Standard
Requirement
Evidence
40 Days
Upon Request
CIP-002-3 R1 Provide Risk Based Assessment Methodology (RBAM) X
CIP-002-3 R1.1 Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are risk-based X
CIP-002-3 R1.2 Provide evidence that all required BES asset categories were evaluated by the RBAM for inclusion on Critical Asset List X
CIP-002-3 R1.2.1 Provide evidence that all control centers and backup control centers were considered by the RBAM X
CIP-002-3 R1.2.2 Provide evidence that all transmission substations were considered by the RBAM, and that evaluation of these assets was performed at the substation level X
CIP-002-3 R1.2.3 Provide evidence that all generation resources were considered by the RBAM, and that evaluation of these assets was performed at the level of greatest commonality X
CIP-002-3 R1.2.4 Provide evidence that at least the generator(s) used in the preferred restoration path are identified as Critical Assets
If applicable, provide system restoration plan X
CIP-002-3 R1.2.5 Provide evidence that all automatic load shedding systems meeting the parameters of the standard were considered by the RBAM X
CIP-002-3 R1.2.6 Provide evidence that all special protection systems were considered by the RBAM X
CIP-002-3 R1.2.7 Provide evidence of any additional assets considered by the RBAM X
CIP-002-3 R2
Provide Critical Asset List derived through annual application of RBAM
Provide evidence of annual review of the Critical Asset list
Supporting Evidence:
For BES assets that were added or acquired, provide evidence that said assets were evaluated by the RBAM
X
CIP-002-3 R3
Provide list of Critical Cyber Assets
Provide evidence that all cyber assets associated with each Critical Asset were evaluated as possible Critical Cyber Assets
Supporting Evidence:
If a comprehensive list of Cyber Assets was used as the basis for evaluation, provide this list. The list should be 1) grouped by Critical Asset 2) have a unique identifier for the Cyber Asset such as a device name 3) the type of Cyber Asset (e.g. server, workstation, network device, etc.) 4) the reliability functions the Cyber Asset supports 5) the network segments the Cyber Asset is connected to (network segment identifier or Class C address space as depicted on a network topology diagram). If a comprehensive list of Cyber Assets was not used as a basis for this evaluation, provide an explanation of how the Cyber Assets associated with the Critical Asset were identified for consideration as a Critical Cyber Asset and the list of Cyber Assets considered.
X
CIP-002-3 R4 Provide evidence that the senior manager or delegate approved RBAM, CA list, and CCA list X
CIP-003-3 R1
Provide Cyber Security Policy
Supporting Evidence:
Provide all policies referenced by the cyber security policy that address any of the requirements in CIP-002-3 through CIP-009-3
X X
CIP-003-3 R1.1 Provide evidence that each version of the cyber security policy addresses each of the requirements in CIP-002-3 through CIP-009-3 and contains provision for emergency situations X
CIP-003-3 R1.2 Provide evidence that the Cyber Security Policy, including any policy incorporated by reference, has been made readily available to all personnel with authorized electronic or unescorted physical access to any Critical Cyber Asset X
CIP-003-3 R1.3 Provide evidence that each version of the cyber security policy, including any policy incorporated by reference, has been approved by the senior manager assigned per R2 X
ReliabilityFirst CIP Evidence List
CIP-003-3 R2 Provide evidence of the assignment of a senior manager, including date of designation and effective date of any changes X
CIP-003-3 R2.1 Provide evidence that the assignment of the senior manager includes the required information X
CIP-003-3 R2.2 If applicable, provide the effective date of any change to the assignment of the senior manager X
CIP-003-3 R2.3 If applicable, provide evidence of delegation of authority, including the specific actions for which authority is delegated and the effective date of the delegation X
CIP-003-3 R2.4 If applicable, provide evidence that exceptions from the requirements of the cyber security policy were documented and authorized by the senior manager or delegate(s). X
CIP-003-3 R3 Provide documentation of exceptions to the Cyber Security Policy, including expired exceptions, or an assertion that there have been no exceptions to the Cyber Security Policy during the compliance period Not in Scope X
CIP-003-3 R3.1 For each exception to the cyber security policy, provide evidence of the date of approval Not in Scope X
CIP-003-3 R3.2 For each exception to the cyber security policy, provide evidence of the explanation of the necessity for the exception Not in Scope X
CIP-003-3 R3.2 For each exception to the cyber security policy, provide evidence of any compensating measures Not in Scope X
CIP-003-3 R3.3 For each exception to the cyber security policy, provide evidence of the annual review Not in Scope X
CIP-003-3 R4 Provide information protection program x X
CIP-003-3 R4.3 Provide evidence of an annual assessment of information protection program x X
CIP-003-3 R5 Provide access control program X
CIP-003-3 R5.1 Provide list of designated personnel who are responsible for authorizing logical or physical access to protected information X
