NERC FFT Reports: Reliability Standard CIP-003-1 | White & Case LLP International Law Firm, Global Law Practice
NERC FFT Reports: Reliability Standard CIP-003-1

NERC FFT Reports: Reliability Standard CIP-003-1

White & Case NERC Database

This page contains the FFT (Find, Fix and Track) summaries. Click here to read the NOP (Notice of Penalty)/ACP (Administrative Citation of Penalty) summaries.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Region: SERC

Issue: As the result of a compliance audit, SERC determined FFT Entity violated R2 because it failed to provide evidence that it had designated a single senior manager with responsibility and authority for CIP-002 – CIP-009.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not have any CAs and does not own or operated any of the CCA criteria set out in proposed CIP-002-4.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Region: SERC

Issue: As the result of a compliance audit, SERC determined FFT Entity violated R2 because it failed to provide evidence that it had designated a single senior manager with overall responsibility and authority for CIP-002 – CIP-009.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not have any CAs and does not own or operated any of the CCA criteria set out in proposed CIP-002-4.

Find, Fix and Track Entity, Docket No. RC11-6 (September 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R2

Region: SERC

Issue: During a compliance audit, SERC determined FFT Entity violated R2 because it failed to provide evidence that a single senior manager had been assigned overall responsibility and authority for CIP-002 through CIP-009.

Finding: SERC found that this issue constituted only a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because FFT Entity does not have any CAs, does not own or operate any facilities that would meet any of the Critical Asset Criteria set forth in the proposed CIP-002-4, and does not own or operate any BPS equipment.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1/1.3

Region: NPCC

Issue: During a compliance audit, NPCC determined that FFT Entity did not have a senior manager approve a NERC cyber security policy and a statement of management commitment.

Finding: NPCC found that the issue constituted a minimal risk to BPS reliability. FFT Entity’s digital risk and security group did conduct an annual review of the CIP-related information security requirements, which was approved by the chief information security officer.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1/1.1/1.2

Region: SPP

Issue: Through a spot check, SPP determined that the 2008 version of FFT Entity’s Cyber Security Policy did not incorporate any provisions for emergency situations as required. FFT Entity also did not distribute its Cyber Security Policy to its vendor personnel who had access to or were responsible for the CCAs until April 13, 2010.

Finding: SPP found that the issue constituted a minimal risk to BPS reliability. FFT Entity did possess a robust Cyber Security Policy that showed its management’s commitment to enact a program to comply with the CIP Reliability Standards and the 2009 version of its Cyber Security Program did include provisions for emergency situations. FFT Entity had uploaded its Cyber Security Policy onto its intranet, which was available to system vendors upon request. The system vendors had also undergone training on the CIP Reliability Standards and are aware of cyber security best practices.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R1, R4

Region: RFC

Issue: FFT Entity self-reported that, due to software issues, it was unable to access certain of its CCAs to change the passwords every 60 days as required by FFT Entity’s Cyber Security Policy (R1). FFT Entity also self-reported that, in one instance, it did not abide by the requirements in its information protection program to encrypt all information associated with its CCAs before digitally transferring (emailing) the information outside of the company (R3).

Finding: RFC found that the issues constituted a minimal risk to BPS reliability. In regards to R1, FFT Entity had established a shorter time frame for changes to its CCA passwords than what was required by the Reliability Standards. This shorter time frame was established according to a general corporate policy, and not in response to any heightened risk. Therefore, even though FFT Entity did not abide by its own 60-day requirement for changing passwords, it did not represent a potential cyber risk. In addition, no one attempted to gain access to the relevant CCAs during the violation. In regards to R4, RFC was, to FFT Entity’s knowledge, the only recipient of the relevant email and FFT Entity confirmed receipt of the unencrypted transmission. In addition, FFT Entity’s internal email system is protected against unauthorized access.

Find, Fix and Track Entity, FERC Docket No. RC12-1 (October 31, 2011)

Reliability Standard: CIP-003-1

Requirement: R6

Region: SPP

Issue: FFT Entity self-certified that it did not properly develop a process for change control and configuration management concerning the addition, modification, replacement or removal of all CCA hardware or software and that it did not enact supporting configuration management activities.

