
2011 Sufficiency Review Program


zena


Presentation Transcript


  1. 2011 Sufficiency Review Program

  2. 2011 CIP Sufficiency Review Background
     • Three Sufficiency Reviews conducted in 2010
     • Large, multiple function registered entities.
     • Selected one from each of three regions.
     • Conducted outside of the NERC compliance monitoring and audit program.
     • Anonymized summary report published late 2010
     • Posted on NERC web site at http://www.nerc.com/news_pr.php?npr=708

  3. Sufficiency Review Purpose
     • Purpose
     • Conduct a risk-based assessment of responsible entity methodologies used to identify Critical Assets pursuant to an expanded version of CIP-002-3, R.1, R.2.
     • Encourage open and more complete discussions with Entities regarding the purpose of CIP-002-3 and overall good practices

  4. Isn’t Version 4 Approved?
     • Why Now?
     • CIP-002-4 was filed with FERC in February 2011 and substitutes “bright line” Critical Asset identification criteria for the Risk Based Assessment Methodology.
     • Realistically, full compliance with CIP-002-4 is not expected before April 1, 2013.
     • The sufficiency review will help bridge the period of time before the CIP-002-4 standards become effective. V.4 issues can be added/discussed.

  5. What is a Sufficiency Review?
     • A comprehensive review of the Entity’s Risk Based Assessment Methodology using a list of applicable questions that guide the SRP engagement.
     • A full, open dialog between the NERC-led Sufficiency Review Program team and the Responsible Entity to ensure an understanding of the potential risks an entity could face in its Critical Asset determinations.
     • Lessons-learned and best practices designed to go beyond the minimum requirements of CIP Standards and increase BPS security and reliability.
     • Voluntary.

  6. What it is NOT
     • The Sufficiency Review Program is not an audit, spot check, or other compliance enforcement activity.
     • The only circumstance where compliance could become a factor is if an IMMEDIATE THREAT to the integrity of the BPS is discovered during the Sufficiency Review Program engagement.
     • Example: an immediate threat so severe it may require a Remedial Action Directive.
     • “IMMEDIATE THREAT” listed and in program documentation.

  7. Team Composition
     • The Sufficiency Review Team
     • NERC led
     • Regional Entity staff – generally two
     • CIP auditors, “693” auditor or other qualified staff.
     • RE Staff will agree prior to engagement that this is NOT an audit – we all abide with the program.
     • May include second NERC staff observer for training purposes.
     • May include FERC observers, although no requests to date.
     • Web conferences will be held prior to the Sufficiency Review to help you prepare.

  8. 2011 Sufficiency Review Program
     • At the conclusion of the Sufficiency Review
     • An exit presentation will be conducted and provided to the entity.
     • No anticipated follow-up by NERC or the RE.
     • NERC anticipates you will strongly consider the results of the Sufficiency Review and take appropriate action as required.
     • One copy of the exit presentation will be securely maintained at NERC for the purpose of review to improve the Sufficiency Review Program and also provide anonymized feedback to industry.

  9. Expectations
     • The goal
     • Perform at least one Sufficiency Review in each Region plus one NRECA and one APPA identified volunteer.
     • Entity Expectations
     • Volunteer entity should have identified Critical Assets or have no Critical Assets, be “on the fence,” and could use the help.
     • Should be registered for multiple functions (BA, TOP, and/or GOP at a minimum).
     • A moderate to large entity is preferred; however, all volunteers will be considered.
     • Will consider IPP with multiple units.

  10. Rules of Engagement
     • Rules of Engagement
     • No documents containing Critical Asset information, or information that could impact the security of the BPS, will be removed from the conference room where the Sufficiency Review is being held.
     • The entity will be expected to maintain control of its documentation and ensure it remains secure throughout the duration of the SRP engagement.
     • Members of the Sufficiency Review team will develop and securely maintain notes throughout the review.
     • Two copies of notes will be securely maintained by NERC as reference for future trending and analyses.

  11. Rules of Engagement (cont)
     • Rules of Engagement
     • Entities are encouraged to invite participants to the Sufficiency Review to participate, learn, and become familiar with the process.
     • Additional personnel participation needs to be approved by the Team Lead in advance of the Sufficiency Review.
     • Will work with entity if critical matters need to be discussed in private
     • A redacted Risk Based Assessment Methodology will be requested several weeks prior to the Sufficiency Review.

  12. Rules of Engagement (cont)
     • Rules of Engagement
     • All documentation provided electronically will be provided on USB flash drives
     • Anti-virus checked by Entity IT staff.
     • One USB flash assigned to each specific team member to ensure no cross-contamination.
     • Stays at the entity facility at all times.
     • Documentation encrypted

  13. How do I Benefit?
     • What’s in it for me?
     • You get the undivided attention of several industry experts at no cost.
     • Excellent learning opportunity.
     • Validate your Risk Based Assessment Methodology.
     • Learn how you can improve your Methodology.
     • Time commitment
     • Pre-review prep time: a couple of days at most.
     • On-site: 2.5-3.5 days, depending upon the entity size and complexity of the RBAM.

  14. I MAY be Interested
     • Contact me – I will set up a WebEx where you can ask any question about the program.
     • No Commitment
     • Nothing to lose by inquiring
     • I will notify your Region so they may listen in

  15. Reference Documents
     • 2010 Sufficiency Review Report: http://www.nerc.com/news_pr.php?npr=708
     • Critical Asset Identification Guideline: http://www.nerc.com/fileUploads/File/Standards/Critcal_Asset_Identification_2009Nov19.pdf

  16. Contact Information
     • For more information, contact: Ralph Anderson, CIP Risk Specialist, NERC, (321) 247-5687, ralph.anderson@nerc.net
     • You can also contact your Region.
