server (which may be at a BES Cyber System or broader level).

          An example measure at the Cyber Asset level might be a script that runs periodically to verify that the local logging service is still running. An example measure at the BES Cyber System level could be a “heartbeat” service, whereby a central log server is configured to recognize when it stops receiving logs from an individual device. A good example measure for either level would be an automatically generated email that alerts system personnel to a detected logging failure.

          Due to differences in entity logging practices and in the amount of activity on individual devices, the threshold at which failure might be detected (and thus the frequency at which automated checks should occur) could be as little as a few minutes or as long as several days.  As such, SERC cannot define how often these checks should occur. Each registered entity must evaluate their Cyber Assets / BES Cyber Systems to determine the appropriate threshold(s) for their own environment.
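          The "heartbeat" measure described in the answer above, as an added example that is not SERC, NERC or any entity's code. It derives a per-host silence threshold from the host's own logging rate (the point made above that a chatty HMI and a quiet substation RTU need very different thresholds) and flags hosts whose logs have stopped. Host names, log lines, the 3x multiplier, the five-minute floor and the clock values are all constructed assumptions; dispatching the resulting alert (for example by e-mail) is left to the entity's tooling.

```python
"""Heartbeat detection of failed event logging at a central log server
(CIP-007-5 Part 4.2.2).  Added example, not SERC or NERC code: host names,
log lines, thresholds and clock values are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed syslog-style lines as received by the central log server.
SAMPLE_LOG = """\
2016-09-16T08:00:00Z hmi-cc-01 sshd[812]: Accepted publickey for ops from 10.1.1.5
2016-09-16T08:00:30Z hmi-cc-01 sudo: ops : COMMAND=/bin/systemctl status rsyslog
2016-09-16T08:01:00Z hmi-cc-01 sshd[812]: session closed for user ops
2016-09-16T08:01:40Z hmi-cc-01 CRON[900]: (root) CMD (/usr/local/bin/logcheck)
2016-09-16T08:00:00Z rtu-sub-07 dnp3d: integrity poll from 10.2.0.1 ok
2016-09-17T08:00:00Z rtu-sub-07 dnp3d: integrity poll from 10.2.0.1 ok
2016-09-18T08:00:00Z rtu-sub-07 dnp3d: integrity poll from 10.2.0.1 ok
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timestamps_by_host(log_text):
    """Group the receive timestamps of each log line by originating host."""
    hosts = defaultdict(list)
    for line in log_text.splitlines():
        stamp, host, _rest = line.split(" ", 2)
        hosts[host].append(parse_ts(stamp))
    return {host: sorted(stamps) for host, stamps in hosts.items()}


def derive_threshold(stamps, multiplier=3, floor=timedelta(minutes=5)):
    """Silence longer than `multiplier` times the longest gap seen in the baseline
    window counts as a logging failure; `floor` keeps chatty hosts from alerting
    on ordinary jitter.  Both values are assumptions to tune per environment."""
    if len(stamps) < 2:
        return floor
    longest = max(later - earlier for earlier, later in zip(stamps, stamps[1:]))
    return max(longest * multiplier, floor)


def detect_failures(by_host, now, thresholds=None):
    """Return {host: silence} for hosts that have been quiet longer than allowed.
    An explicit per-host threshold overrides the derived one."""
    thresholds = thresholds or {}
    failures = {}
    for host, stamps in by_host.items():
        silence = now - stamps[-1]
        limit = thresholds.get(host, derive_threshold(stamps))
        if silence > limit:
            failures[host] = silence
    return failures


if __name__ == "__main__":
    by_host = timestamps_by_host(SAMPLE_LOG)
    for host, stamps in by_host.items():
        print(f"{host}: threshold {derive_threshold(stamps)}")
    for host, silence in detect_failures(by_host, parse_ts("2016-09-19T12:00:00Z")).items():
        print(f"ALERT logging failure on {host}: no logs for {silence}")
```

          Run on a schedule at least as often as the smallest threshold in use, the check gives the Cyber System level alert; a companion check on each device (for instance a cron job that confirms the local logging service is running) covers the Cyber Asset level the answer distinguishes.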

        • A:4/8/2016
          If a CIP Exceptional Circumstance occurs, does SERC want to be notified at the time?  (This question is separate from any "reportable incident" under CIP-008's Incident Response requirements.) 

          Are CIP Exceptional Circumstances to a PSP expected to be shown in the Visitor log?

          What format should the reports use? 

          To whom at SERC should they be addressed?

          The "at the time of occurrence" reports - not the documents for audit evidence.

          There is no requirement to "report" the CIP exceptional circumstance - at the time of occurrence. However, the registered entity should adequately document the CIP exceptional circumstance and be prepared to provide the documentation to the auditors. The documentation should include, but is not limited to, the start and stop times and details surrounding the issue.

        • A:9/25/2015

          Description of the Violation, Issue, or Trend
          Recovery plans focused on disaster recovery do not meet the requirement of CIP-009 which is focused on device recovery. While redundancy and automatic failover to backup assets or sites provide disaster recovery, that process does not provide recovery of individual assets. This is a good way to find any deficiencies or undocumented parts of the recovery plan and procedure.

          Risk Considerations
          Recovery of individual assets, if not clearly documented, may not be executed properly when needed, especially in a major event when multiple assets are lost. This could greatly increase the time required to recover to the base situation where all assets (both primary and backup) are available.

          Description of Mitigation Activity
          Ensure that the recovery plans include procedures to recover individual assets. These procedures should either address each asset individually or address each class of asset. They should include how to obtain replacement parts (relevant contracts, purchase orders, approvals required), which roles are required (who initiates the recovery, purchase order approval, communication to operations on restoration, change ticket creation and approval, testing prior to installation, documentation of events, lessons learned), and any relevant localized information. For example, there may be a central spare parts location, but for some assets (remote substations are one example), it may take longer to get the parts from the spare parts location to the site. That should be documented in the recovery plan and in the recovery procedure for those assets and both the plan and the procedure should account for that time in the expected recovery duration.

          Other Factors or Comments
          Quote from an Entity RSAW

          "Auditors noted an Area of Concern with the recovery process since it did not clearly address all information needed for the recovery. While the recovery plans include high level information that is required, they did not include details on parts of the recovery such as how to obtain replacement parts, who is responsible to obtain the spare parts (and any procurement sign offs), vendor contracts for spare parts or support, change management requirements during a recovery, roles for recovery approvers, coordination of the recovery with system operations and how the expected duration of the recovery is determined."

        • A:9/25/2015

          Description of the Violation, Issue, or Trend
          Recovery plan testing is often done only at a very high level.

          Risk Considerations
          Recovery of individual assets, if not adequately tested, may not be executed properly when needed, especially in a major event when multiple assets are lost. This could greatly increase the time required to recover to the base situation where all assets (both primary and backup) are available.

          Description of Mitigation Activity
          One approach that works well is to have someone technically qualified but outside the CIP organization attempt a recovery. This removes the tribal knowledge and forces the recovery to use the actual, documented procedure.

          Other Factors or Comments
          Quote from an Entity RSAW

          "shows a description of how the entity exercises their recovery plan but it does not include recovery of individual assets as specified in the requirement."

          "provides entities evidence of a 2015 recovery exercise, including agenda, participant list, exercise (not detailed) and restore types. It does not include a scenario describing the event, specific equipment affected or procedures to recover specific assets or lessons learned."

        • A:September 28, 2016
          CIP-010 Attachment 1, Section 3.2.2 states, “Mitigate the threat of detected malicious code on Removable Media prior to connecting the Removable Media to a high impact or medium impact BES Cyber System or associated Protected Cyber Assets.” 

          As further guidance within the Guidelines and Technical basis for Requirement R4, Attachment 1, Section 3 – Removable Media, it states: “Frequency and timing of the methods used to detect malicious code were intentionally excluded from the requirement because there are multiple timing scenarios that can be incorporated into a plan to mitigate the risk of malicious code.” 

          While this guidance and flexibility is appreciated, it also raises the question of what SERC would consider “acceptable” frequency and timing for detection of malicious code when the Removable Media may be used throughout BES and non-BES facilities.  For example, when providing support to remote facilities (e.g. substations, switchyards, etc.), it is not atypical to require use of Removable Media within multiple locations over an average workday, which each may be separately categorized as containing Medium Impact BES Cyber Systems, Low Impact BES Cyber Systems, or a non-BES facility.  As a standard practice to address this requirement, malware scanning of Removable Media may only occur at a central facility once each morning or week prior to using the Removable Media at these locations. 

          As such, we are requesting clarity from SERC regarding what would constitute sufficient mitigation controls for the Removable Media used at these facilities.  For example, if the Removable Media is scanned once each morning or week, but then used at multiple BES and non-BES facilities throughout the day, does SERC agree that this scan would suffice to meet the requirement?  Or, is the expectation from SERC that a sufficient frequency would only consist of an individual malware scan prior to use at each individual High or Medium impact BES Cyber System or BES Cyber Asset? 

          Additionally, if the specific frequency is solely up to the discretion of the entity, is it SERC’s contention that, provided an entity uses a method to detect and mitigate malicious code on Removable Media at some point prior to connecting the Removable Media to a BES Cyber Asset, the requirement is met?

          Is the answer the same for transient assets?  Particularly, how frequently do anti-virus scans need to be run … daily, before each use?  For how long is an authorization valid?

          The threat of malicious code on Removable Media shall be mitigated prior to the registered entity making a connection with a high impact or medium impact BES Cyber System or associated Protected Cyber Assets.

        • A:September 28, 2016
          CIP-010 R4:  Does the defined business function (Attachment 1, Section 1, 1.2.3) need to be identified for every executable on a Transient Cyber Asset? Can the same assumption be made from the guidance for CIP-010 R1 (…The SDT does not intend for notepad, calculator, DLL, device drivers, or other applications included in an operating system package as commercially available or open-source application software to be included)?

          At this time, this requirement does not come into effect until April 1, 2017.  Based on current understanding, the registered entity does not need to identify the defined business function for every executable on a Transient Cyber Asset.  Follow the same guidance as CIP-010-2, R1.

        • A:February 17, 2017

          A question was raised in our organization, regarding a BES Cyber Asset. Our operational team brought up the existence of a BES Cyber Asset containing a built-in tape backup, which makes the “built-in” part, not a transient device. However, the specific question is… Does the [physical] tape constitute a removable media? If so, would it require the corresponding CIP protections as stated in the guidelines and technical basis?

          Physical tape cartridges constitute Removable Media as defined in the Glossary of Terms Used in NERC Reliability Standards, as long as the physical tape resides in the tape drive for 30 consecutive calendar days or less. As defined in the NERC Glossary, Removable Media is storage media that:

          (i) are not Cyber Assets – (SERC notes the tape cartridge is not a Cyber Asset)

          (ii) are capable of transferring executable code, - (Tape is indeed capable of doing so)

          (iii) can be used to store, copy, move, or access data, and – (Tape is indeed capable of doing so)

          (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a Protected Cyber Asset. – (SERC assumes the Entity is rotating the tapes on a weekly basis.)

          As Removable Media, the physical tape cartridges are subject to the CIP protections listed in Section 3 of Attachment 1 in CIP-010-2. Assuming the tapes are being used to store backups of BES Cyber Assets (or associated EACMS or PACS), the BES Cyber System Information protections of CIP-011-2 also apply. Based on the facts presented, the registered entity’s Information Protection Program (IPP) shall explain how the registered entity secures the information during storage, transit, and use. Specifically, if the physical tape leaves the Physical Security Perimeter, the IPP must detail how the physical tape is protected against unauthorized access, misuse, and corruption, and how the registered entity protects the confidentiality of the BES Cyber System Information.
        • A:September 28, 2016
          CIP-010-2 R1.3:  When does the 30 days start for CIP-010 R1.3? Is it when a change request (what starts the change) is closed, the day changes are complete on a BES Cyber System as a whole, or when a change is complete on an individual BES Cyber Asset of a BES Cyber System?

          According to the Applicable Systems section, this requirement applies to the BES Cyber Systems and their associated EACMS, PACS, and/or PCA.  If the registered entity has made a change to a BCA in that system, then the registered entity has essentially changed part of the BCS.  Therefore, the 30 days start after the change is completed on the BCA.  Please reference page 33 of the Guidelines and Technical Basis for CIP-010-2, Requirement 1, paragraph 1.

        • A:February 1, 2017

          Our understanding is that, if a stand-alone commercially available or open-source executable program (e.g., the SSH client "PuTTY" or the third-party text editor “Notepad ++”) is copied onto the hard disk of an asset, then it has been “installed” on the asset. Because these types of programs do not go through the Windows installer, they do not show up in the Windows registry or list of installed software.

          1. When performing a 35-day baseline review of installed software, is it expected that every folder on every asset is searched for executables to compare to the baseline?
          2. Or, is it acceptable to define a folder where such software is to be placed according to a procedure, then search that folder for the review?
          3. Or, is there another recommended practice?
          4. How should stand-alone commercially available or open-source executable programs that reside on removable media that gets inserted into a BCA be handled? (i.e., Which CIP-010-2 and CIP-007-6 requirements apply to the programs on removable media?) Note, this question is not referring to cases where the program is to be copied onto the asset (“installed”) but rather used temporarily directly from the removable media.

           

          1. A registered entity must monitor the baseline of installed software for unauthorized changes at least once every 35 days. The registered entity must first properly identify and document software that makes up each baseline. Typically, most executables are put in place by the operating system or other installed software without individual approval of each executable. As such, these individual executable files are part of the software documented in the baseline and do not require additional documentation on the baseline configuration. For this reason, SERC expects the registered entity to develop its baseline and monitor for changes as required. Depending on system configuration, it may require in depth system analysis as part of CIP-010-2 R2.1 compliance efforts.
          2. A procedure mandating the use of a single specific folder for intentionally added standalone executables, including monitoring that folder’s contents for changes every 35 days, would not be an acceptable practice for detecting changes to standalone executables. However, the registered entity could deploy internal controls to support the monitoring requirement and to ensure only executables are added to the identified directory. In addition, the registered entity must maintain evidence to demonstrate that the controls are operating sufficiently.
          3. SERC has completed limited CIP V5 Audits and has no lessons learned to share at this time.
          4. Programs residing on removable media are not “installed on” the Cyber Asset; and thus, are not required to be documented as part of any baseline. However, as a good security practice, SERC recommends specifically authorizing use of such programs, whether documented in the baseline configuration or elsewhere.
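          Because a standalone executable copied anywhere on the disk is "installed" (point 2 above rules out watching a single folder), a practical 35-day review inventories executables across the whole asset by content rather than by the Windows installed-programs list. The following is an added example, not SERC, NERC or any entity's code: it identifies executables by their PE (`MZ`) or ELF file header, hashes them, and diffs the result against a documented baseline. The directory tree, file names, baseline entries and the choice of SHA-256 are constructed assumptions for illustration.

```python
"""Inventory executables on a Cyber Asset by content (file magic + SHA-256) and diff
the result against the documented CIP-010-2 R1 software baseline.  Added example,
not SERC or NERC code; the directory tree, file names and baseline are constructed."""
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")   # PE (Windows) and ELF (Linux) headers


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def is_executable(path):
    """Classify by header bytes, not extension, so a renamed binary is still caught."""
    with path.open("rb") as fh:
        return fh.read(4).startswith(EXECUTABLE_MAGIC)


def inventory(root):
    """Return {relative_path: sha256} for every executable anywhere under root,
    so a standalone binary dropped into an arbitrary folder is still seen."""
    root = Path(root)
    found = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_executable(path):
            found[path.relative_to(root).as_posix()] = sha256(path.read_bytes())
    return found


def diff_baseline(baseline, current):
    """Added = on disk but not baselined; removed = baselined but gone;
    changed = same path, different content (a silent replacement)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


# Constructed demonstration tree and baseline (not real software).
DEMO_FILES = {
    "bin/app.exe": b"MZ" + b"app v1",        # baselined and unchanged
    "bin/svc.exe": b"MZ" + b"svc v2",        # baselined at v1, replaced without a ticket
    "tools/putty.exe": b"MZ" + b"putty",     # standalone binary copied in, never baselined
    "notes/readme.txt": b"plain text",       # not an executable, ignored
}
DEMO_BASELINE = {
    "bin/app.exe": sha256(b"MZapp v1"),
    "bin/svc.exe": sha256(b"MZsvc v1"),
    "bin/old.exe": sha256(b"MZold"),         # documented but no longer on the asset
}


def run_demo():
    """Materialise the constructed tree in a temp directory and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in DEMO_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return diff_baseline(DEMO_BASELINE, inventory(tmp))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:8s} {paths}")
```

          Each "added" or "changed" path needs either a change ticket that authorized it or an investigation; each "removed" path is a baseline correction. Retaining the dated inventory files themselves is the evidence that the 35-day monitoring actually ran.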
        • A:10/16/2015
          How should the registered entities consider SERC’s PEI process in their CIP-011 Information Protection Program?
          The registered entity should ensure its own internal processes are followed for labelling sensitive information before providing it as evidence to SERC.  We recognize that the individual entities’ data handling procedures will not always mirror those required by the SERC PEI transfer process.  In these cases, SERC will not penalize the entity for failure to follow their own data protection policy if the entity follows the data transfer processes established by SERC.  We also will not expect the entity to track SERC’s retention and eventual destruction of entity data.
        • A:10/7/2014

          If the term "widespread" is removed from CIP-014, what criteria is NERC expecting Registered Entities to use?

          Registered Entities will be expected to apply the criteria that are issued with the release of FERC’s Final Rulemaking.  However, the Final Rule may not only remove the term “widespread” but also may include additional changes and language that further clarifies FERC’s intent; so read it very carefully.

        • A:3/18/2014

          In regards to the new physical security standard that is being drafted, critical transmission facilities will be in scope of regulation.  Will generation facilities deemed as critical be subject to the new physical security standard?

          Because the Physical Security Standard is still in development, SERC staff does not know if generation Facilities will be subject to the new Standard.  SERC staff notes that information about the development of the Physical Security Standard can be found on NERC’s website at: 

          http://www.nerc.com/pa/Stand/Pages/Project-2014-04-Physical-Security.aspx 

          SERC staff encourages interested Registered Entities to participate in the development process for the Physical Security Standard and to provide comments to NERC detailing any concerns or suggestions for improvement.

        • A:6/15/2016

          Description of the Violation, Issue, or Trend

          NERC recently distributed a memorandum to the regions regarding the handling of CIP-014 evidence information. Per the instructions, SERC will be conducting all reviews of CIP-014 while onsite at TOs and TOPs. SERC will also fill out the RSAW while onsite during the review, with no pre-audit preparation by the entity. SERC will not collect from the entity or store on its PEI server any of the following:

          1. Any registered entity-provided evidence used to demonstrate compliance with CIP-014 from the Transmission Owner’s or Transmission Operator’s site

          a. An entity’s list of critical substations developed under Requirement R1

          b. Documentation of the entity’s vulnerability evaluation developed under Requirement R4

          c. Documentation of the entity’s security plan developed under Requirement R5

          2. CIP-014 Reliability Standard Audit Worksheets (RSAWs) containing entity provided evidence

          3. Any auditor notes describing the whereabouts of critical substations or any other entity-provided evidence from the Transmission Owner’s or Transmission Operator’s site.

          CIP-014 information that will be stored on the SERC PEI server for the next 7 years, along with other audit evidence, may include the following:

          1. Auditor notes that describe the ERO Enterprise’s process for conducting the audit

          2. Documents (or other evidence) reviewed during the CMEP activity and their location

          3. Reliability Standard Audit Worksheets (RSAWs) that do not contain entity provided evidence

          4. Evaluated findings

          5. Evidence in the ERO Enterprise’s possession as a result of CMEP activities performed for other Reliability Standards, such as the cybersecurity-related Critical Infrastructure Protection Reliability Standards (CIP-002 through CIP-011) and Transmission Planning (TPL) Reliability Standards

        • A:7/15/2015

          Does the scope of a registered entity’s obligation to perform an initial risk assessment under CIP-014 R1 extend only to the Transmission stations and Transmission substations that it owns?  From a plain reading of the first sentence of R1, that appears to be the case:

          “Each Transmission owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1.” 

          The word “its” in R1 seems to make clear that a Transmission Owner need only include in its risk assessment those Transmission stations and Transmission substations that it owns.  This is further supported by the language in Applicability Section 4.1.1, which makes clear that the Reliability Standard applies to a “Transmission Owner that owns a Transmission station or Transmission substation that meets any of the following criteria.”  Given that CIP-014 would not apply to a Transmission Owner that did not own a Transmission station or Transmission substation, it is a fair reading that CIP-014 R1 would not require a Transmission Owner to include in its assessment Transmission stations/substations that it does not own.

           For example, if a registered entity owns transmission facilities that are located within Transmission stations/substations that are owned by neighboring utilities, does the registered entity need to include the Transmission stations/substations in its risk assessment under CIP-014 R1?  

          The Applicability section 4.1.1 of CIP-014-1 states that the standard applies to a “Transmission Owner that owns a Transmission Station or Transmission substation that meets any of the following criteria: . . .” and this concept is further reinforced by the language in R1 as noted.

          However, ultimate compliance responsibility could be impacted by existing mutual agreements, Coordinated Functional Registration (CFR) agreements, Joint Registration Organization (JRO) agreements, delegation agreements, memorandums of understanding (MOU), or contractual arrangements. Where none exist or where none specifically address compliance responsibility, it is highly recommended that registered entities include language in a formal agreement to clearly address compliance responsibility to avoid any confusion or misunderstanding between the two registered entities who share an impacted site.

          See NERC Compliance Public Bulletin #2010-004

        • A:6/25/2014
          I am a contractor following the development of the CIP-014 Standard. We’re reaching out to each of the NERC Regions to determine what qualifications, if any, the RE may have for Requirement 2 of the Standard, which specifies an independent third party verification of the risk assessment (R1).  Does SERC have a formal or informal process regarding approved third parties? We have also developed a study methodology to perform the risk assessment based on our industry experience with performing impact analysis that we’d like to receive feedback/opinions on.

          SERC conducts a number of outreach and training activities to keep Registered Entities apprised of new and revised NERC Reliability Standards. SERC does not, however, instruct Registered Entities on how to be compliant. SERC also does not review or give feedback on methodologies or processes to consulting firms concerning Reliability Standards.  Participation in SERC outreach events is open to employees and representatives of organizations listed on the NERC Compliance Registry within the SERC Region.

        • A:October 18, 2016
          CIP-014:  If an entity makes changes to its physical security plan, including changes to any mitigating activities included within the plan, should the entity conduct another third party review?

          Based on the Guidelines and technical basis (page 32 of 36), the requirement was designed for a third party to review and evaluate/develop the security plan. If an entity changes the plan from what was initially reviewed, SERC would expect a third party to perform an evaluation. Reference the Rationale for Requirement 6, which also references the FERC directive requiring reviews by an entity other than the owner or operator.
        • A:11/16/2016
          CIP-014 R1 requires that registered entities perform subsequent risk assessments every 30 calendar months. Is it required that a third party verify our analysis each time (R2)?  Also, is it required that R3, R4, R5 and R6 be performed subsequently once every 30 calendar months also?

          The language of R2 states “the risk assessment performed under Requirement R1.” That covers both the initial and subsequent risk assessments. A third party verification is required for each risk assessment performed.
           
          Requirements R3-R6 have some interdependencies. For example, entities should perform R3 each time. Entities should also perform R4 as there could be a change in one of the existing stations. R5 would not have to be re-done if there are no changes, but it should be reviewed and documented in the revision history to that effect. R6 would also be required if there are R4 and R5 changes, but would not be required if there are no R4 and R5 changes.

        • A:12/1/2015
          For COM-001-2, are cell phones and landlines considered separate infrastructures?

          Yes. 

          In addition, do you have to have a coordinated test with your neighbor; or can you test your own equipment?

          No, a documented test call for each is sufficient evidence of testing.

        • A:8/17/2016
          Does losing the ability to place outgoing long distance calls constitute a "failure" of Interpersonal Communication capability within the meaning of COM-001-2 R10 when all other means of Interpersonal Communication capability (such as receiving internal and external local calls, receiving long distance calls, and placing internal and external local calls), as well as all Alternate Interpersonal Communications capabilities, remain?

          As long as non-suffering entities are able to contact the suffering entity via the Primary Interpersonal Communication capability, there is no failure.

        • A:September 13, 2016
          Description of the Violation, Issue, or Trend
          An entity that is required to maintain control center functionality and communications capability as a Reliability Coordinator and Balancing Authority maintains an IT staff position in its control center at a System Operator console on a 24x7 basis. The IT person is also certified as a System Operator and has the same access and training on all EMS and SCADA applications as the on-shift System Operators.

          Risk Considerations
          Loss of EMS, SCADA, and other application tools affects the System Operators’ ability to manage real-time operations. These systems are vital to the oversight provided by the Reliability Coordinator and Balancing Authority functions.

          Description of Mitigation Activity
          Staffing the control center 24x7 with an IT person that is also a System Operator allows quick response to loss of EMS, SCADA, and other applications that affect system visibility for real-time System Operators.

          Other Factors or Comments
          Staffing an IT person in the control center 24x7 is excellent.  Staffing an IT person certified as a System Operator gives that person insight and knowledge of the systems and information and how they are used to maintain the reliability of the bulk electric system.

        • A:October 18, 2016
          COM-002-4: Can an entity categorize operating instructions into non-emergency and emergency operating instructions?

          During a declared state of emergency, are all operating instructions considered an emergency operating instruction or just the ones related to the emergency?

          Will non-emergency operating instructions be treated differently than emergency operating instruction during an audit / require higher level of documentation?

          What is SERC / NERC doing to ensure consistency across the regions in what is considered an emergency? What guidance have they given the different regions’ auditors for how to apply this standard?

          Although not explicitly defined, Emergency Operating Instruction (OI) is a combination of two NERC defined terms. Only OIs related to an Emergency are considered an Emergency OI. From an audit perspective, an Emergency OI and an OI will be treated the same. The VRF for an Emergency OI increases. Emergency is a NERC defined term.

        • A:March 1, 2016
          Regarding COM-002-4, R3: To clarify, is R3 mandating that all field personnel (switchman, technicians, union employees, contractors) are required to take the three-part communication training?  This would include administering, documenting, tracking, etc.  Our field personnel that would normally carry-out the actual Operating Instruction in a switchyard or sub-station, if it has to be done manually, are often union employees, and sometimes contractors, that are not employed by our company. This would be a rather arduous task and something we have not done in the past. We already use three-part communication; and currently, when a dispatcher is giving a field person an Operating Instruction, we require that the person in the field repeat back the instruction. As of July 1, 2016, must we have a complete training and tracking program in place for the field personnel mentioned above?

          Any operating personnel who can receive an oral two-party, person-to-person Operating Instruction must receive initial training prior to receiving an Operating Instruction (no retraining requirement).  If the personnel have been previously trained to use three-part communications that matches the COM-002-4 protocol, this training would meet the requirement and would have to be sufficiently documented. 

        • A:12/10/2015
          Under COM-002-4 R4 each RC, BA, and TOP is required to annually assess each of their personnel that issue operating instructions for adherence to their communication Protocol developed under R1. The Communication Protocol completion and operating personnel training on the Communication Protocol is required on or before June 30, 2016.

          Q: When does the initial assessment under R4 have to be performed?

          • July 1, 2016
          • December 31, 2016
          • July 1, 2017
          • Other, please explain

          The protocol should be in place by July 1, 2016. All operators that issue or receive Operating Instructions (OI) should be trained before issuing or receiving an OI. Operators that are trained on the COM-002-4 protocol prior to implementation meet the requirements of R2 and R3.

          The assessment should be completed by July 16, 2017 and within every 12 months thereafter. The assessment is not specifically an individual assessment, and the assessment methodology is left to the registered entity. One approach might be to assess each outage for adherence. Although somewhat burdensome, this approach would likely catch all operators at different times of the day. Another approach could be to document a specific time frame such as “x number of minutes per week during peak hours will be reviewed.” This approach would, most likely, catch each operator. It would also allow for the development of statistical data. That documentation would point out the percentage of adherence so that training could be brought in when irregularities are detected (perhaps an operator was determined to be using the protocols only 85% of the time). In the case where an operator did not issue or receive an OI or the sampling did not include an operator, simulation/training could be used and documented for an assessment of that individual.
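          The sampling approach described above (reviewing a fixed number of peak-hour minutes per week, computing each operator's adherence percentage, and falling back to a simulation-based assessment for any operator the sample misses), as an added Python example that is not part of SERC's answer or of any SERC tool. The review slots, the 90% retraining trigger, the log format and the operator names are constructed assumptions.

```python
"""Sampling-based COM-002-4 R4 adherence assessment (added example, hypothetical).

Assumptions, none of which come from the SERC answer:
- every oral Operating Instruction (OI) is already logged as
  '<ISO timestamp>,<issuing operator>,<yes|no>' where yes/no records whether
  the three-part protocol (repeat-back + confirmation, or a reissue request)
  was used;
- the documented sampling plan is two 30-minute slots per week inside peak
  hours, i.e. "60 minutes per week during peak hours will be reviewed";
- an operator below ADHERENCE_THRESHOLD is flagged for training, and an
  operator with no sampled OIs is flagged for a simulation/training assessment.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Iterable, List, Tuple

# Constructed weekly review slots: (ISO weekday, start, end), all in peak hours.
REVIEW_WINDOWS: List[Tuple[int, time, time]] = [
    (2, time(9, 0), time(9, 30)),    # Tuesday  09:00-09:30
    (4, time(15, 0), time(15, 30)),  # Thursday 15:00-15:30
]
ADHERENCE_THRESHOLD = 0.90  # hypothetical internal trigger for retraining


@dataclass(frozen=True)
class OIRecord:
    """One logged oral, two-party Operating Instruction exchange."""
    when: datetime
    operator: str        # operator who issued the OI
    protocol_used: bool  # repeat-back confirmed, or reissue requested


def parse_oi_log(lines: Iterable[str]) -> List[OIRecord]:
    """Parse the constructed log format; blank lines and '#' comments are ignored."""
    records = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        stamp, operator, used = (field.strip() for field in line.split(","))
        records.append(OIRecord(datetime.fromisoformat(stamp), operator,
                                used.lower() == "yes"))
    return records


def in_review_window(when: datetime, windows=REVIEW_WINDOWS) -> bool:
    """True if the OI falls inside one of the documented sampling slots."""
    t = when.time()
    return any(when.isoweekday() == day and start <= t < end
               for day, start, end in windows)


def assess_adherence(records: Iterable[OIRecord], operators: Iterable[str],
                     windows=REVIEW_WINDOWS,
                     threshold: float = ADHERENCE_THRESHOLD) -> Dict[str, dict]:
    """Per-operator assessment over the sampled slots.

    Every operator who issues OIs is listed, so anyone the sample did not
    catch is explicitly flagged for a simulation/training assessment rather
    than silently omitted from the annual R4 record.
    """
    sampled = [r for r in records if in_review_window(r.when, windows)]
    report: Dict[str, dict] = {}
    for op in sorted(operators):
        mine = [r for r in sampled if r.operator == op]
        if not mine:
            report[op] = {"sampled": 0, "adherence": None,
                          "status": "not sampled - assess via simulation"}
            continue
        rate = sum(r.protocol_used for r in mine) / len(mine)
        report[op] = {
            "sampled": len(mine),
            "adherence": round(rate, 2),
            "status": "adherent" if rate >= threshold else "training needed",
        }
    return report


# Constructed one-week log: Tue 2016-07-05 and Thu 2016-07-07 (hypothetical).
SAMPLE_LOG = """
# timestamp,operator,three_part_used
2016-07-05T09:05:00,OPER_A,yes
2016-07-05T09:12:00,OPER_A,yes
2016-07-05T09:20:00,OPER_B,yes
2016-07-05T09:25:00,OPER_B,yes
2016-07-05T11:40:00,OPER_C,no     # outside both review slots, not sampled
2016-07-07T15:02:00,OPER_A,yes
2016-07-07T15:10:00,OPER_A,no
2016-07-07T15:20:00,OPER_B,yes
2016-07-07T15:28:00,OPER_B,yes
"""
ALL_OPERATORS = ["OPER_A", "OPER_B", "OPER_C"]

if __name__ == "__main__":
    records = parse_oi_log(SAMPLE_LOG.splitlines())
    for op, result in assess_adherence(records, ALL_OPERATORS).items():
        print(op, result)
```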

        • A:12/1/2015
          There was a general discussion around applicability of COM-002-4 R6 to the GOP/DP functions and the acceptable evidence to demonstrate compliance to the requirement.

          COM-002-4
          Purpose:
          To improve communications for the issuance of Operating Instructions with predefined communications protocols to reduce the possibility of miscommunication that could lead to action or inaction harmful to the reliability of the Bulk Electric System (BES).

          R6.     Each Balancing Authority, Distribution Provider, Generator Operator, and Transmission Operator that receives an oral two-party, person-to-person Operating Instruction during an Emergency, excluding written or oral single-party to multiple-party burst Operating Instructions, shall either: [Violation Risk Factor: High][Time Horizon: Real-time Operations]

          • Repeat, not necessarily verbatim, the Operating Instruction and receive confirmation from the issuer that the response was correct, or
          • Request that the issuer reissue the Operating Instruction.

          M6.   Each Balancing Authority, Distribution Provider, Generator Operator, and Transmission Operator that was the recipient of an oral two-party, person-to-person Operating Instruction during an Emergency, excluding oral single-party to multiple-party burst Operating Instructions, shall have evidence to show that the recipient either repeated, not necessarily verbatim, the Operating Instruction and received confirmation from the issuer that the response was correct, or requested that the issuer reissue the Operating Instruction in fulfillment of Requirement R6. Such evidence may include, but is not limited to, dated and time-stamped voice recordings (if the entity has such recordings), dated operator logs, an attestation from the issuer of the Operating Instruction, memos or transcripts.

          Time Horizon: Real-time Operations
          VRF: High
          Violation Severity Levels:
          • Lower VSL: N/A
          • Moderate VSL: N/A
          • High VSL: The responsible entity did not repeat, not necessarily verbatim, the Operating Instruction during an Emergency and receive confirmation from the issuer that the response was correct, or request that the issuer reissue the Operating Instruction when receiving an Operating Instruction.
          • Severe VSL: The responsible entity did not repeat, not necessarily verbatim, the Operating Instruction during an Emergency and receive confirmation from the issuer that the response was correct, or request that the issuer reissue the Operating Instruction when receiving an Operating Instruction AND instability, uncontrolled separation, or cascading failures occurred as a result.


          As written, R6 is only applicable to the DP/GOP in cases of an Emergency Operating Instruction. As illustrated during the 2015 Fall Compliance Seminar, however, a routine Operating Instruction may become an Emergency Operating Instruction while the Operating Instruction is being executed. In that case, the failure to use the protocol when receiving the Operating Instruction becomes a violation of R6 with a Severe VSL. Most shops already use three-part communications, whether or not a local procedure requires it. Using three-part communications in every instance of receiving an Operating Instruction simply makes good business sense and is demonstrative of a Culture of Compliance.

          From the RSAW
          Evidence Requested:
          Dated operator logs, voice recordings, memos, or transcripts, or other evidence (per M6) describing the registered entity’s response to Operating Instructions received during an Emergency selected by the auditor.

          Auditors will look for several things in regards to this Standard for the DP/GOP. First will be that DP/GOP personnel have been trained as prescribed in R3, demonstrated by attendance records, training materials, agendas, etc. Second will be that DP/GOP personnel have used the established communication protocol when receiving an Emergency Operating Instruction. This can be demonstrated with date/time-stamped voice recordings (if the entity has such recordings) or transcripts thereof, dated operator logs, an attestation from the issuer of the Operating Instruction, memos, etc. Since the issuer is required to assess its own protocol, it is likely that a recording of the Operating Instruction already exists. This requirement does not require the DP/GOP to install any recording equipment.

        • A:10/30/2013

          How much detail should a letter of attestation contain concerning experiencing a capacity or energy deficiency requiring the Reliability Coordinator to initiate an Energy Emergency Alert in accordance with Attachment 1 of EOP-002-2.1; i.e., should it include how much capacity and energy was needed to satisfy the times and what necessary arrangements were made or would be made by them in a capacity deficiency situation?

          SERC does not ask for attestations concerning capacity or energy deficiencies requiring a Reliability Coordinator (RC) to initiate an Energy Emergency Alert in accordance with Attachment 1 of EOP-002-3.1. SERC will ask for the pertinent information regarding any declared EEAs either in Attachment A of the Audit Certification Letter (issued no later than 90 days prior to the audit) or in a subsequent data request to an RC from which the audit team will review for compliance of EOP-002-3.1 R8 during its Pre-Audit Document review process. This Pre-Audit review may result in a second data request if further clarification is needed from the Registered Entity to demonstrate compliance with the Requirement. The information requested will not be in the form of an attestation, but rather, documents and evidence to describe the circumstances involved in any EEAs declared by the RC. If a Registered Entity has not had any declared EEAs over the audit period, an attestation could be provided to clearly state that there have NOT been any EEAs, which is used as support in the absence of any other evidence of compliance. NOTE: Attestations are only accepted by SERC as proof of a negative (no emergency event, no SPS’s, no disturbance events, etc.).

        • A:9/30/2014

          This is regarding EOP-004 reporting and suspicious activity.  Does SERC have any guidance as to what constitutes suspicious activity, or is the recommendation to let the Registered Entity specify what is reportable?

          The Registered Entity determines what is reportable as suspicious activity.  SERC Regional Criteria for Event Reporting is an applicable document, but no recommendations are provided.

        • A:10/30/2013

          Re: EOP-004, in the event that a standard is applicable to multiple functional entities, is a separate report required on behalf of each RE for the same event?

          No. From Page 13 of the standard: "Multiple Reports for a Single Organization

          For Registered Entities that have multiple registrations, the Disturbance and Sabotage Reporting Standard Drafting Team intends that these Registered Entities will only have to submit one report for any individual event. For example, if a Registered Entity is registered as a Reliability Coordinator, Balancing Authority and Transmission Operator, the Registered Entity would only submit one report for a particular event rather than submitting three reports as each function."

        • A:January 4, 2017
          If a TOP experiences a complete loss of monitoring capability affecting their BES control center for 30 minutes or more, would their RC and BA, assuming each entity is a separate corporate entity, be required to submit a report for this event too, even if their monitoring capability was not affected?

          If the RC or BA did not experience the loss of monitoring capability affecting the BES control center for more than 30 minutes (and there are no contractual obligations, for example a JRO or CFR), they would have no reporting obligation. The only registered entity obligated to file a report would be the affected entity. However, if the RC or BA is dependent on information delivered by the failed monitoring system, they would also have a reporting obligation. Upon notification, the RC would be obligated to post the event on RCIS.

        • A:3/18/2014

          Is the “review only” approach acceptable for small Distribution Providers for EOP-004-2 R1 and R3?

          Distribution Providers (DPs) that do not meet the “Threshold for Reporting” for any event listed in Attachment 1 will not have any reports to submit under Requirement R2. However, these DPs will be responsible for meeting Requirements R1 and R3. These DPs may have a very simple Operating Plan that includes a statement that there are no applicable events in Attachment 1 (to meet R1) and that the DP will review the list of events in Attachment 1 each year (to meet R3).

        • A:3/18/2014

          EOP-004-2 R3 requires that Registered Entities validate all contact information each calendar year.  Attachment 2 lists the NERC phone number and email address.  SERC Regional Criteria - Events Reporting lists the SERC email and phone number.  Does SERC want each Registered Entity to call these numbers annually to verify they have not changed?  What is a best practice to “validate” a phone number?

          The measure for this Requirement states:  "Each Responsible Entity will have dated records to show that it validated all contact information contained in the Operating Plan each calendar year. Such evidence may include, but are not limited to, dated voice recordings and operating logs or other communication documentation."

          The rationale for this Requirement states in part:  “If an entity experiences an actual event, communication evidence from the event may be used to show compliance with the validation requirement for the specific contacts used for the event.”

          It may not be necessary to make a call to specifically validate a number used in the procedure.  For example, a phone number used in routine communication may be validated by evidence that it is the same number used in the procedure.  Where a phone number is published in another entity’s procedure or on a website and updated routinely, it may be validated by evidence from that procedure or a screenshot from that website.

        • A:2/27/2013

          EOP-005 R2 requires Registered Entities to have a restoration plan that identifies black start facilities and cranking paths, etc. How does this apply to Registered Entities with no black start capabilities that will not be restored from black start units and are restored later in the plan, after frequency and voltage become stable?

          If a Registered Entity has no black start units or Cranking Paths, there won't be any identified in the plan. However, the Registered Entity must still have a restoration plan, which should document that there are no black start units or Cranking Paths.

        • A:8/21/2014

          In the ‘Applicability’ section of NERC Reliability Standard EOP-005-2 (System Restoration from Blackstart Resources), section 4.1 lists Transmission Operators (TOP). Does the EOP-005-2 apply to all TOPs or only to TOPs that have Blackstart Resources within their footprint?

          Applicability section 4.1 is applicable to all Transmission Operators (TOPs).

          Requirement R1 states:

          R1 - Each Transmission Operator shall have a restoration plan approved by its Reliability Coordinator. The restoration plan shall allow for restoring the Transmission Operator's System following a Disturbance in which one or more areas of the Bulk Electric System (BES) shuts down and the use of Blackstart Resources is required to restore the shutdown area to service, to a state whereby the choice of the next Load to be restored is not driven by the need to control frequency or voltage regardless of whether the Blackstart Resource is located within the Transmission Operator's System. The restoration plan shall include: R1.1-R1.9.

          Each TOP should have a restoration plan approved by its Reliability Coordinator (RC). If a TOP does not have a Blackstart Resource in its area, the plan should show cranking paths and initial switching requirements between the affected TOP and an adjacent TOP that has a Blackstart Resource, so that the affected TOP can restore its system and reestablish connection with other TOPs.

          Any changes that affect an established restoration plan will require the TOP to update the restoration plan and submit it to its Reliability Coordinator (RC) within 90 days for approval, per Requirement 4.1.

        • A:2/27/2013

          System Operators normally pick up no more than 5% of the current system load at a time to avoid large frequency swings and the tripping of units that are online.  Would this need to be verified through steady state and dynamic simulation?

          Picking up no more than 5% of current system load is common practice and a good way to control voltage and frequency, but it is not part of this Requirement’s criteria. However, choosing to verify this through simulations is fine.

        • A:2/27/2013

          Simulations performed in the EMS have difficulties energizing long transmission lines and starting some units due to the way these elements are modeled in the simulation.   Also, TOP restoration plans most of the time specify for the dispatch of field personnel to black start sites, to substations to open breakers, and to report station status.  The TOP can only estimate this time, so what basis does this need to have in the simulation?

          It is fine to estimate these things as best and realistically as possible. 

        • A:2/27/2013

          To which Requirements do companies plan to apply dynamic simulations? Will it only be R6.1 or all of them?

          Dynamic simulation is one of the methods of verification of the plan. It can be applied to all of the sub-requirements.  It's up to the company.  (Also see other responses to these requirements.)

        • A:2/27/2013

          It seems the intent of Transmission Operator (TOP) restoration plans would include black start, off-site power to nuclear plants and control centers, providing offsite power to CT and coal plants, picking up critical customer loads, synchronizing internal islands, and synchronizing with the Interconnection. Do all these elements need to be simulated to achieve compliance with R6? What does a dynamic simulation need to consist of? Would this be a dynamic stability analysis, a scripted PSSE power flow solution, or a combination of several analyses? To what extent do the steady state and dynamic simulations need to show the TOP restoration plans' intended function? Would taking the simulation to the point where off-site power is restored to nuclear plant switchyards and those unit auxiliary loads are energized be sufficient, without taking the simulation to the point of the units actually being started? Do other fossil units in the TOP restoration plan need to show their auxiliary loads modeled and unit started in order to show the ability to energize lines, pick up load, and be able to control frequency and voltage within a tolerance?

          Verify, through at least one of the three analysis tools in the Requirement, that the restoration plan accomplishes its intention. Any analysis used to support satisfaction that the plan works as intended is acceptable as long as it satisfies the Requirement and all sub-Requirements. Taking the simulation to the point where off-site power is restored to the nuclear plant is fine. However, to satisfy R6.3, other generating resources will have to be online to control voltage and frequency within acceptable operating limits. Each restoration plan is obviously different. Take the verification of the restoration plan as far along as needed to establish that the plan accomplishes its intent and satisfies the Requirement and sub-Requirements.

        • A:2/27/2013

          Many TOP restoration plans include multiple islands, with options, and paths to pursue since it is unknown where the restoration will begin due to damage from a storm, sabotage, etc.  For instance, several best option starting points are detailed in the restoration plan; and are outlined step-by-step to the point where off-site power to nuclear plants is restored.  Then the plan goes into more generic guidance to energize the 115 kV, 230 kV, and 500 kV systems in loops to establish stability and pick up load; and then eventually, gets to guidance on synchronizing islands and tying with neighbors.  How many different islands or options must be simulated?  Does the simulation need to include all possible black start sites?  If a TOP restoration plan has multiple black start units with multiple possibilities of places to start from and end up, is it ok to exercise just one of these options or do all possibilities need to be exercised in the simulation? 

          Each system is different. Larger TOPs have a bigger footprint and therefore more options. It is up to the TOP as to how many islands, options, black start units, and simulations are needed to verify that the plan will accomplish its intended function. You have a vested interest in having a successful plan that sufficiently meets your needs. Your documentation should reasonably tell the story of compliance: that your restoration plan will work when needed.

        • A:2/24/2015

          EOP-005-2 R9 requires each TOP to have “Blackstart Resource testing requirements to verify that each Blackstart Resource is capable of meeting the requirements of [the entity’s] restoration plan,” and R9.1 indicates that the  registered entity’s testing requirements must ensure that, at a minimum, “each Blackstart Resource is tested at least once every three calendar years.” EOP-005-2 R16 then states that GOPs with Blackstart Resources shall perform Blackstart Resource tests “in accordance with the testing requirements set by the TOP to verify that the Blackstart Resources can perform as specified in the restoration plan.”

          QUESTION: If an entity's restoration plan includes testing requirements that provide for testing of each Blackstart Resource more frequently than once every three calendar years, will the entity be audited to the testing timeline specifications in its restoration plan or to the "at least once every three calendar years" language found in the standard at EOP-005-2 R9.1?

          The short answer is that SERC audits against the criteria established in the Reliability Standards. In this case, the criterion is a minimum of three years.

          The longer answer is:

          Some Reliability Standards require the registered entity to establish a program or plan that includes certain elements. For example, FAC-003-3 R7 requires the registered entity to perform 100% of its annual work plan. In this example, the content of the work plan is flexible, but the entity will be audited against whatever it has established in its work plan. In PRC-005-1 R1, the registered entity is required to establish a maintenance and testing program that specifies maintenance and testing intervals, and registered entities are audited against whatever they justified as their intervals.

          Other Reliability Standards (or Requirements within the same Reliability Standard) establish a criterion as a threshold for compliance. Where such a criterion exists, it establishes the threshold for compliance; and the entity will be audited against the Requirement. Examples include PRC-023 R1 that sets a minimum relay trip set-point.  Registered entities may exceed that set-point without being noncompliant.  FAC-003-3 requires that 100% of applicable transmission lines receive a vegetation inspection annually.  If a registered entity establishes a more aggressive schedule for inspections in their program, it will not be found noncompliant unless it does not meet the requirement of at least once annually.

          In general, the Reliability Standards establish a minimal expectation for compliance and registered entities will often prefer to exceed those expectations.  An internal control (such as a program, process, or procedure) that exceeds the criteria established in the Requirements is encouraged as a measure to enhance, maintain, or restore reliability; but does not establish the minimal required performance when the criterion is stated in the Requirements.

        • A:12/1/2015
          Each Transmission Operator, each applicable Transmission Owner, and each applicable Distribution Provider shall provide a minimum of two hours of System restoration training every two calendar years to their field switching personnel identified as performing unique tasks associated with the Transmission Operator’s restoration plan that are outside of their normal tasks.

          The RSAW for EOP-005-2 R11 states: 
          Note to Auditor: Evidence may include, but is not limited to, a copy of training records/materials with training dates, topic, attendees and duration. Initially, entities will have two years from July 1, 2013 to execute this training.

          Registered entities may have interpreted this as "two calendar years" as stated in the requirement, which would make the "initial" training completion date December 31, 2015.

          Question:  When is the “initial” training for applicable Distribution Provider field switching personnel to be completed, by July 1, 2015 or by December 31, 2015?

          July 1, 2015, as per the implementation plan.

        • A:2/27/2013

          EOP-005-2 R11 states, “Each Transmission Operator, each applicable Transmission Owner, and each applicable Distribution Provider shall provide a minimum of two hours of System restoration training every two calendar years to their field switching personnel identified as performing unique tasks associated with the Transmission Operator’s restoration plan that are outside of their normal tasks.”   What does SERC define as unique tasks?  Please provide examples of these tasks.  How are other companies defining unique tasks?   What are the tasks identified; and what training is being, or will be, conducted?

          "Unique tasks" is actually defined in the Requirement as tasks "that are outside of their normal tasks." One example would be a substation test engineer, whose normal duties are to test relays or do EMS remote work, who is called on to do transmission line switching. Another example is a Distribution employee called on to do transmission substation or line switching.

          SERC is not aware of how other companies define "unique tasks".  Tasks identified and the particular training needed would be up to the registered entity and its needs for successful training.

        • A:2/27/2013

          If the training is self-paced and some people take less than two hours to complete, are you out of compliance?  Self-paced training is written such that the average student will take “X” amount of time. This means some take longer, and some take less time. If it is formal classroom training and some instructors can cover the required material in less than two hours, are you out of compliance?  The measurability of R17 should rest on the training content that it is given within the required two year period.

          Provided the self-paced course has been piloted and documented to be a “two-hour program”, and provided the individual successfully completes all the requirements of the two-hour program, the Registered Entity would be in compliance, no matter how long it takes the person to actually complete the training.  This applies to self-paced training only.  For instructor-led classes, the individual must have the full two contact hours every two years.  It is expected that the two hours will address not only the restoration-related tasks but also an overview of restoration principles and practices.

        • A:2/27/2013

          Can SERC provide some clarification on what they would want to see for criteria for sharing information regarding restoration with neighboring RCs and with TOPs and BAs within its RC Area? Some examples would be helpful.

          R1.7 asks what the RC is sharing and how it is sharing or communicating that information with its neighboring RCs and with the TOPs and GOPs in its RC Area. Show evidence of what you have shared and that the sharing has been, and is being, done to prove compliance.

        • A:9/30/2014

          This is relative to EOP-006-2 R2 and R3 that state:
          R2. The Reliability Coordinator shall distribute its most recent Reliability Coordinator Area restoration plan to each of its Transmission Operators and neighboring Reliability Coordinators within 30 calendar days of creation or revision.

          R3. Each Reliability Coordinator shall review its restoration plan within 13 calendar months of the last review.

          Is a review of the restoration plan that has no changes but is documented in the Revision History of the plan, such as going from Version 1 to 1a, considered a revision that has to be distributed to its TOPs and neighboring RCs within 30 calendar days?

          Yes, the TOPs and RC need to know that the plan was reviewed and that there were no changes.

        • A:October 18, 2016
          How does SERC interpret the expectations of the industry related to the GMD Executive Order?

          SERC will continue to audit EOP-010-1 as currently approved by FERC.

        • A:5/9/2014

          FAC-003-1 has never been applicable to our Registered Entity. Our Registered Entity does not own or operate any transmission lines at 200 kV and above. Our Registered Entity also did not have any lower voltage lines designated by SERC as critical to the reliability of the electric system in the region.

          With the upcoming effective date of FAC-003-3 of July 1, 2014, our Registered Entity would like updated confirmation that our Registered Entity’s lower voltage lines are not designated by SERC as critical to the reliability of the electric system in the region.  If possible, we would like such confirmation by return e-mail for our permanent compliance record filing.

          The applicability of FAC-003 changes when version 3 goes into effect.  FAC-003-3 is applicable to “Transmission Owners that own Transmission Facilities defined in 4.2.”  Section 4.2 includes “[e]ach overhead transmission line operated below 200 kV identified as an element of an IROL under NERC Standard FAC-014 by the Planning Coordinator” (see 4.2.2).  FAC-003-3 is also applicable to Generator Owners with lines that meet the requirements of section 4.3.  Section 4.3 also places the determination of applicability with the Planning Coordinator.

          Please contact your Planning Coordinator to determine whether your Facilities are applicable under FAC-003-3.

        • A:3/18/2014

          Does SERC staff have specific expectations regarding the timeliness of ratings changes in field being reflected in planning and EMS models (particularly for downgraded ratings)?

          [REF Recommendation: Be aware of associated PRC-023 “official ratings analysis” compliance.]

          No, there is not a hard timeline for updating the affected systems.  However, a Registered Entity should have a process in place to update its tools and systems with new information when changes in the field occur. 

        • A:3/18/2014

          In regards to GO/GOP Registered Entities, the FAC-008-3 generators’ facility ratings are never requested. They are never electrically limited but mechanically limited. Has SERC staff recommended to NERC that this standard should not apply to generating units, since the rating of the largest prime mover is never attained?

          No, this Standard applies to both transmission and generation.  Generation facility ratings are requested for audit if this Standard is identified in the audit scope.  Some generation facilities are electrically limited. Further, there are several new Standards being approved that will also require generation facility ratings.

        • A:6/3/2016
          Description of the Violation, Issue, or Trend

          Entities of various sizes in SERC and the other regions are finding significant instances of noncompliance with FAC-009-1 R1/FAC-008-3 R6. Some of the instances date back prior to June 18, 2007 while others occurred after that date. In some cases the noncompliance is a result of incorrect calculations and in other cases the noncompliance is a result of not identifying the most limiting element.

          Risk Considerations
          These violations typically pose a moderate risk to the bulk power system.

          Description of Mitigation Activity
          Implementation of additional internal controls and training are typically included in the mitigating activities.

          Other Factors or Comments
          Ineffective change management for Facility Ratings has been a significant contributing factor.

        • A:2/24/2015

          Under FAC-008-3, R8.2, who specifically may request this data from the TO?
          a. Which functional entities may request this data?

          As stated in FAC-008-3 R8, each TO (and GO subject to R2) shall provide requested information to RC(s), PC(s), TP(s), TO(s) and TOP(s).
          b. What does “under the requestor’s authority” mean? (i.e., Could this include adjacent entities?)

          Facilities under the requestor’s authority refers to Facilities within the RC(s), PC(s), TP(s), TO(s) or TOP(s) area of operational or planning responsibility.

          Per FAC-014-2 R5.3, it is the PC’s responsibility to provide System Operating Limits, which include facility ratings, to adjacent PCs and TPs, TSPs, TOPs, and RCs within its PC area.

        • A:March 1, 2016
          INT-006-4 Requirement 1 states that, “Each Balancing Authority shall approve or deny each on-time Arranged Interchange or emergency Arranged Interchange that it receives and shall do so prior to the expiration of the time period defined in Attachment 1, Column B.”  If an entity utilizes electronic tagging for interchange requests, does an E-Tag that automatically changes to an “Expired” state demonstrate compliance with this requirement?  In this instance, the E-Tag is not actively approved or denied by the entity’s scheduling personnel, but automatically changes to an expired state at the end of the assessment period due to an automatic process built into the E-Tagging software.  This question also corresponds to R2, which is a TSP requirement. 

          Yes.

        • A:October 18, 2016
          IRO-001 / TOP-001: Draft RSAW v4 asks for a list of operating instructions received during the audit period.  Is SERC expecting a complete list of all operating instructions during an audit period?  This list could be extensive.

          No, SERC will sample certain days of the audit period per NERC Sampling Methodology.

        • A:12/7/2016
          In reviewing the requirements in IRO-001-4, we have a dilemma with R2 and R3, which state the following:
          R2 Each Transmission Operator, Balancing Authority, Generator Operator, and Distribution Provider shall comply with its Reliability Coordinator’s Operating Instructions unless compliance with the Operating Instructions cannot be physically implemented or unless such actions would violate safety, equipment, regulatory, or statutory requirements.

          R3  Each Transmission Operator, Balancing Authority, Generator Operator and Distribution Provider shall inform its Reliability Coordinator of its inability to perform the Operating Instruction issued by its Reliability Coordinator in R1. 
           
          We believe that these requirements are referencing operating instructions issued during normal operations.  We are currently registered to perform the BA, TOP, and RC functions in SERC.  All of these functions currently work out of the same control center in very close proximity to one another (less than 10 feet apart). 
           
          My question is in regard to operating instructions issued for normal operations.  Since these functions work so closely together, most operating instructions are issued verbally with three-part communication with only operating instructions issued for emergency situations being logged. Since these functions communicate operating instructions throughout the day, every day, the sheer number of issued operating instructions would be voluminous in nature and would possibly place a significant burden on the operators to ensure that they are logged. 
           
          Based on our functional setup, what evidence would SERC be looking for to demonstrate compliance?  Would we need to have microphones/intercom system set up at every functional desk that routes back to a centralized recording to capture every operating instruction issued during normal operations by the RC to the TOP and BA; or would SERC place value on our current setup and denote that these functions work closely together in the spirit of cooperation where operating instructions for normal operations are generally issued verbally and not captured or logged.
           
          It seems as though these requirements were written for entities that participate in RTOs.  However, we would like some guidance from you as to your compliance approach based on our functional setup.
           

          Per the measures for IRO-001-4:

          R2: Registered entities are expected to provide evidence that will be used to determine that they complied with their Reliability Coordinator's Operating Instructions, unless the instruction could not be physically implemented, or such actions would have violated safety, equipment, regulatory or statutory requirements. In such cases, the Transmission Operator, Balancing Authority, Generator Operator, or Distribution Provider shall have and provide copies of the safety, equipment, regulatory, or statutory requirements as evidence for not complying with the Reliability Coordinator’s Operating Instructions. If such a situation has not occurred, the Transmission Operator, Balancing Authority, Generator Operator, or Distribution Provider may provide an attestation.

          R3: Registered entities are expected to provide evidence that will be used to determine that they informed their Reliability Coordinator of their inability to perform an Operating Instruction issued by the Reliability Coordinator in Requirement R1.

        • A:March 1, 2016
          MOD-001-2 has been moved to the archived web page, but it is not enforceable. What is the status of this standard?

          The project web page for the standard development project (Project 2012-05 – MOD A) was moved from the “Reliability Standards Under Development” web page to the “Archived Reliability Standards Under Development” web page. The NERC BOT adopted the MOD-001-2 standard and filed it with FERC in February 2014. In the interim, FERC has issued a NOPR on the proposed standard and also held a technical conference regarding MOD-001-2. The standard is still under consideration by FERC and can be found on the “Standards Filed and Pending Regulatory Approval” web page. MOD-001-1a is the currently mandatory and enforceable standard.

        • A:Updated 5/19/2015

          How are the Regional Criteria for MOD-024-1, MOD-025-1, and MOD-025-2 going to be utilized for compliance activities through July 1, 2016?  

          MOD-025-2 is currently effective (7/1/2014) and is a continent-wide NERC Reliability Standard. MOD-025-2 becomes enforceable on 7/1/2016.

          MOD-024-1 and MOD-025-1 are not mandatory standards subject to enforcement.  MOD-024-1 and MOD-025-1 will be retired on 6/30/2016 as MOD-025-2 becomes enforceable on 7/1/2016. 

          The SERC Regional Criteria, Verification of Generator Real and Reactive Power Capability, associated with MOD-024-1 and MOD-025-1 is being retired.

        • A:5/28/2014

          Can a Registered Entity continue to report for the contract owners?

          The Applicability sections of Standards MOD-024-1 and MOD-025-1 indicate that the Generator Owner (GO) is the Registered Entity responsible for reporting. When a generating unit has more than one owner, the decision as to which one registers with NERC as the GO is a decision made by the unit’s owners. The registered GO is then responsible for compliance reporting requirements. 

        • A:5/28/2014
          What changed that now requires a Registered Entity to be listed on the MOD-024-1 and MOD-025-1 data forms?  

          The form is assigned by SERC staff to all entities registered as a GO and/or a Generator Operator (GOP) to permit data collection simplification.  Regardless, the GO is responsible for reporting, per the NERC MOD-024-1 and MOD-025-1 Reliability Standards.  The list of generators is filtered to include all units for which the selected Registered Entity is either a GOP or contractual generator owner.  If an entity is a contractual owner but not a registered GO, the form will not be assigned.

        • A:5/28/2014

          If a Registered Entity remains on the data forms, what future data reporting and compliance responsibilities does that imply?

          The current data request is for MOD-024-1 and MOD-025-1 data only.  Future data reporting is driven by NERC Reliability Standards, SERC Regional Reliability Standards, and SERC Regional Criteria.  A Registered Entity’s future data reporting and compliance responsibilities cannot be determined.

        • A:5/28/2014

          Is May 27, 2014 or June 30, 2016 the retirement date for MOD-024-1 and MOD-025-1; and if not either of those dates, when is it?

          MOD-024-1 and MOD-025-1 are scheduled to be retired June 30, 2016, per the MOD-025-2 implementation plan approved by FERC in the MOD-025-2 Order, which has an Effective Date of May 27, 2014. MOD-025-2 is enforceable on July 1, 2016 (see Standard MOD-025-2, page 21).

        • A:Updated 5/19/2015

          Will the Regional Guide for MOD-024-1 and MOD-025-1 be retired with the Standards?

          Yes, the SERC Regional Criteria, Verification of Generator Real and Reactive Power Capability, associated with MOD-024-1 and MOD-025-1 is being retired. 

        • A:4/10/2015

          Standards each have staged implementation periods based on percent of applicable unit gross MVA or percent of applicable Facilities respectively.

          How will the percent of applicable unit gross MVA or percent of applicable Facilities be audited?  Entities are asking how to determine the percentages.  (Is it based on unit type, fossil, nuclear, hydro, etc., entire fleet, or another measure?)

          For entities with facilities in multiple Regions are the percentages based on facilities in each Region or can the percentage be based on their total facilities in all regions?

          First identify the applicable qualifying units in the Eastern Interconnection that meet one or more of the following criteria:

          • Those that are 20 MVA or greater, per generator, and directly connected at 100 kV or greater;
          • Those that are a synchronous condenser 20 MVA or greater and directly connected at 100 kV or greater;
          • A generating plant/facility 75 MVA or greater connected at 100 kV or greater (if this criterion is met, the entire plant/facility counts as one generator for the total number of qualifying units); or
          • Blackstart units that are part of the TOP restoration plan (PRC-019).

          From the list of applicable generators and condensers, the percentage is calculated from the total number of applicable generators and condensers. The registered entity shall be able to show how the total and percentage were calculated and the records to show that the tests were performed and verified.

        • A:11/10/2015

          If we have been issued a specific voltage/reactive schedule by the BA/TOP for our plant to meet that specifies a minimum MVAR output below the capability rating curve for the units, can the test points for our MOD-025-2 testing documentation conform to that same schedule?

          The purpose of MOD-025-2 is to verify the actual real and reactive power capability of generators. The verification should be conducted per MOD-025-2, Attachment 1; so the Transmission Planners’ model data is consistent from the different units in their footprint. The verification process should compare the unit’s real/reactive output capability to the designed operating range (D-curve) of the unit, not the TOP’s voltage schedule.

        • A:Updated 5/19/2015
          Can Registered Entities start applying MOD-025-2 Requirements now rather than following the Regional Criteria for MOD-024-1 and MOD-025-1?

          Yes, Registered Entities must start applying MOD-025-2 Requirements. The SERC Regional Criteria, Verification of Generator Real and Reactive Power Capability, associated with MOD-024-1 and MOD-025-1 is being retired. 

        • A:11/24/2015

          Our company is in the process of validating real and reactive power in preparation to meet or exceed the 40% compliance threshold by July 1, 2016. In the process, a question has arisen.

          At what point does the 90-day submittal become enforceable?  We have collected operational data, but we were unable to finalize reports on a few units before 90 days after the data collection.

          All of the data is still valid. Is it still consistent with the requirements of this Standard to finalize the reports and send them prior to July 1, 2016?

          The 90 calendar-day submittal deadline is enforceable at the milestone dates of the implementation plan. Thus, each Generator Owner must submit verification data to its Transmission Planner for at least 40% of its generation units prior to July 1, 2016. 

        • A:Updated 5/19/2015

          Will a new Regional Guide be provided for MOD-025-2; and if so, when should we expect to see it?

          No, the SERC Regional Criteria, Verification of Generator Real and Reactive Power Capability, associated with MOD-024-1 and MOD-025-1 is being retired. 

        • A:7/22/2014

          MOD-025-2 / MOD-026-1 / MOD-027-1: Please explain how to be compliant and when each is effective. 

          SERC cannot comment on how to be compliant. The MOD Standards will be included in future SERC outreach activities. SERC staff is currently reviewing the material to plan the appropriate outreach initiatives. 

          Below is the requested effective date information.

          MOD-025-2:
            40% of applicable Facilities are to be compliant by 7/1/2016
            60% of applicable Facilities are to be compliant by 7/1/2017
            80% of applicable Facilities are to be compliant by 7/1/2018
            100% of applicable Facilities are to be compliant by 7/1/2019

          MOD-026-1 R1 and R3 through R6: Effective date is 7/1/14
          MOD-026-1 R2:
            30% of the entity’s applicable gross MVA are to be compliant by 7/1/2018
            50% of the entity’s applicable gross MVA are to be compliant by 7/1/2020
            100% of the entity’s applicable gross MVA are to be compliant by 7/1/2024

          MOD-027-1 R1 and R3 through R5: Effective date is 7/1/14
          MOD-027-1 R2:
            30% of the entity’s applicable units’ gross MVA are to be compliant by 7/1/2018
            50% of the entity’s applicable units’ gross MVA are to be compliant by 7/1/2020
            100% of the entity’s applicable units’ gross MVA are to be compliant by 7/1/2024

        • A:6/30/2016
          Does a single registered unit need to be in compliance by July 1, 2016?

          The issue was discussed by SERC Compliance management on a recent ERO call. To be consistent across the ERO, SERC has aligned with the other Regions and moved the MOD-025-2 compliance date for a single unit to July 1, 2016. 

        • A:6/30/2016
          What is the SERC guidance on implementation percentages of MOD-025 and PRC-019?  If a single plant has 10 generating units, must they complete all 10 prior to July 1, 2016 or four units to meet the first milestone?

          Per the MOD-025-2 implementation plan each Generator Owner and Transmission Owner shall have verified:
               at least 40 percent of its applicable units by 07/01/2016
               at least 60 percent of its applicable units by 07/01/2017
               at least 80 percent of its applicable units by 07/01/2018
               and 100 percent of its applicable units by 07/01/2019

          This would require four of the 10 units to be compliant by 07/01/2016 and 2 more for each of the next three years.

        • A:February 21, 2017
          MOD-025-2: Does the verification have to be completed by a certified U.S. engineer? We employ many Canadian engineers, but in order to have a U.S. engineer certification we would have to hire a consultant.

          MOD-025-2 does not specifically address the qualifications of personnel performing verification.  In most situations, state law governs engineer licensure.  However, it is the responsibility of each registered entity to ensure that qualified personnel perform the work when certifying compliance with Reliability Standards.

        • A:7/5/2016
          Question 1:
          Requirement 2 is the requirement to perform Reactive Power testing and submit the report to Transmission Planning within 90 days of recording the data.  Reactive Power testing consists of both a leading (lower voltage) and lagging (raising voltage) test.  Are they compliant if they perform the leading test in January, and perform the lagging test in July, and send a single report 90 days after finishing the lagging test in July?

          Leading and lagging Reactive Power tests can be performed at different times.  For the unit to be considered compliant, both tests must be complete and submitted by the implementation milestone dates.

          Additional information

          Milestone dates:
          Each Generator Owner and Transmission Owner shall have verified at least:
            40 percent of its applicable Facilities by 07-01-2016.
            60 percent of its applicable Facilities by 07-01-2017.
            80 percent of its applicable Facilities by 07-01-2018.
          100 percent of its applicable Facilities by 07-01-2019.

          Per MOD-025-2 Attachment 1 Paragraph 1 under Periodicity for conducting a new verification: 
          The first verification for each applicable Facility under this standard must be a staged test.

          Question 2:
          Requirement 2 has the 90 day window for submitting the report to Transmission Planning.  Will Nuclear still be compliant if they send the report after the 90 day period?

          The 90 calendar-day submittal deadline is enforceable at the milestone dates of the implementation plan. Thus, each Generator Owner must submit verification data to its Transmission Planner for at least 40% of its generation units prior to July 1, 2016. The only exclusion for Nuclear units is the requirement to perform Reactive Power verification at minimum Real Power output. 

          Reference:
          The Violation Severity Levels in the standard identify the consequences of exceeding the 90 calendar days specified in Requirement 2.2.

        • A:7/13/2016
          Question 1:
          Is a completed Attachment 2 report submitted after 90 calendar days, still a valid date to calculate the next testing due date?

          The next test date is based on the previous verification date, not the date the form is submitted. 

          Question 2:
          If the tests for Reactive Power lagging and leading are performed at different times, is it OK to hold the data for the pending test until all data is gathered? If so, what is the maximum allowable time between the two tests?

          If the data is recorded from a staged test, then the data must be submitted within 90 days per Requirements 1.2 and 2.2.  If the staged lagging and leading tests are more than 90 days apart, then two forms are required.  If the data is selected from historical operational data, then the elapsed time between the lagging and leading tests could exceed 90 days, as long as the dates selected are within the 66 calendar month compliance window.  However, paragraph 2 of MOD-025-2, Attachment 1 states, “If data for different points is recorded on different days, designate the earliest of those dates as the verification date, and report that date as the verification date on MOD-025 Attachment 2 for periodicity purposes.” 

          Question 3:
          Is the Real and Reactive Power capability change of 10 percent based on design/equipment change or what the unit could actually verify during an operational test?

          The 10 percent change is based on design changes or discovery of equipment changes that are expected to affect the unit’s capability for more than six months.

        • A:11/9/2015

          For Generating Units that qualify for the 10 year exemption for excitation systems/governors, is the Generator Owner obligated to provide ANY model data to the Transmission Planner under MOD-026/027 and possibly MOD-032?  What if changes or updates are made to these systems?  If they still qualify for the exemption are we required to provide models or notify of changes?

          My reason for asking – The majority of my units qualify for this exemption and will likely never go over the 5%.  I have sent notification to the TP with this statement and showed the calculations for these units as described in the Attachments at the back of the standard.  They seem to think I still owe them model data, even if it isn't verified. I do not agree.

          We will also be upgrading some of these exempt units over the next couple of years hence my changes/upgrades question.

          MOD-026-1 and MOD-027-1 do not require initial generator verification for generators with an average capacity factor of 5% or less over the three most recent calendar years.  To meet this exclusion, the capacity factor must be calculated as specified in Appendix F of the GADS Data Reporting Instruction on the NERC website.  If the GADS capacity factor calculation is 5% or less, a letter should be sent to the Transmission Planner stating the facts and circumstances of each generator that meets this exclusion.  Notification of changes and/or models are not required, as long as the unit meets the net capacity factor exclusion.

        • A:April 10, 2015

          Standards each have staged implementation periods based on percent of applicable unit gross MVA or percent of applicable Facilities respectively.

          How will the percent of applicable unit gross MVA or percent of applicable Facilities be audited?  Entities are asking how to determine the percentages.  (Is it based on unit type, fossil, nuclear, hydro, etc., entire fleet, or another measure?)

          For entities with facilities in multiple Regions are the percentages based on facilities in each Region or can the percentage be based on their total facilities in all regions?

          First identify the applicable qualifying units in the Eastern Interconnection that meet one or more of the following criteria:

          • Those that are 100 MVA or greater, per generator, and directly connected at 100 kV or greater; or a generation plant with 100 MVA or greater generation connected at 100 kV or greater;
          • For those units that are connected in the ERCOT Region, those that are 50 MVA or greater, per generator, and directly connected at 100 kV or greater; or a generation plant with 75 MVA or greater generation connected at 100 kV or greater; and
          • Any technically justified unit that meets NERC registry criteria and is required by the Transmission Planner (MOD-026-1).

          From this list of applicable generation, the total MVA shall be used for the percentage calculations and this may cross several regions. This includes all types of generation in the total MVA: hydro, nuclear, steam, wind, and solar. The registered entity shall be able to show how the total MVA and percentage were calculated and the records to show that the tests were performed and verified.
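          The two percentage questions above (the ten-unit MOD-025-2 plant, and the gross-MVA basis for MOD-026-1/MOD-027-1 R2) and the MOD-025-2 date rules from the 7/13/2016 answer (90 calendar-day submittal, earliest data-point date as the verification date, periodicity measured from the verification date) are worked through in the added Python example below. It is not SERC or NERC material. Assumptions that the page does not state are labelled in the code: "at least N percent" of a whole-unit count rounds up; the 66 calendar months cited above is used as the next-due interval; a report submitted outside the 90-day window is not counted toward a milestone; the fleet, names and dates are constructed.

```python
"""Added worked example, not SERC or NERC material: staged implementation
milestones and MOD-025-2 submittal/periodicity dates.  Labelled assumptions:
"at least N percent" of whole units rounds up; MOD-026-1/MOD-027-1 R2 is weighted
by gross MVA; 66 calendar months from the verification date is the next-due date;
a late report does not count toward a milestone; all unit data is constructed."""
from __future__ import annotations

import calendar
import math
from dataclasses import dataclass
from datetime import date

# Milestone schedules quoted on this page: (milestone date, cumulative percent).
MOD_025_2_MILESTONES = [
    (date(2016, 7, 1), 40), (date(2017, 7, 1), 60),
    (date(2018, 7, 1), 80), (date(2019, 7, 1), 100),
]
MOD_026_027_R2_MILESTONES = [
    (date(2018, 7, 1), 30), (date(2020, 7, 1), 50), (date(2024, 7, 1), 100),
]


@dataclass
class Unit:
    name: str
    gross_mva: float
    verification_date: date | None = None  # earliest data-point date (Attachment 1, paragraph 2)
    submitted_date: date | None = None     # date Attachment 2 reached the Transmission Planner


def required_units(total_units: int, percent: int) -> int:
    """Whole units needed to reach 'at least' the given percent (rounding up is an assumption)."""
    return math.ceil(total_units * percent / 100)


def verification_date(point_dates: list[date]) -> date:
    """Points recorded on different days: the earliest date is the verification date."""
    return min(point_dates)


def submittal_on_time(unit: Unit, window_days: int = 90) -> bool:
    """R1.2/R2.2: the Attachment 2 report is due within 90 calendar days of the verification date."""
    if unit.verification_date is None or unit.submitted_date is None:
        return False
    return 0 <= (unit.submitted_date - unit.verification_date).days <= window_days


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the length of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_verification_due(unit: Unit, months: int = 66) -> date | None:
    """Periodicity runs from the verification date, not from the date the form was submitted."""
    return None if unit.verification_date is None else add_months(unit.verification_date, months)


def milestone_status(units: list[Unit], milestones: list[tuple[date, int]],
                     weight_by_mva: bool = False) -> list[dict]:
    """Per milestone: required, achieved (reports submitted before that date and on time), met."""
    total = sum(u.gross_mva for u in units) if weight_by_mva else len(units)
    rows = []
    for m_date, pct in milestones:
        done = [u for u in units
                if u.submitted_date is not None and u.submitted_date < m_date and submittal_on_time(u)]
        achieved = sum(u.gross_mva for u in done) if weight_by_mva else len(done)
        required = total * pct / 100 if weight_by_mva else required_units(total, pct)
        rows.append({"milestone": m_date, "percent": pct, "required": required,
                     "achieved": achieved, "met": achieved >= required})
    return rows


def sample_fleet() -> list[Unit]:
    """Constructed ten-unit fleet (not real data): four 100 MVA units verified in time, one late report."""
    fleet = [Unit(f"U{i}", 100.0 if i <= 4 else 50.0) for i in range(1, 11)]
    for i, u in enumerate(fleet[:4]):
        # Leading and lagging points taken on different days; the earliest day is the verification date.
        u.verification_date = verification_date([date(2016, 2, 10 + i), date(2016, 3, 1 + i)])
        u.submitted_date = date(2016, 5, 1 + i)       # 81 days later: inside the 90-day window
    fleet[4].verification_date = date(2016, 1, 15)
    fleet[4].submitted_date = date(2016, 6, 1)        # 138 days later: outside the window
    return fleet


if __name__ == "__main__":
    fleet = sample_fleet()
    for row in milestone_status(fleet, MOD_025_2_MILESTONES):
        print("MOD-025-2", row)
    for row in milestone_status(fleet, MOD_026_027_R2_MILESTONES, weight_by_mva=True):
        print("MOD-026/027 R2", row)
    print("U1 next verification due:", next_verification_due(fleet[0]))
```

          With the constructed fleet, the 7/1/2016 MOD-025-2 milestone is met (4 of 10 units), the 7/1/2017 milestone is not (6 required), and the fifth unit's late report counts for nothing even though its test data is valid; on the MVA basis the same four units (400 of 700 MVA) clear the 30% and 50% MOD-026/027 R2 milestones but not 100%.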

        • A:12/1/2015
          MOD-026-1 and MOD-027-1 Attachment 1 have the following exemption: Existing applicable unit has a current average net capacity factor over the most recent three calendar years, beginning on January 1 and ending on December 31, of 5% or less.

          What three-year period do we use for the initial implementation date? Is it our choice?

          The most recent three calendar years, to be recalculated every 10 years.

        • A:12/1/2015
          Many units qualify for the 5% capacity factor exemption under MOD-026/MOD-027. Are GOs obligated to provide any model that qualifies for the exemption?  MOD-026-1 and MOD-027-1 do not require initial generator verification for generators with an average capacity factor of 5% or less over the three most recent calendar years.

          The capacity factor must be calculated as specified in Appendix F of the GADS Data Reporting Instruction on the NERC website to meet this exemption. If the GADS capacity factor calculation is 5% or less, the GO should send a letter to the Transmission Planner stating the facts and circumstances of each generator that meets this exemption.

        • A:8/25/2016
          A site has determined it has 3 equivalent or sister units, Unit 1, 2, and 3. All three units have identical control systems, parameters, and settings.

          Unit 1 is selected for model verification and the required model and verification is submitted. Unit 2 and 3 submit their required model data and state they are sister units to Unit 1 which was verified.

          Question 1:  Is this all that is required or would there need to be additional information for a sister unit?

          Units 2 and 3 that meet the equivalency criteria documented in NERC Standards MOD-026-1, Attachment 1, Row Number 4, Verification Condition section, and MOD-027-1, Attachment 1, Row Number 5, Verification Condition section, require completion of the corresponding Required Action sections of Attachment 1 for both NERC Standards.  If Entergy Units 2 and 3 do not meet the equivalency criteria, individual unit modeling and verification will be required for both Units 2 and 3. 

          Please note that verification of a “different” equivalent unit during each 10-year verification period is required and that MOD-026-1/MOD-027-1, Attachment 1, Row 1, applies when calculating generator fleet compliance during the 10-year implementation period.

          Also, please note that all Units that implement system changes after initial models have been verified are subject to MOD-026-1 R4 and MOD-027-1 R4 compliance and the obligation to notify its Transmission Planner within 180 calendar days of making system “changes”.

          Later, Unit 1 upgrades its control system and performs model verification and submits the required data.

          Question 2:  Would Unit 2 or 3 need to perform model verification since the original verification was performed for Unit 1?

          Units 2 and 3 that meet the equivalency criteria documented in NERC Standards MOD-026-1, Attachment 1, Row Number 4, Verification Condition section, and MOD-027-1, Attachment 1, Row Number 5, Verification Condition section, require completion of the corresponding Required Action sections of Attachment 1 for both NERC Standards.  If Units 2 and 3 do not meet the equivalency criteria for the model that was verified, individual unit modeling and verification will be required for both Units 2 and 3.

          After the Unit 1 upgrade, Unit 2 upgrades its control system, which is identical to Unit 1. 

          Question 3:  If the control system, parameters, and settings are the same as Unit 1, does Unit 2 need to perform model verification or is it covered as a sister unit?

          If Unit 2 does not meet the equivalency criteria documented in NERC Standards MOD-026-1, Attachment 1, Row Number 4, Verification Condition section, and MOD-027-1, Attachment 1, Row Number 5, Verification Condition section, completion of the corresponding Required Action sections of Attachment 1 for both NERC Standards is required.  If Unit 2 does meet the equivalency criteria, as stated above, it may qualify as an equivalent unit.

        • A:3/1/2016
          There have been many documents that have excluded some or all nuclear power plants from frequency response requirements.  These include:
          • NERC Alert A-2015-02-02-01, Generator Governor Frequency Response
          • Memo from Nano Sierra (FERC) to the ERAG MMWG dated September 9, 2010
          • Memo from Nano Sierra (FERC) to the ERAG MMWG dated April 27, 2011
          • Memo from ERAG Management Committee to the MMWG dated April 28, 2011
          • Email providing FRCC’s response to the September 9, 2010 FERC memo
          • MMWG Procedure Manual, page 42, section 9.2.D.2

          Based on these documents, our Transmission Planner does not include nuclear plant governors in their system models.

          The question is, can the nuclear industry get an exemption from the MOD-027-1 reporting requirement to provide governor models to our Transmission Planner since they are not going to use them?

          If the planner does not use the data, is it necessary?

          Auditors are required to audit to the standard as written. The standard includes an exclusion (MOD-027-1 Attachment 1). 

          Follow-up question to above. They would like to include steam turbine generators for Combined Cycle plants to the question to SERC on MOD-027 applicability.

          “Though we don’t have the “paper trail” of documents for them like we do for nuclear, these [Combined Cycle] units run with their steam valves wide open and, as such, do not respond to grid frequency deviations.  For this reason, our Transmission Planner does not include their governors in the models either.”

          Auditors are required to audit to the standard as written.


        • A:8/19/2016
          In the past, the portal was open to all the various asset owners, LSEs, etc., for each company to log in and enter their respective data. Under MOD-031-1 or v2, it will be the Planning Coordinator's role to collect and enter said data. Will SERC be able to provide insight as to which data from MOD-031 R1 will be requested under the Q1 2017 time frame? Stated another way, do you know if we can expect any changes from the historical reporting forms other than which entities will be logging in to the portal to report?  If the forms are changing, do you know if it will be communicated within the 75 calendar day time frame to allow for collections?

          There will be no changes to the Demand and Energy forecasts that are reported by the Planning Authority via the Reliability portal.
          The PC will continue to report Actual Demand and Energy data through the Reliability portal; however, the actual data will be broken out by LSE beginning with 1st Quarter 2017 data due in April 2017. SERC will distribute a data request with an explanation of the changes made to the PC entities early in February 2017.

        • A:March 1, 2016
          MOD-031:  If there are multiple planning coordinators that jointly plan for a common area, can these planning coordinators coordinate their R1 data requests in a manner that utilizes a single planning coordinator to issue and collect the R1 data to provide to SERC under requirement 3?

          Yes; however, without documentation such as a CFR that clearly delineates responsibilities, a violation of R1 could go against all the Planning Coordinators that are a part of the coordinated approach.

        • A:7/22/2016
          NERC Reliability Standard MOD-031-1 – Demand and Energy Data became mandatory and enforceable on July 1, 2016.  Requirement R1 requires that the Planning Coordinator (PC) or Balancing Authority (BA) develop and issue a data request to certain applicable entities in their area. The sub-requirements of R1 specify the content of the data request. The data specified in Requirement R1 is provided to SERC via forms posted in the Reliability Data Reporting Portal as part of the Long-Term Reliability Assessment (LTRA) and NEL data submittals due each year on or before April 1st. The issuance of a data request by the PC or BA to applicable entities for the same data prior to the next data collection cycle (i.e., Q1 2017) will create confusion among the entities, yet is implied in the Measure M1 if an entity is to be fully compliant with the new Standard on July 1, 2016. What is the expectation by SERC CEAs regarding evidence of compliance with Requirement R1 between the enforcement date of MOD-031-1 (July 1, 2016) and the next data reporting cycle (Q1, 2017)?

          MOD-031-1 is part of the ongoing annual process for Planning Coordinators and Balancing Authorities to collect demand, energy, and related data to support reliability studies and assessments. The schedule for issuing data requests should continue to follow the normal data request process that has been established. Any data request issued after 7/1/16 should be compliant with MOD-031-1. Any data request issued after 10/1/16 should be compliant with MOD-031-2.

        • A:February 21, 2017

          NERC Reliability Standard MOD-033-1, Requirement R1 states that each Planning Coordinator (PC) shall have a documented data validation process and shall implement that process.  The implementation of the process includes performing comparisons of model predictions to actual system behavior and response “at least once every 24 calendar months”. The effective date of the Standard is July 1, 2017.  Is the expectation that the initial comparisons be performed by the PC prior to the effective date of July 1, 2017, or does the PC have 24 months from the effective date to perform the initial comparisons?

          Per the MOD-033-1 implementation plan, responsible entities have 24 months after the effective date of July 1, 2017 to complete the initial comparisons as required in MOD-033-1, R1.

        • A:August 30, 2016

          We are planning our testing for NERC standards MOD-026 and MOD-027. I wanted to ask for information on coordinating this testing with SERC. We are planning on performing the tests in 2017, but do not have any dates at this time. I would like to have this information for planning of the tests.

          There are no requirements to coordinate with SERC during the development of the control models required by MOD-026-1 and MOD-027-1.  If you have specific Reliability Standards related questions, please submit those questions via the SERC FAQ process.

        • A:12/15/2015

          PER-005-1 R3 states: At least every 12 months each Reliability Coordinator, Balancing Authority and Transmission Operator shall provide each of its System Operators with at least 32 hours of emergency operations training applicable to its organization that reflects emergency operations topics, which includes system restoration using drills, exercises or other training required to maintain qualified personnel.

          My understanding is that the 12-month period begins January 1 through December 31. For example, if a system operator's hire date is July 1, does the employer only have to provide 16 hours of emergency operations training, or is the 32 hours still required to be given within a 6-month time frame?

          PER-005-2 becomes enforceable 7/01/2016. This revision does away with the 32-hour emergency operations training requirement. How many emergency operations training hours are required to be compliant with PER-005-1 R3 for half the year, 16 or 32?

          The 12-month period starts when the operator is put on shift to work unsupervised by another operator. An operator that starts shift on July 1 should have 32 hours of EOP training hours by the following July 1.

          As for the implementation of Version 2, the expectation is that the registered entity will continue to train their operators in the same way as it has in Version 1, with no specific requirement of the number of EOP hours.


        • A:11/16/2015

          I am looking for some information in regards to PER-005-2 Requirement 2.2 and 2.3. The wording in the implementation plan is confusing. What is required prior to July 1, 2016? We are a TO. If we do not have someone currently going through our training program (including at the July 1, 2016 date), do we need to have all the training associated with the program developed? During implementation of PER-005-1, the RSAW clearly stated that the development of the training materials was not required until they were used for training. This time it is not as clear.

          The main consideration with this new version is introducing the two new applicable entities. You basically have to do a condensed version of what was done for RC, TOP, BA in the current version.

          To be applicable, you must be a TO that can act independently to operate. The first challenge is to determine who those personnel are.  Do they independently operate or direct operations of the TO's BES transmission in real-time?

          Typical examples are those in a transmission control center who operate a portion of the BES at the direction of its TOP.

          Requirement 2.2 requires writing a training program that includes a list of RRT and training material for those personnel prior to July 1, 2016.

          Requirement 2.3, on delivering training, refers to existing personnel as well as new personnel. For those personnel identified, you must deliver training prior to July 1, 2016.

          However, if there are no personnel currently but will be in the future, you have to state your case with compliance.

        • A:9/30/2014

          PRC-001 R1 states that the GOP needs to be familiar with the purpose and limitations of protection system schemes applied in its area.  Is there specific guidance from SERC on what SERC believes is good evidence and who specifically is the target audience for the training?

          For this Reliability Standard, GOP is defined as the Registered Entity and not the person sitting on the desk.  There should be staff or contractor(s) available to address protection systems issues as they arise.  Staff could include the actual operator, electricians, instrumentation crew, etc. Training records, qualification records, etc. have been used as evidence of compliance in the past. The key question is: who is contacted to decide what to do when a protection device is triggered?  Is it the operator or other staff?

        • A:10/3/2016
          NERC Implementation Plan for PRC-002-2 Requirements R2, R3, R4, R6, R7, R8, R9, R10, R11 states:
          Entities shall be at least 50 percent compliant within four (4) years of the effective date of PRC-002-2 and fully compliant within six (6) years of the effective date.
          Question(s):
          1. How do you quantify 50% compliance with PRC-002-2?
          2. Does the 50% compliance apply to entities with a single generator?

          Question 1:
          As of July 1, 2016, registered entities must be compliant with PRC-002-2, R1.1 and R5.1.  Compliance with R1.1 and R5.1 determines the number of devices that an entity must install. Once the number of devices is determined, then the registered entity shall be at least 50 percent compliant by July 1, 2020.

          Example: Suppose an entity must install five (5) devices identified by R1.1 and R5.1. For 50 percent compliance, five devices * 50 percent = 2.5 devices; and rounded up to the nearest whole number equals three (3) devices that must be installed by July