Finding: SPP found that the issue constituted only a minimal risk to BPS reliability. FFT Entity did have a change control program in place that it utilized for changes to its systems hardware and application and database components that were controlled by its vendor. In addition, FFT Entity used a change control program on its SCADA system, which documented (although not according to a formal process) any changes in the software and hardware that would affect an important component of FFT Entity’s system.

Find, Fix and Track Entity, Docket No. RC12-6 (December 30, 2011)

Reliability Standard: CIP-003-1

Requirement: R2/2.2/2.3

Region: ReliabilityFirst

Issue: During a compliance audit, FFT Entity was found to be in violation of the requirement that any changes to CIP senior management must be documented within 30 days of such change. FFT Entity’s parent company changed the delegated senior management authority to another individual, but FFT Entity did not document evidence of its senior management delegation change until three months after the change.

Finding: ReliabilityFirst found the issue constituted a minimal risk to BPS reliability because it was documentation related, and although the documentation was not changed within the required timeframe, the senior manager delegate was performing all delegated senior manager functions. Furthermore, FFT Entity has no Critical Cyber Assets.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-003-1

Requirement: R1/R1.1

Region: SPP RE

Issue: During a spot check, SPP RE determined FFT Entity violated CIP-003-1 R1.1 because, at the time that the first version of the Standard was applicable, its Cyber Security Policy (CSP) failed to address all of the requirements of CIP-002-1 through CIP-009-1, specifically the following: CIP-004-1 R2.1, R2.1; CIP-005-1 R1.5, R2.1, R2.6; CIP-006-1 R1.1 through R1.7; CIP-007-1 R1.1, R1.2, R4.2, R5.2.2, R5.2.3, R5.3.2; CIP-008-1 R1.1, R1.4. FFT Entity remedied the problem by enacting a new CSP to match all the requirements of CIP-002-2 through CIP-009-2 on the date that Version 2 of the CIP Standard was enacted.

Finding: The issue posed only a minimal risk to BPS reliability because on the date Version 2 of the CIP Standard went into effect, and prior to SPP RE’s spot check, FFT Entity enacted a new CSP that addressed all the requirements of CIP-003-2 R1. Further, while FFT Entity’s CSP did not address every requirement of Version 1 of CIP, it did address every main level requirement. In doing so, the initial CSP conveyed management’s commitment and ability to secure FFT Entity’s CCAs.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-003-1

Requirement: R2

Region: MRO

Issue: As part of a compliance audit, MRO discovered FFT Entity failed to meet the requirements of CIP-003-1 R2 by not making a senior manager responsible for FFT Entity’s implementation of, and adherence to, the Standards articulated in CIP-002 through CIP-009.

Finding: MRO determined FFT Entity’s breach of CIP-003-1 R2 posed only a minimal risk to BPS reliability because FFT Entity’s failure to assign a senior manager to oversee the implementation of the CIP Standards did not affect FFT Entity’s successful implementation of its cyber security policy. Further, while FFT Entity did not have a formal documented assignment, the senior manager did sign the policy. Lastly, FFT Entity has less than 20 miles of transmission line and is summer peaking with an all time peak of less than 100 MW in July 2007.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-003-1

Requirement: R4

Region: MRO

Issue: MRO, in a CIP spot check, found that FFT Entity violated CIP-003-1 R4 by not labeling FFT Entity’s disaster recovery plans and CA lists as mandated by FFT Entity’s energy information security classifications policy.

Finding: The issue posed only a minimal risk to BPS reliability because FFT Entity’s document software package facilitates secure content management and limits electronic access to authorized users. As such, the documents not properly labeled were still protected by the restricted area of the system. Only a limited number of authorized users were able to access the documents.

