Issue: While conducting a compliance audit, ReliabilityFirst determined that FFT Entity violated CIP-008-3 R1.6 because its Cyber Security Incident Response Plan (Response Plan) did not include a procedure directing FFT Entity to test the Response Plan at least annually. While no documented procedure was in place, FFT Entity proved that it did annually test the Response Plan.
Finding: The issue posed only a minimal risk to BPS reliability because, although FFT Entity did not have a documented procedure to test the Response Plan, it did test the Response Plan annually.
Issue: RFC_URE4 self-reported to RFC an issue with CIP-008-3 R1: on several occasions, the entity failed to implement its procedure for updating its Cyber Response Plans within 30 calendar days of any changes. In particular, the entity did not change referenced procedure versions or designation numbers in its Cyber Response Plans and did not update the Standard and Requirement language within 30 calendar days of the change from version 2 to version 3 of the CIP Reliability Standards.
Finding: RFC found that the issue posed a minimal risk to the reliability of the BPS because it was a documentation issue, and the updates that the entity failed to make were administrative in nature rather than substantive changes to the Cyber Response Plan.