Attachment "C" CIP Data List For Sampling: RFC Action Required
Sequence of Completion
Phase 1 - RFC supplies Attachment C for entity to input required data.
Phase 2 - Entity completes the three green colored tabs: Critical Assets, Cyber Assets, and Personnel and submits to RFC via extranet
for more details.
Phase 3 - RFC performs sample selection and sends back to entity for detailed information requests (Device Sample and Personnel Sample tabs will be populated with requested samples)
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and Personnel Sample tabs completed)
Red colored tabs are meant to illustrate the information required once samples are selected by RFC. There is no need to fill in this information.
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in scope requirements with due dates and Samples as appropriate
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Next Steps:
After this Workbook is completed, sent to and received by ReliabilityFirst, the audit team will apply a sampling methodology to establish and define a specific random sample set to audit against. The audit team will then send Evidence Requests to the audited entity within 10 calendar days of receipt of a completed Attachment C and/or no later than sixty five (65) calendar days prior to the date of the Compliance Audit.
Requirement
CIP-002-3 R1
CIP-002-3 R1.1
CIP-002-3 R1.2
CIP-002-3 R1.2.1
CIP-002-3 R1.2.2
CIP-002-3 R1.2.3
CIP-002-3 R1.2.4
CIP-002-3 R1.2.5
CIP-002-3 R1.2.6
CIP-002-3 R1.2.7
CIP-002-3 R2
CIP-002-3 R3
CIP-002-3 R4
CIP-003-3 R1
CIP-003-3 R1.1
CIP-003-3 R1.2
CIP-003-3 R1.3
CIP-003-3 R2
CIP-003-3 R2.1
CIP-003-3 R2.2
CIP-003-3 R2.3
CIP-003-3 R2.4
CIP-003-3 R3
CIP-003-3 R3.1
CIP-003-3 R3.2
CIP-003-3 R3.2
CIP-003-3 R3.3
CIP-003-3 R4
CIP-003-3 R4.3
CIP-003-3 R5
CIP-003-3 R5.1
CIP-003-3 R5.1.2
CIP-003-3 R5.2
CIP-003-3 R5.3
CIP-003-3 R6
CIP-003-3 R6
CIP-004-3 R1
CIP-004-3 R1
CIP-004-3 R2
CIP-004-3 R2.1
CIP-004-3 R2.2
CIP-004-3 R2.3
CIP-004-3 R3
CIP-004-3 R3
CIP-004-3 R3.1
CIP-004-3 R3.2
CIP-004-3 R3.3
CIP-004-3 R4
CIP-004-3 R4.1
CIP-004-3 R4.1
CIP-004-3 R4.2
CIP-004-3
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R1
CIP-005-3 R2
CIP-005-3 R2.1, R2.2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2
CIP-005-3 R2.4
CIP-005-3 R2.6
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R3
CIP-005-3 R3.1
CIP-005-3 R3.2
CIP-005-3 R4
CIP-005-3 R4.1
CIP-005-3 R4.5
CIP-005-3 R4.5
CIP-005-3 R5 & R5.1
CIP-005-3 R5.2
CIP-005-3 R5.3
CIP-006-3 R1
CIP-006-3 R1
CIP-006-3 R1.1
CIP-006-3 R1.1
CIP-006-3 R1.2
CIP-006-3 R1.2
CIP-006-3 R1.3
CIP-006-3 R1.3
CIP-006-3 R1.4
CIP-006-3 R1.5
CIP-006-3 R1.6
CIP-006-3 R1.6
CIP-006-3 R1.7
CIP-006-3 R1.8
CIP-006-3 R2.1
CIP-006-3 R2.2
CIP-006-3 R3
CIP-006-3 R4
CIP-006-3 R5
CIP-006-3 R6
CIP-006-3 R7
CIP-006-3 R8
CIP-006-3 R8.1
CIP-006-3 R8.2
CIP-006-3 R8.3
CIP-007-3 R1
CIP-007-3 R1
CIP-007-3 R1
CIP-007-3 R1.1
CIP-007-3 R1.2
CIP-007-3 R1.3
CIP-007-3 R2
CIP-007-3 R2.3
CIP-007-3 R3
CIP-007-3 R3
CIP-007-3 R3
CIP-007-3 R4
CIP-007-3 R4
CIP-007-3 R4
CIP-007-3 R5
CIP-007-3 R5.1.1
CIP-007-3 R5.1.2
CIP-007-3 R5.1.3
CIP-007-3 R5.2
CIP-007-3 R5.2
CIP-007-3 R5.3
CIP-007-3 R5.3
CIP-007-3 R5.3.1
CIP-007-3 R5.3.2
CIP-007-3 R5.3.3
CIP-007-3 R6
CIP-007-3 R6
CIP-007-3 R6.1
CIP-007-3 R6.2
CIP-007-3 R6.2
CIP-007-3 R6.3
CIP-007-3 R6.4, R6.5
CIP-007-3 R7
CIP-007-3 R7.3
CIP-007-3 R8
CIP-007-3 R8.1
CIP-007-3 R8.4
CIP-007-3 R8.4
CIP-007-3 R9
CIP-008-3 R1
CIP-008-3 R1.1
CIP-008-3 R1.2
CIP-008-3 R1.2
CIP-008-3 R1.2
CIP-008-3 R1.3
CIP-008-3 R1.3
CIP-008-3 R1.4
CIP-008-3 R1.4
CIP-008-3 R1.5
CIP-008-3 R1.6
CIP-008-3 R2
CIP-009-3 R1
CIP-009-3 R1
CIP-009-3 R1.1
CIP-009-3 R1.1
CIP-009-3 R1.2
CIP-009-3 R1
CIP-009-3 R2
CIP-009-3 R3
CIP-009-3 R4
CIP-009-3 R5
Notes
1. Evidence identified in this listing is the result of each requirement. This listing is intended to provide guidance to the
audits or continued compliance. Submission of identified evidence does not guarantee a finding of compliance to the requirement
all relevant evidence submitted and make final determinations of compliance based upon the literal language of the requirement
compliance.
2. Evidence identified in this column must be submitted 40 days before the scheduled audit review date.