Find, Fix and Track Entity, Docket No. RC12-7-000 (January 31, 2012)

Reliability Standard: CIP-003-1

Requirement: R1

Region: NCEA

Issue: NCEA determined three FFT Entities violated CIP-003-1 R1, R2 and R3, respectively, because they failed to include in their methodology or assessment the CIP assets of other third-party entities that were performing tasks on their behalf. As such, because of different compliance schedules, there were gaps in time where these assets were not in compliance.

Regarding FFT Entity in violation of R1, two of its third-party entities breached the Standard. The first third-party entity failed to prove that its policy was available to all employees who had access to CCAs. The second third-party entity insufficiently referenced the emergency situation requirements in Standards CIP-002 through CIP-009.

Regarding FFT Entity in violation of R2, a third-party entity failed to demonstrate that it had developed a list of CAs identified through an annual application of the risk-based assessment methodology required in R1.

Regarding FFT Entity in violation of R3, a third-party failed to demonstrate that it used a list of CAs developed pursuant to R2 or that it developed a list of associated CCAs essential to the operation of the Critical Asset.

Finding: These issues posed only a moderate risk to the reliability of the BPS because NCEA determined that, despite the errors, the third-party entities were preparing for compliance with the CIP Standards as required by the Approved Implementation Plan. As such, there was no actual impact to the reliability of the BPS as a result of these issues.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-003-1

Requirement: R1.1

Region: TRE

Issue: FFT Entity self-reported that its cyber security policy did not satisfy all of the requirements of the Reliability Standard.

Finding: TRE found that this issue constituted a moderate risk to the BPS, but that the risk was mitigated by the fact that FFT Entity’s cyber security plan (which had been in effect since before the Reliability Standard came into effect) was reviewed and updated annually and addressed the vast majority of the requirements in the Reliability Standard. TRE also found that the more recent version of FFT Entity’s cyber security policy is more representative of the intent of the Reliability Standard and minimized the risk to BPS reliability.

Find, Fix and Track Entity, Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-003-1

Requirement: R1; R1.3

Region: NPCC

Issue: FFT Entity self-reported a violation of CIP-003-1 R1 because, during an audit of FFT Entity’s affiliate, it was discovered that FFT Entity’s cyber security policy was not signed by the CIP-003-2 R2 designated senior manager. The cyber security policy is a single corporate document that is relied upon by multiple affiliated registered entities for compliance with CIP-003-2.

Finding: This issue posed only a minimal risk to the reliability of the BPS because the cyber security policy was reviewed by another department responsible for performing the annual NERC-CIP review of information security requirements, and was signed by another officer designated by the CIP-003 R2 manager as his or her delegate. NPCC noted that FFT Entity violated the Standard previously, but determined the instant remediated issue arose from the same conduct and, consequently, should not be viewed as an aggravating factor.

Find, Fix and Track Entity, FERC Docket No. RC12-8 (February 29, 2012)

Reliability Standard: CIP-003-1

Requirement: R4/4.1

Region: SPP

Issue: FFT Entity self-certified that it had not properly inventoried and protected its security configuration information, including its system configurations, system rule sets, and critical security settings.

Finding: SPP found that this issue constituted only a minimal risk to the BPS since FFT Entity’s relevant security configuration information was contained in machines with FFT Entity’s ESP. In addition, FFT Entity had protected other parts of its CCA information, such as network topology, floor plans and computing centers with CCAs, equipment layout, disaster recovery plans and incident response plans. FFT Entity also had a written policy addressing the identification, classification and protection of CCA information (even though the policy did not discuss security configuration information).

Find, Fix and Track, Unidentified Registered Entity, Docket No. RC12-10 (March 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R2.2/2.3

Region: TRE

Issue: It was found that URE’s records of CIP compliance were signed by an individual other than the senior manager charged with responsibility and authority for CIP Reliability Standards compliance. URE had no signed document confirming the senior manager responsible for CIP compliance nor any documentation indicating a change had been made to the person assigned with CIP compliance duties within 30 calendar days of any change that may have been made. TRE ultimately found that URE was not in compliance with the requirements of CIP-003-1 R2.2 and R2.3 from the date that CIP-003-2 became enforceable and the requirements for identification of the senior manager and delegate became enforceable for entities without Critical Assets, through the date that the senior manager and delegate were identified and documented.