CIP-003-3 R5.1.2 Provide evidence of annual verification of the list of personnel responsible for authorizing access to protected information X
CIP-003-3 R5.2 Provide evidence of annual review of access privileges X
CIP-003-3 R5.3 Provide evidence of the annual assessment of processes for controlling access privileges to protected information X
CIP-003-3 R6 Provide the process for change control and configuration management X
CIP-003-3 R6 Provide evidence that the change control and configuration management process has been implemented See Device Sampling Tab
CIP-004-3 R1 Provide awareness program Not in Scope
CIP-004-3 R1 Provide evidence of awareness reinforcement Not in Scope See Personnel Sampling Tab
CIP-004-3 R2
Provide Cyber Security Training Program
Supporting Evidence:
Addresses to whom it applies, delivery, review, and update frequencies
See Personnel Sampling Tab
CIP-004-3 R2.1
Provide Training Documentation, i.e., attendance records
Supporting Evidence:
Include all relevant personnel that documents date of authorization and date of training
See Personnel Sampling Tab
CIP-004-3 R2.2 Provide training material that addresses all of R2.2 and its sub requirements See Personnel Sampling Tab
CIP-004-3 R2.3 Provide training documentation that includes annual training completion dates See Personnel Sampling Tab
CIP-004-3 R3 Provide Personnel Risk Assessment program X
CIP-004-3 R3.3
Provide documentation of assessment results for all relevant personnel
Supporting Evidence:
Documentation, i.e., database, application or spreadsheet that shows proof of assessments matched against CIP-004 R4 list(s)
Contract agreements and associated documentation
See Personnel Sampling Tab
CIP-004-3 R4
Provide list(s), i.e., spreadsheet, database or other application that tracks all electronic and physical access rights
Supporting Evidence:
Documentation of authorized access approvals
See Personnel Sampling Tab
CIP-004-3 R4.1 Provide documentation that the list(s) is reviewed quarterly and updated within seven days of any change of access X
CIP-004-3 R4.1 Provide documentation that access list(s) for contractors and service vendors are properly maintained See Personnel Sampling Tab
CIP-004-3 R4.2 Provide documentation that access is revoked within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer need access See Personnel Sampling Tab
CIP-004-3
Supporting Evidence for CIP-004 R2, R3, & R4:
Provide the following in a spreadsheet, database, etc. for anyone with electronic or physical access to a CCA
Employee name and ID (unique identifier)
Date electronic access granted
Specific electronic access granted
Date physical access granted
Specific physical access granted
Date electronic access removed
Date physical access removed
Date of original training
Date of annual training
Date initial PRA completed
Date PRA updated
See Personnel Sampling Tab
CIP-005-3 R1 For each Critical Cyber Asset identified per CIP-002-3 R3, identify the Electronic Security Perimeter (ESP) within which it resides X
CIP-005-3 R1 For each ESP, identify each Cyber Asset residing within the perimeter X
CIP-005-3 R1 For each ESP, identify each access point to the ESP X
CIP-005-3 R1 For each ESP, identify each cyber asset used in the access control of the ESP X
CIP-005-3 R1 For each ESP, identify each cyber asset used in the monitoring of the ESP X
CIP-005-3 R1 For each ESP, provide a high-level diagram showing the major systems protected, all access points, and all access control devices X
CIP-005-3 R2 For each ESP, provide documentation of processes and mechanisms for control of electronic access to the ESP X
CIP-005-3 R2.1, R2.2
For R2.1, provide evidence that deny-by-default policy is deployed to sampled Access Points. For R2.2, provide evidence for each sampled Access Point that Ports and Services are configured/implemented for operations and for monitoring of cyber assets, including justification, within the respective ESP. See Device Sampling Tab
CIP-005-3 R2 For each cyber asset used in the access control of an ESP, provide evidence that the access control model denies access by default X
CIP-005-3 R2 Provide the procedure for securing dial-up access to each ESP X
CIP-005-3 R2 For each access control device, provide the document identifying the content of the acceptable use banner X
CIP-005-3 R2.4 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-005-3 R2.6 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-005-3 R3 For each ESP, provide the documented electronic or manual processes for monitoring and logging access at access points to each ESP X
CIP-005-3 R3 Provide evidence that the above processes have been implemented X
CIP-005-3 R3 Provide evidence that the above processes are operational twenty-four hours a day, seven days a week X
CIP-005-3 R3 If applicable, provide evidence of alerts and notification of response personnel X
CIP-005-3 R3 If applicable, provide evidence of review or assessment of access logs X
CIP-005-3 R3.1 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-005-3 R3.2
Provide evidence of alerts for each sampled Access Point where attempts at or actual unauthorized accesses were detected. If alerting was not technically feasible for sampled Access Points, provide evidence of manual review of logs at least every 90 days. Provide evidence of the 90 days prior to the 90 day notification.