3. Evidence identified in this column must be submitted as designated by ReliabilityFirst.
Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list
If applicable, provide evidence of delegation of authority, including the specific actions for which authority is delegated and the effective date of the delegation
If applicable, provide evidence that exceptions from the requirements of the cyber security policy were documented and authorized by the senior manager or delegate(s).
Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period
For each exception to the cyber security policy, provide evidence of the date of approval
For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception
For each exception to the cyber security policy, provide evidence of any compensating measures
For each exception to the cyber security policy, provide evidence of the annual review
Provide information protection program
Provide evidence of an annual assessment of information protection program
Provide access control program
Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information
Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information
Provide evidence of annual review of access privileges
Provide evidence of the annual assessment of processes for controlling access privileges to protected information
Provide the process for change control and configuration management
Provide evidence that the change control and configuration management process has been implemented
For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it resides
For each ESP, identify each Cyber Asset residing within the perimeter
For each ESP, identify each access point to the ESP
For each ESP, identify each cyber asset used in the access control of the ESP
For each ESP, identify each cyber asset used in the monitoring of the ESP
For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control devices
For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP
For R2.1, provide evidence that a deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP.
For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by default
Provide the procedure for securing dial-up access to each ESP
Provide evidence that the procedure for securing dial-up access to each ESP has been implemented, or an attestation that no dial-up access exists for the ESP in question
For each ESP, if external interactive access to the ESP has been enabled, describe the controls used to authenticate the user
For each access control device, provide the document identifying the content of the acceptable use banner
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points to each ESP
Provide evidence that the above processes have been implemented
Provide evidence that the above processes are operational twenty-four hours a day, seven days a week
If applicable, provide evidence of alerts and notification of response personnel
If applicable, provide evidence of review or assessment of access logs
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points, provide evidence of manual review of logs at least every 90 days. Provide evidence of the 90 days prior to the 90 day notification.
For each ESP, provide documentation of the annual cyber vulnerability assessment
Provide documentation of vulnerability assessment process
For Access Points selected, provide evidence that access logs are retained for at least ninety calendar days.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
Provide Physical Security Plan
Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s)
For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset.
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those access points
For each PSP, provide evidence that the measures above have been implemented
For each PSP, provide documentation of the processes, tools, and procedures for monitoring of physical access to the PSP
For each PSP, provide evidence that the processes, tools and procedures above have been implemented
Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls
Provide documentation of review of access authorization requests and revocation of access authorization, in accordance with CIP-004-3 Requirement R4.