Finding: TRE found the violation constituted a minimal risk to BPS reliability because the issue was documentation related only and the risk was mitigated by several factors. First, the senior manager was identified in a document that was not signed but was backed up by emails that lead up to the signing of the delegation letter allowing the plant manager to sign for the senior manager. Prior to the requirement to document and identify a delegated individual, the plant manager was verbally given delegated authority to sign documents on behalf of the senior manager, which he did, including signing off on URE’s risk-based assessment methodology and Critical Assets lists. URE did show an attestation regarding its tries to document the delegated authority to the plant manager but the outcome of that documentation effort could not be provided to Texas RE. URE did not have any Critical Assets or Critical Cyber Assets.

Unidentified Registered Entity, Docket No. NP12-11 (April 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R6

Region: RFC

Issue: URE self-reported that it failed to document its assessment and application of various patches on five applications.

Finding: RFC determined that the violation posed a minimal risk to BPS reliability because none of the affected applications were considered CCAs, only one of the five applications was issued a security patch during the relevant time period, URE assessed and applied patches for 97.8% of the applications within its ESP, the affected CAs are protected by URE’s security system, and URE has an established change management program. URE mitigated the issue by documenting the implementation of identified patches and improving its patch management process.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R2

Region: MRO

Issue: URE submitted a self-certification of noncompliance with the CIP-003-1 due to its failure to delegate to a single senior manager the responsibility and authority for its CIP obligations, including implementation and compliance and management of a CIP program.

Finding: The issue was found to pose minimal risk to BPS reliability because even though URE had not delegated the CIP responsibilities to a senior manager, there was a senior manager in charge of CIP compliance, but he had not been formally assigned as required by the Standard.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R2

Region: SERC

Issue: SERC Audit Staff reported that URE failed to delegate to a single senior manager the responsibility and authority for its CIP obligations, including implementation and compliance and management of a CIP program. URE did comply with the documentation requirement three months after the audit.

Finding: The issue was found to pose minimal risk to BPS reliability because URE has no CAs nor does it own or operate facilities considered CAs and even through URE had not assigned the responsibility of CIP compliance in writing, there was a manager performing the CIP compliance functions.

Unidentified Registered Entity, Docket No. RC12-12 (May 30, 2012)

Reliability Standard: CIP-003-1

Requirement: R2

Region: SERC

Issue: URE submitted a self-report reporting that it failed to document the delegation to a single senior manager responsibility and authority for its CIP obligations, including implementation and compliance and management of a CIP program. SERC Staff discovered that URE had assigned CIP compliance responsibility to its general manager, identifying the individual by name and title and dating the document; and on that same day, the general manager delegated his authority to a different manager.

Finding: The issue was found to pose minimal risk to BPS reliability because URE has no CAs nor does it own or operate facilities considered CAs. And, URE is a small utility.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1.3

Region: WECC

Issue: URE self-certified noncompliance stating that it did not annually review its entire cyber security policy in 2009 and 2010 (per R1.3). Although the policies that URE failed to review were outdated and not presently used, they were nevertheless a part of URE’s cyber security policy. URE’s employees were aware not to follow the outdated policies; however, WECC concluded that URE had failed to perform a complete annual review of its cyber security policy for the calendar years 2009 and 2010.

Finding: WECC determined the issue posed a minimal risk to the reliability of the BPS because while the procedures in question were not reviewed, the policies were outdated and not implemented by URE. In response, URE performed annual reviews and approved the current policies in use.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1.3

Region: WECC

Issue: URE self-certified noncompliance stating that it did not annually review its entire cyber security policy in 2010 (per R1.3). Although the policies that URE failed to review were outdated and not presently used, they were nevertheless a part of URE’s cyber security policy. WECC concluded that URE had failed to perform a complete annual review of its cyber security policy for the calendar year 2010.

