Today’s LiveWire Spotlight examines the second draft of CIP-003-X, which specifies the low impact cyber security supply chain controls in Attachment 1, Section 6. The latest posting offers surprisingly few updates given that Draft 1 approval was a dismally low 29%. But only a handful of objections were raised repeatedly – and addressing them may make a big difference.

  • Language taken from the Board of Trustees’ resolution outlining the supply chain policy goals did not limit malicious activity detection to vendor data traffic.
  • The reference in the Section 6 heading to “vendor remote access” is too general and should clearly indicate that monitoring-only data traffic is not in scope.
  • The requirements seem to apply to other forms of vendor communication with low impact BES Cyber Systems, such as those initiated by Transient Cyber Assets.

Draft 2 of CIP-003-X and its supporting materials have been posted for a 45-day review and concurrent ballot. Clients have until April 15, 2022 to return their comments to the drafting team and to place their votes in NERC’s polling system.