For each PSP, provide logs of visitor entry and exit
For each PSP, provide evidence of continuous escorted access of visitors
Provide evidence that Physical Security Plan was updated within 30 calendar days of a physical security change
Provide evidence of an annual review of the Physical Security Plan
Provide documentation that physical access control systems are protected from unauthorized physical access
Provide documentation that physical access control systems are afforded the protective measures in the referenced requirements; this may be addressed as part of the individual applicable requirements or directly in response to this requirement
Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter
For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points to the PSP
Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification. (Supply for all PSPs that the Sampled Assets reside in)
Provide documentation identifying the methods for logging physical access
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days worth of logs.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
(Supply for all PSPs that the Sampled Assets reside in)
For each PSP, provide evidence of a maintenance and testing program for all physical security systems
For each PSP, provide evidence of testing and maintenance of all physical security mechanisms
For each PSP, provide the retention period for the testing and maintenance records
For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring
Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures
Provide evidence that all cyber security controls have been included in the test plans
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested.
Provide evidence for the past year immediately prior to the 90 day notification.
Provide documentation that testing was performed in a manner that minimizes impact on the production environment
Provide documentation that testing was performed in a manner that reflects the production environment
Provide documentation of test results
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide the security patch management program
For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches.
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates.
Provide documentation of the process used to update anti-malware signatures
If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C)
Provide documentation of technical and procedural controls that enforce access authentication and accountability of all user activity
Provide evidence that user accounts are implemented as authorized
Provide evidence of audit trails of individual user account activity demonstrating 90 days worth of logs/audit trails. Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
For each Cyber Asset selected, provide evidence that logs of system events related to cyber security are maintained and reviewed.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the ESP
Provide records that assets were disposed of or redeployed in accordance with documented procedures
Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP
Provide documentation of vulnerability assessment process
Provide documentation of results of annual cyber vulnerability assessment
If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan
Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007
Asset Function - Enter the function of the Critical Asset, e.g. Primary/Back-Up/Alternate Control Center, Substation
Responsible Registered Entity- For a combined audit of multiple registered entities
Cyber Assets (List of all Cyber Assets and the associated ESP and PSP- Indicate CCA, NCCA, AP, EACM, PACS)
Cyber Asset Name - Name of the Cyber Asset
Critical Asset Name - Name of the Critical Asset where the Cyber Asset resides
ESP Name - Name of ESP containing Cyber Asset
PSP Name - Name of PSP containing Cyber Asset
Vendor - Name of vendor for identified Cyber Asset
Model - Model Name and Number of identified Cyber Asset
IOS / Platform or Operating System - Name of platform or operating system running on the Cyber Asset (e.g. Windows, etc.)
Virtual Machine - Enter "Yes" or "No" if the asset is a virtual machine
Asset Type - Enter the type of device, e.g. workstation, server, firewall, switch, IDS, printer, database, etc.
Supporting Organization - Name of internal organization supporting identified CA (e.g. EMS, Substation, Corp IT, etc.)
Cyber Asset Type (CCA, NCCA, AP, EACM, PACS)
Responsible Registered Entity- For a combined audit of multiple registered entities
Indicate if Critical under CIP-002 Version 3 criteria-(Y/N)
Indicate if Critical under CIP-002 Version 4 criteria-(Y/N)-This is only relevant if Entity has incorporated or adopted
BES Cyber Systems Impact Rating-(High/Medium/Low)- This is only relevant if Entity has incorporated or adopted
Personnel Sample (List of all personnel with authorized cyber or authorized unescorted physical access to NERC CIP cyber assets or personnel with access to protected information only and identification of terminated personnel or personnel role changes within the past twelve (12) months)
Name - Name of individual
Access Type - Should be Physical, Cyber, Both or Protected Information only
Personnel Type - Should be Employee, Contractor, Vendor or Other
Date of Termination and/or Personnel Role Change - Identify the date of termination or personnel organization change. Enter N/A if active employee and no personnel role and responsibility change within past twelve (12) months.