Finding: WECC determined the issue posed a minimal risk to the reliability of the BPS because while the procedures in question were not reviewed, the policies were outdated and not implemented by URE. In response, URE performed annual reviews and approved the current policies in use.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 2

Region: SERC

Issue: During an audit, SERC found that URE failed to provide evidence assigning a senior manager with overall responsibility for leading and managing URE’s application of, and compliance with, CIP-002 to CIP-009, in accordance with R2, for approximately three years. URE produced documentation indicating it had authorized the signing of documents on behalf of URE by senior vice-presidents for SERC and NERC matters, as well as identified a single point of contact for the URE internal compliance program. However the documentation did not establish that URE had assigned a senior manager responsible for leading and managing URE’s implementation of and adherence to the Standard for approximately three years.

Finding: SERC determined the issue posed a minimal risk to the reliability of the BPS because URE had identified a senior manager as its single point of contact who was responsible for approving the risk-based assessment methodology, list of Critical Assets, and list of Critical Cyber Assets. In addition, URE has no Critical Assets and does not own or operate any facilities that meet the criteria for Critical Assets set forth in CIP-002-4.

Unidentified Registered Entity (URE), Docket No. RC12-15 (August 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 2

Region: WECC

Issue: WECC performed an offsite audit of URE’s compliance with R2 (among other Standards) and found that URE failed to designate a CIP senior manager with overall responsibility and authority for CIP-002 through CIP-009 (per R2). The Audit Team also determined that URE knew it did not have any CCAs because it had developed a null list of its Critical Assets. WECC determined the issue occurred from when the Standard became enforceable until URE designated a CIP senior manager with overall responsibility and authority for CIP-002 through CIP-009.

Finding: WECC determined this issue posed a minimal risk to the reliability of the BPS because URE had previously applied its RBAM and already knew prior to the occurrence of the issue that it did not have any Critical Assets and, as a result, did not have any CCAs. Consequently, WECC determined the potential for malicious conduct to CCAs did not exist.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-003-1

Requirement: 1.2

Region: SERC

Issue: During a spot check, SERC determined that URE had not made its cyber security policy readily available to all personnel who have access to, or are responsible for, the CCAs. URE's personnel were only able to access the portions of the cyber security policy that were applicable to their job responsibilities.

Finding: SERC found that the issue constituted only a minimal risk to BPS reliability since URE did provide portions of the cyber security policy to its personnel based on their roles and responsibilities. In addition, only 3.5% of URE's personnel who had access to CCAs, but did not have intranet access, had to depend on others to obtain a hard copy of the cyber security policy.

Unidentified Registered Entity (URE), Docket No. RC12-16 (September 28, 2012)

Reliability Standard: CIP-003-1

Requirement: 4

Region: SPP

Issue: During a spot check, SPP found that URE did not label certain documents as required by its energy information security classification policy.

Finding: SPP found that the issue constituted only a minimal risk to BPS reliability since the relevant documents were in electronic format and URE had installed a document security program that limits electronic access to the authorized users of the documents.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1

Region: WECC

Issue: FFT Entity self-certified that it was not conducting full annual reviews of its cyber security policy, as required, since it was not reviewing its policies that were outdated and not being used.

Finding: WECC found that the issue only constituted a minimal risk to BPS reliability since FFT Entity's relevant cyber security policies were outdated and not being used by FFT Entity. In addition, FFT Entity was performing annual reviews of its current cyber security policies.

Unidentified FFT Entity, FERC Docket No. RC13-1 (October 31, 2012)

Reliability Standard: CIP-003-1

Requirement: 1.1

Region: TRE

Issue: During a compliance audit, TRE determined that the 2009 and 2010 versions of FFT Entity's cyber security policy did not address all of the required Reliability Standards.

Finding: TRE found that the issue only constituted a minimal risk to BPS reliability since the 2011 version of FFT Entity's cyber security policy satisfied the Reliability Standard. In addition, FFT Entity has had a cyber security policy for many years (including prior to the mandatory compliance date) which has been reviewed on an annual basis and updated as needed that addressed the majority of the requirements in the Reliability Standards.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-003-1

Requirement: 1

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining a compliance issue with CIP-003-1 when it found it had not provided all personnel having access or responsibility for CCAs a copy of its cyber security policy.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. Only 12 contractors had not received the CSP, which URE1 did eventually provide. In addition, the contractors worked with a reputable company that provided support for many cyber systems. The contractors were very familiar with cyber security controls.

