Today’s LiveWire Spotlight examines FERC Docket RD23-3-000, which authorizes, without comment, NERC’s uncontested filing of CIP-003-9, a revision that adds new provisions for low impact BES Cyber System supply chain policies and plans. The standard calls for applicable owners and operators to create a “vendor remote access security controls” policy document covering three actions:

  1. Ensure that operators have a means to detect that a vendor has initiated remote access with a low impact BES Cyber System.
  2. Confirm that controls exist allowing operators to disable third-party remote access to a low impact BES Cyber System.
  3. Detect known and suspicious malicious vendor sessions for inbound and outbound low impact BES Cyber System communications.

The CIP low impact supply chain security implementation plan calls for CIP-003-9 to take effect thirty-six months after approval by the proper authority. This corresponds to a mandatory and enforceable date of April 1, 2026, in the U.S.