Responsible Registered Entity- For a combined audit of multiple registered entities
Sequential number | Critical Asset | Asset Function | Responsible Registered Entity | Indicate if Critical under Version 3 criteria | Indicate if Critical under Version 4 criteria | BES Cyber Systems Impact Rating Version 5 Criteria
1 | SOUTHPARK | PRIMARY CONTROL CENTER | RE1 | Y | N | High
2 | NORTHPARK | BACK-UP CONTROL CENTER | RE2 | Y | Y | Medium
3 | CEDARCREEK | SUBSTATION | RE3 | N | Y | Low
Sequential number | Cyber Asset Name | Critical Asset where CCA resides | Name of ESP where CA resides | Name of PSP where CA resides | Vendor | Model | IOS / Platform or Operating System | Virtual Machine | Asset Type | Supporting Organization | Cyber Asset Type (choose only one from example list) | Responsible Registered Entity | Indicate if Critical under Version 3 criteria | Indicate if Critical under Version 4 criteria | BES Cyber Systems Impact Rating
1 | EXAMPLE_ABC | SOUTHPARK | EXAMPLE_PCC | EXAMPLE_PSP | IBM | NetVista | Windows 2000 | Yes | PC/Laptop | EMS | CCA | RE1 | Y | N | High
2 | EXAMPLE_DEF | NORTHPARK | EXAMPLE_SCC | EXAMPLE2_PSP | HP | AU600 | TRU64 UNIX | Yes | Server | Corporate IT | NCCA | RE2 | Y | Y | Medium
3 | EXAMPLE_GHI | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE3_PSP | Gener | B2NR8NX0D | N/A | No | Relay | Substation | AP | RE3 | N | Y | Low
4 | EXAMPLE_JKL | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE4_PSP | Gener | B2NR8NX0D | N/A | No | Router | Corporate IT | EACM | RE4 | Y | Y | Low
5 | EXAMPLE_MNO | SOUTHPARK | EXAMPLE_SUBSTATION | EXAMPLE5_PSP | Gener | B2NR8NX0D | N/A | No | Server | Corporate IT | PACS | RE5 | Y | Y | Low
Sequential number | Name | Access Type | Personnel Type | Date of Termination | Date of Personnel Change | Responsible Registered Entity | Terminated for Cause?
1 | LASTNAME, FIRSTNAME | Physical Access | Contractor | N/A | 12/15/2011 | RE1 | Y/N
2 | LASTNAME2, FIRSTNAME2 | Cyber Access | Vendor | 12/15/2011 | 12/15/2011 | RE2 | Y/N
3 | LASTNAME3, FIRSTNAME3 | Both | Employee | N/A | 1/3/2012 | RE3 | Y/N
4 | LASTNAME3, FIRSTNAME4 | Protected Information only | Employee | N/A | 1/3/2012 | RE3 | Y/N
Device Sample Matrix columns: Sequential number; Critical Cyber Asset Name; Critical Asset where CCA resides; Name of ESP where CCA resides; Name of PSP where CCA resides; Vendor; Model; IOS / Platform or Operating System; Virtual Machine; Asset Type; Supporting Organization; Cyber Asset Type (CCA, NCCA, AP, EACM, PACS); Responsible Registered Entity; Indicate if Critical under Version 3 criteria; Indicate if Critical under Version 4 criteria; BES Cyber Systems Impact Rating (Version 5 Only)
Evidence columns, one per sampled requirement: CIP3 R6; CIP5 R3.2; CIP5 R5.3; CIP6 R5; CIP6 R7; CIP7 R1; CIP7 R2; CIP7 R3; CIP7 R4; CIP7 R5.1.2; CIP7 R6; CIP 9 R1
CIP3 R6: For the selected Cyber Assets, provide documentation to demonstrate that the change control and configuration management process has been implemented. Provide changes for the past year immediately prior to the 90 day notification.
Personnel Sample Matrix columns: Sequential number; Name; Access Type; Personnel Type; Responsible Registered Entity; TRAINING (2012 DATES; 2013 DATES; OLDEST ON RECORD; MOST RECENT; NEXT; ATTENDANCE LOG REQUESTED (Y/N)); PRA DATES (OLDEST ON RECORD; MOST RECENT; NEXT; PRA SAMPLE DATE); PRA CONTENTS (SS# CHECK (Y/N); 7 YR CRIMINAL CHECK (Y/N)); PRA CONTENTS (RFC to complete) (REDACTED PRA RECEIVED (for most recent PRA); AUTHORIZATION (for most recent PRA)); CURRENT STATUS - ACTIVE / IN ACTIVE; ANY CHANGE IDENTIFIED (Y/N); IF YES, DATE CHANGE MADE; DATE ACCESS REQUESTED; DATE ACCESS GRANTED; ACCESS AUTHORIZATION DATE; NON EMPLOYMENT ACCESS RIGHTS (Y/N); ACCESS REVOCATION REQUIRED (Y/N); ACCESS REVOCATION DATE; TERMINATED FOR CAUSE (Y/N); TERMINATION DATE; ACCESS NO LONGER REQUIRED (Y/N); ENTITY COMMENTS; RFC COMMENTS
PRA and Training evidence column: Provide evidence of redacted background check and training records. (Name of PDF file for submitted evidence)
Personnel requirement columns: CIP 6 R1.5; CIP 7 R5
Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted
physical access to NERC CIP cyber assets or personnel with access to protected information
only and identification of terminated personnel or personnel role changes within the past
twelve (12) months)
Pull required samples using approved methodology and merge with Personnel Sample
Template. Change Personnel Sample tab color to Green prior to sending to entity.
