NERC CIP V5 Compliance Survey

Have you updated your PACS design specifications and templates for all risk profiles of substations and plants? *

Provide additional comments?:

Have you updated your visitor control program and supporting technology? *

With respect to both system and physical monitoring for your high risk facilities, does your SOC/NOC meet the needs and intent of CIP Version 5?


Is your identity and access management policy and technology deployment capable of meeting the needs and timelines of CIP Version 5?

Have all of your business units bought into the update process for Asset Categorization?

Are you confident that your asset inventory, and risk decisions is maintained in an efficient and effective manner?

Have you considered using a hybrid approach combining top-down (facilities to BES Cyber Assets) and bottoms-up (BES Cyber Assets discovery to facilities) perspectives in your asset categorization process?

Do you fully understand the implications of the HML risk categorizations for your systems and their related facilities?

Is your asset categorization scheme resulting in realistic and achievable results?

Did you deploy your BES Cyber Assets with consideration of minimizing the number of PSP/ESP boundaries?

Do you have a good sense of which requirements/standards will be the easiest to fulfill? Or which will be the hardest?

Have you identified metrics to guage your readiness with CIP Version 5?

Are the controls clearly defined for ensuring the security of transient devices used for testing and diagnostics?

Are you able to measure improvements in your patch and vulnerability management functions?

Have you updated your policies and desktop procedures to deal with the cyber asset reuse and disposal?

Have your OT development and testing environments been verified that they meet the new configuration management requirements?

Are your NERC CIP controls sufficient to meet your company’s cyber security objectives?

Have you identified the set of basic physical and electronic protections (controls) that your low impact facilities/systems will receive?

Can you describe what qualifies as a cyber-event in your company?

Is there a defined schedule for reviewing your security event logs?

Do you have an incident commander for cyber events in your company?

Do people know who to call if they see a cyber security event?

Can you identify the operational data that is in-use or stored in each of your systems and its sensitivity with regard to critical operations?

Have you updated your policies and definitions regarding information classification and data privacy?

Are you required to report your assessment of risk and compliance status to enterprise risk Management?

Does your IT staff understand the ramifications and constraints of NERC CIP?

Have you considered declaring early compliance with NERC CIP Version 5 to simplify ongoing compliance operations?

Have you considered the way that BES Cyber System classification may reach as far back as your billing and customer service systems?

Are disaster recovery controls part of your NERC/CIP readiness review?

Have your disaster recovery plans been updated to meet the needs of CIP Version 5?

Are OT development resources trained to perform code review?

Can you demonstrate an ongoing program of code review for OT development

Do you have a defined schedule for performing application security reviews for your web facing and third party provided services?

Are you comfortable with the way that Cyber Vulnerability Assessments have been handled in the past?

Do you have a plan and an update process for performing periodic Vulnerability Assessments?

Is your training and awareness plan updated and deployment planned for all affected personnel and facilities?

Are you leveraging change management techniques to drive awareness across the impacted personnel?

Are you confident in your schedule to achieve compliance on time?

Are you using metrics and milestones to measure your progress against your plan?

Have you updated your PACS design specifications and templates for all risk profiles of substations and plants?