See Device Sampling Tab
CIP-005-3 R4 For each ESP, provide documentation of the annual cyber vulnerability assessment X
CIP-005-3 R4.1 Provide documentation of vulnerability assessment process X
CIP-005-3 R4.5 Provide documentation of results of annual vulnerability assessment X
CIP-005-3 R4.5 If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan X
CIP-005-3 R5 & R5.1 Provide documentation of annual review for all evidence for CIP-005 X
CIP-005-3 R5.2 Provide evidence that updates to network control documentation were made within 90 days of a change X
CIP-005-3 R5.3
For Access Points selected provide evidence that access logs are retained for at least ninety calendar days.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
See Device Sampling Tab
CIP-006-3 R1 Provide Physical Security Plan X
CIP-006-3 R1 Provide documentation of approval of Physical Security Plan by the senior manager or delegate(s) X
CIP-006-3 R1.1 For each Cyber Asset within an ESP, identify the Physical Security Perimeter (PSP) associated with that Cyber Asset. X
CIP-006-3 R1.1 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-006-3 R1.2 For each PSP, provide identification of all physical access points through the PSP and measures to control entry at those access points X
CIP-006-3 R1.4 Provide documentation of visitor pass management, response to loss, and prohibition of inappropriate use of physical access controls X
CIP-006-3 R1.5 Provide documentation of review of access authorization requests and revocation of access authorization, in accordance with CIP-004-3 Requirement R4. X
CIP-006-3 R1.6 For each PSP, provide logs of visitor entry and exit X
CIP-006-3 R1.6 For each PSP, provide evidence of continuous escorted access of visitors X
CIP-006-3 R1.7 Provide evidence that Physical Security Plan was updated within 30 calendar days of a physical security change X
CIP-006-3 R1.8 Provide evidence of an annual review of the Physical Security Plan X
CIP-006-3 R2.1 Provide documentation that physical access control systems are protected from unauthorized physical access X
CIP-006-3 R2.2 Provide documentation that physical access control systems are afforded the protective measures in the referenced requirements; this may be addressed as part of the individual applicable requirements or directly in response to this requirement X
CIP-006-3 R3 Provide documentation that electronic access control systems are located within an identified Physical Security Perimeter X
CIP-006-3 R4 For each PSP, provide documentation of operational and procedural controls to manage physical access at all access points to the PSP X
CIP-006-3 R5 Provide evidence that unauthorized access attempts are reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008-3. Provide evidence of the 90 days prior to the 90 day notification. See Device Sampling Tab
CIP-006-3 R6 Provide documentation identifying the methods for logging physical access X
CIP-006-3 R6 For each PSP, provide logs of physical entry to the PSP X
CIP-006-3 R7
Provide evidence of physical access logs for the implemented logging solution(s) that demonstrates 90 calendar days' worth of logs.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
See Device Sampling Tab
CIP-006-3 R8 For each PSP, provide evidence of a maintenance and testing program for all physical security systems X
CIP-006-3 R8.1 For each PSP, provide evidence of testing and maintenance of all physical security mechanisms X
CIP-006-3 R8.2 For each PSP, provide the retention period for the testing and maintenance records X
CIP-006-3 R8.3 For each PSP, provide the retention period for outage records regarding access controls, logging and monitoring X
CIP-007-3 R1 Provide evidence that all Cyber Assets within the Electronic Security Perimeter are subject to the required test procedures X
CIP-007-3 R1 Provide evidence that all cyber security controls have been included in the test plans X
CIP-007-3 R1
Provide evidence (including test results) that all significant updates made to Cyber Assets selected have been tested. Provide evidence for the past year immediately prior to the 90 day notification. See Device Sampling Tab
CIP-007-3 R1.1 Provide documentation that testing was performed in a manner that minimizes impact on the production environment X
CIP-007-3 R1.3 Provide documentation of test results X
CIP-007-3 R2
For each Cyber Asset selected, provide a list of each active port and service. For each active port and service identified, provide a description of the port or service and identify the need for that port or service to be enabled See Device Sampling Tab
CIP-007-3 R2.3 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R3 Provide the security patch management program X
CIP-007-3 R3 For each Cyber Asset selected, provide evidence of the assessment and implementation of security patches. See Device Sampling Tab
CIP-007-3 R3 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R4