Name - Name of individual
Access Type - Should be Physical, Cyber, Both or Protected Information only
Personnel Type - Should be Employee, Contractor, Vendor or Other
Date of Termination and/or Personnel Role Change - Identify the date of termination or
personnel organization change. Enter N/A if active employee and no personnel role and
responsibility change within past twelve (12) months.
Responsible Registered Entity- For a combined audit of multiple registered entities
Device Sample (List of selected Cyber Assets and the associated Standards and Requirements)
Please provide an evidence file reference for each Standard/Requirement column listed that is
not "greyed out". It is preferred that each requirement will have one PDF file with the
information contained within for all the samples within that requirement.
Personnel Sample (List of selected personnel with authorized cyber or authorized unescorted
physical access to NERC CIP cyber assets or personnel with access to protected information
only and identification of terminated personnel or personnel role changes within the past
twelve (12) months)
Complete the required fields for each person
In the PRA and Training column, it is required to have one evidence file for all the samples
within this column. In this file, please include the appropriate training records and redacted
background check for the selected individuals.
Color Coded Tabs
Entity populates green tabs
Red colored tabs are meant to illustrate the information required once samples are selected by
RFC. There is no need to fill in this information.
Yellow colored Tab is customized by the ATL to assist the entity via a list of applicable in
scope requirements with due dates and Samples as appropriate
Sequence of Completion
Phase 1- RFC supplies Attachment C for entity to input required data.
Phase 2- Entity completes the three green colored tabs Critical Assets, Cyber Assets, and
Personnel and submits to RFC via extranet
Phase 3 - RFC performs sample selection and sends back to entity for detailed information
requests (Device Sample and Personnel Sample tabs will be populated with requested
samples)
Phase 4 - Entity supplies detailed information back to RFC via extranet (Device Sample and
Personnel Sample tabs completed)
Acronyms:
EACM - Electronic Access Control and Monitoring
AP - Access Point
CCA - Critical Cyber Asset
ESP - Electronic Security Perimeter
NCCA - Non-Critical Cyber Asset
PSP - Physical Security Perimeter
PACS - Physical Access Control System
Changes tab (columns: Date, Name, Version Number, Changes)
Name and Version Number, in the order listed: Bob Yates (1); Bob Yates (2); Bob Yates; Kristie Purcell; Rhonda Bramer; Rhonda Bramer (5.1); Todd Thompson (5.2); John Kellerhals (5.3, 5.4, 5.5, 6, 6.1, 6.2, 6.3); John Kellerhals (6.4); John Kellerhals (6.5); John Kellerhals (6.6); John Kellerhals (6.7); John Kellerhals (6.8)
Changes, in the order listed:
Initial release of Attachment C spreadsheet
Added type to Critical assets, critical cyber assets and non-critical cyber assets
Added a changes tab and instruction to gather the total population of changes from 10/1/2010 through the 90 day notification. This will allow for sampling of changes for CIP-003 R6
Changed due date in instructions from 30 days to 75 days.
6.4: Added columns AS and AT to personnel sample matrix and revised Personnel sample instructions for phase 2 and 3.
6.5: Added columns E,F,G to Critical Assets Tab and columns N,O,P to Cyber Assets Tab and Columns N,O,P to Device Sample Matrix tab to accommodate transition from V3 to V4 to V5 of the CIP Standards. Added related instructions to the Phase 2 and Phase 3 Instructions tabs.
Added a "Yes" or "No" column for "Virtual Machine" in the following tabs: Critical Cyber Assets, Non-Critical Cyber Assets, ESP Access Points and Access Control and Monitoring. Also updated the Instructions Tab to reflect the change above.
Incorporated multiple sample sheets into this spreadsheet for ease of use.
Added Responsible Registered Entity Columns to support combined audits
Included feedback suggestions from entities
Release including instructions for 4 phases
Release including instructions for 4 phases
Aligned Custom Evidence List with the updated samples
Adjusted Device Sample Matrix for AP CIP-005