Unidentified Registered Entity 1 (URE1), Docket No. RC13-6-000 (February 28, 2013)

Reliability Standard: CIP-003-1

Requirement: 3

Region: SERC

Issue: URE1 submitted a self-report to SERC explaining a compliance issue with CIP-003-1. Due to a collective bargaining agreement, URE1 was unable to perform PRAs on union employees who had access to URE1's CCAs. Based on the circumstances, URE1 should have taken an exception to its cyber security policy, but it did not done so. Eventually, URE1 was granted authorization to conduct the PRAs on the union employees, and PRAs were completed.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The reason an exception was required was because of the collective bargaining agreement in place during the relevant time frame. CIP-004-3 has specific language stating that PRAs for employees with authorized CCA access are subject to existing collective bargaining agreements.

Unidentified Registered Entity 1 (RFC_URE1), Docket No. RC13-9, May 30, 2013

Reliability Standard: CIP-003-1

Requirement: 2; 2.1

Region: RFC

Issue: RFC_URE1 self-reported an issue with CIP-003-1 R2.1 to RFC when RFC_URE1 found that it lacked a separate specific document identifying the CIP senior manager by name, title, and date of designation for one year. The individual at issue is no longer the CIP senior manager, but he/she maintains a position with RFC_URE1 as the director of technical operations for an affiliate company.

Finding: RFC found that the issue posed a minimal risk to the reliability of the BPS because it was a documentation issue that lasted only for a short time, and pertained to an individual that is a trusted employee of an affiliate company.

Unidentified Registered Entity 1 (SERC_URE1), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-003-1

Requirement: R2

Region: SERC

Issue: SERC found, during a scheduled Compliance Audit, that SERC_URE1, prior to the enforceable period, failed to identify the CIP senior manager by name, title and date of designation. After the standard became mandatory, SERC_URE1 still did not assign a senior manager, and instead its parent company delegated power to and authorized SERC_URE1’s manager to sign any documentation required to certify NERC Reliability Standards compliance. SERC_URE1 also had changed the employee authorized to sign this documentation without notifying NERC of the change within 30 days. SERC_URE1 took 43 days before documenting the change.

Finding: SERC found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. SERC_URE1’s parent company did authorize the manager to sign required documentation to certify NERC Reliability Standards compliance. SERC_URE1 does not have any Critical Assets or own or operate any facilities meeting CIP-002-4’s definition of Critical Asset.

Unidentified Registered Entity 1 (SPP_URE1), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-003-1

Requirement: R4

Region: SPP RE

Issue: SPP RE, during a CIP Compliance Audit, determined that SPP_URE1 failed to classify its recovery plan for its physical access control system, its response plan, and its corporate procedure for all incident reporting and responding, as confidential. This classification is required by URE1’s information protection program.

Finding: SPP RE found that this issue posed a minimal, but not serious or substantial, risk to BPS reliability. SPP_URE1 failed to mark the three documents appropriately, but it did keep close control over document access, including use of password protection to access electronic copies. SPP_URE1 kept the confidential documents hardcopies behind access-controlled doors.

Unidentified Registered Entity 5 (SPP_URE5), Docket No. RC13-9-000 (May 30, 2013)

Reliability Standard: CIP-003-1

Requirement: R6

Region: SPP RE

Issue: SPP_URE5 self-reported that it failed to follow its documented change control and configuration management process for adding, modifying, replacing, or removing Critical Cyber Asset (CCA) hardware or software, as personnel other than the designated personnel approved changes to its CCAs.

Finding: SPP RE found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. SPP_URE5’s senior engineer was not designated to approve changes under SPP_URE5’s procedures for change control and configuration management, but the changes would have been approved in any event by the director, the designated official.