For each Cyber Asset selected, provide evidence of the implementation of anti-virus and malware prevention tools and testing and installation of signature updates. See Device Sampling Tab
CIP-007-3 R4 Provide documentation of the process used to update anti-malware signatures X
CIP-007-3 R4 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R5 Provide documentation of technical and procedural controls that enforce access authentication and accountability of all user activity X
CIP-007-3 R5.1.1 Provide evidence that user accounts are implemented as authorized X
CIP-007-3 R5.1.2
Provide evidence of audit trails of individual user account activity demonstrating 90 days' worth of logs/audit trails.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
See Device Sampling Tab
CIP-007-3 R5.1.3 Provide evidence of an annual review of user accounts to verify access privileges X
CIP-007-3 R5.2 Provide policy on use of administrator, shared, and other generic account privileges X
CIP-007-3 R5.2 Identify those individuals with access to shared accounts X
CIP-007-3 R5.3 Provide evidence that passwords adhere to 5.3 sub requirements as technically feasible X
CIP-007-3 R5.3 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R5.3.1 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R5.3.2 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R5.3.3 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R6 Provide explanation of how security status monitoring is implemented X
CIP-007-3 R6 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R6.1 Provide documentation of the mechanisms to monitor security events within each ESP See Device Sampling Tab
CIP-007-3 R6.2 Provide a listing of alerts generated by the monitoring systems See Device Sampling Tab
CIP-007-3 R6.3 Provide evidence that logs of system events related to cyber security are maintained See Device Sampling Tab
CIP-007-3 R6.3 If TFE is used to meet this requirement include information in the TFE Workbook (Separate spreadsheet from Attachment C) X
CIP-007-3 R6.4, R6.5
For each Cyber Asset selected provide evidence that logs of system events related to cyber security are maintained and reviewed.
Provide evidence for the following dates:
Date1
Date2
Date3
Date4
Date5
See Device Sampling Tab
CIP-007-3 R7 Provide documentation on methods, processes, and procedures for disposal or redeployment of Cyber Assets within the ESP X
CIP-007-3 R7.3 Provide records that assets were disposed of or redeployed in accordance with documented procedures X
CIP-007-3 R8 Provide documentation of the annual vulnerability assessment of all Cyber Assets within the ESP X
CIP-007-3 R8.1 Provide documentation of vulnerability assessment process X
CIP-007-3 R8.4 Provide documentation of results of annual cyber vulnerability assessment X
CIP-007-3 R8.4 If applicable, provide action plan to remediate or mitigate vulnerabilities and the execution status of the action plan X
CIP-007-3 R9 Provide documentation and records demonstrating the annual review and update of all documentation for CIP-007 X
CIP-008-3 R1 Provide Cyber Security Incident Response Plan X
CIP-008-3 R1.1 Provide procedure for characterizing and classifying events as reportable Cyber Security Incidents X
CIP-008-3 R1.2 Provide roles and responsibilities X
CIP-008-3 R1.2 Provide incident handling procedure X
CIP-008-3 R1.2 Provide communication plans X
CIP-008-3 R1.3 Provide process for reporting incidents to the ES-ISAC X
CIP-008-3 R1.3 Provide evidence that all reportable incidents were reported to the ES-ISAC or an assertion that there have been no reportable incidents during the spot check period X
CIP-008-3 R1.4 Provide process for updating response procedures X
CIP-008-3 R1.4 Provide history of Response Plan updates or an assertion that there have been no updates made during the spot check period X
CIP-008-3 R1.5 Provide evidence of annual review X
CIP-008-3 R1.6 Provide history of incident response tests conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) incident(s) or event(s) tested X
CIP-008-3 R2 Provide cyber security incident documentation X
CIP-009-3 R1 Provide Critical Cyber Asset Recovery Plans X
CIP-009-3 R1 List the Recovery plan that covers the selected cyber assets. See Device Sampling Tab
CIP-009-3 R1.1 Provide conditions that would invoke the recovery plan X
CIP-009-3 R1.2 Provide roles and responsibilities X
CIP-009-3 R1 Provide evidence of annual review X
CIP-009-3 R2 Provide history of recovery plan exercises conducted, including 1) type of test (e.g. paper drill, table-top exercise, full response drill, etc.) 2) date of test 3) event(s) or condition(s) tested X
CIP-009-3 R3 Provide documentation of changes to the recovery plan(s) and documentation of all communications Not in Scope X
CIP-009-3 R4 Provide documentation regarding the backup and storage of information X
CIP-009-3 R5 Provide documentation of annual testing of backup media X