Today’s LiveWire Spotlight examines FERC Docket RD23-3-000, which authorizes without comment NERC’s uncontested filing of CIP-003-9 with new provisions for low impact BES Cyber System supply chain policies and plans. The standard calls for applicable owners and operators to create a “vendor remote access security controls” policy document dealing with three actions:
- Assure that operators have a means to detect that a vendor has initiated remote access with a low impact BES Cyber System.
- Confirm that controls exist allowing operators to disable third-party remote access to a low impact BES Cyber System.
- Detect known and suspicious malicious vendor sessions for inbound and outbound low-impact BES Cyber System communications.
The CIP low impact supply chain security implementation plan calls for CIP-003-9 to take effect thirty-six months after the approval of the proper authority. This corresponds to a mandatory and enforceable date of April 1, 2026 in the U.S.