Project 2014-02 - CIP Version 5 Revisions Mapping Document Showing .


Project 2014-02 - CIP Version 5 Revisions

Mapping Document Showing Translation of the Version 5 standards into CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-009-6, CIP-010-2, and CIP-011-2 (CIP-002-5, CIP-005-5, and CIP-008-5 were not modified)

Standard: CIP-003-5 – Cyber Security—Security Management Controls

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-003-5 R1 | CIP-003-6 R1 | To incorporate a policy or policies for low impact BES Cyber Systems, the main requirement language was modified. “For its high impact and medium impact BES Cyber Systems” was struck from the language as new requirement parts were created. See Part 1.1 and Part 1.2 below for the change justification. |
| NEW | CIP-003-6 R1.1 | “For its high impact and medium impact BES Cyber Systems” was added as a qualifier to the sub-parts below. |
| CIP-003-5 R1.1 | CIP-003-6 R1.1.1 | Requirement parts 1.1 through 1.9 have become 1.1.1 through 1.1.9, with the clarifier noted above added in Part 1.1 of CIP-003-6. |
| CIP-003-5 R1.2 | CIP-003-6 R1.1.2 | No change. |
| CIP-003-5 R1.3 | CIP-003-6 R1.1.3 | No change. |
| CIP-003-5 R1.4 | CIP-003-6 R1.1.4 | No change. |
| CIP-003-5 R1.5 | CIP-003-6 R1.1.5 | No change. |
| CIP-003-5 R1.6 | CIP-003-6 R1.1.6 | No change. |
| CIP-003-5 R1.7 | CIP-003-6 R1.1.7 | No change. |
| CIP-003-5 R1.8 | CIP-003-6 R1.1.8 | No change. |
| CIP-003-5 R1.9 | CIP-003-6 R1.1.9 | No change. |
| NEW | CIP-003-6 R1.2 | “For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:” was added as a qualifier to the sub-parts below. |
| CIP-003-5 R2 | CIP-003-6 R2 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. Furthermore, as the SDT modified its approach to use Attachment 1 instead of the table approach, it modified Requirement R2 to “implement one or more documented cyber security plan(s) that include the applicable elements in Attachment 1.” |
| CIP-003-5 R2.1 | CIP-003-6 R1.2.1 | The security awareness requirement part for inclusion in one or more of the documented cyber security policies was moved to CIP-003-6, Requirement R1, Part 1.2.1. |
| CIP-003-5 R2.2 | CIP-003-6 R1.2.2 | The physical security controls requirement part for inclusion in one or more of the documented cyber security policies was moved to CIP-003-6, Requirement R1, Part 1.2.2. |
| CIP-003-5 R2.3 | CIP-003-6 R1.2.3 | The electronic access controls requirement part for inclusion in one or more of the documented cyber security policies was moved to CIP-003-6, Requirement R1, Part 1.2.3. Furthermore, the SDT modified the term “external routable protocol connections,” as a new definition, “Low Impact External Routable Connectivity,” is being proposed by the SDT. |
| CIP-003-5 R2.4 | CIP-003-6 R1.2.4 | The incident response to a Cyber Security Incident requirement part for inclusion in one or more of the documented cyber security policies was moved to CIP-003-6, Requirement R1, Part 1.2.4. |
| NEW | CIP-003-6, Attachment 1 | CIP-003-6 Attachment 1 lists the elements required for low impact asset cyber security plan(s). The attachment satisfies the directive from FERC Order No. 791 on addressing the lack of objective criteria for Low Impact asset protections. |
| CIP-003-5 R3 | CIP-003-6 R3 | No change. |
| CIP-003-5 R4 | CIP-003-6 R4 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |

Standard: CIP-004-5.1 – Cyber Security—Personnel & Training

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-004-5.1 R1 | CIP-004-6 R1 | No change. |
| CIP-004-5.1 R1.1 | CIP-004-6 R1.1 | No change. |
| CIP-004-5.1 R2 | CIP-004-6 R2 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. The SDT has also revised the requirement to allow Responsible Entities the flexibility to have one or more cyber security training programs, as the existing CIP-004-5 R2 had Responsible Entities implement “a cyber security training program(s).” That modification was made for clarity and consistency across the standards. |
| CIP-004-5.1 R2.1 | CIP-004-6 R2.1 | No change. |
| CIP-004-5.1 R2.1.1 | CIP-004-6 R2.1.1 | No change. |
| CIP-004-5.1 R2.1.2 | CIP-004-6 R2.1.2 | No change. |
| CIP-004-5.1 R2.1.3 | CIP-004-6 R2.1.3 | No change. |
| CIP-004-5.1 R2.1.4 | CIP-004-6 R2.1.4 | No change. |
| CIP-004-5.1 R2.1.5 | CIP-004-6 R2.1.5 | No change. |
| CIP-004-5.1 R2.1.6 | CIP-004-6 R2.1.6 | No change. |
| CIP-004-5.1 R2.1.7 | CIP-004-6 R2.1.7 | No change. |
| CIP-004-5.1 R2.1.8 | CIP-004-6 R2.1.8 | No change. |
| CIP-004-5.1 R2.1.9 | CIP-004-6 R2.1.9 | To respond to the FERC Order No. 791 directives regarding transient devices, the SDT has added Transient Cyber Assets and Removable Media as content that must be included in a Registered Entity’s cyber security training program. The training must address cyber security risks associated with a BES Cyber System’s electronic interconnectivity and interoperability with Transient Cyber Assets and Removable Media. |
| CIP-004-5.1 R2.2 | CIP-004-6 R2.2 | No change. |
| CIP-004-5.1 R2.3 | CIP-004-6 R2.3 | No change. |
| CIP-004-5.1 R3 | CIP-004-6 R3 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-004-5.1 R3.1 | CIP-004-6 R3.1 | No change. |
| CIP-004-5.1 R3.2 | CIP-004-6 R3.2 | No change. |
| CIP-004-5.1 R3.2.1 | CIP-004-6 R3.2.1 | No change. |
| CIP-004-5.1 R3.2.2 | CIP-004-6 R3.2.2 | No change. |
| CIP-004-5.1 R3.3 | CIP-004-6 R3.3 | No change. |
| CIP-004-5.1 R3.4 | CIP-004-6 R3.4 | No change. |
| CIP-004-5.1 R3.5 | CIP-004-6 R3.5 | No change. |
| CIP-004-5.1 R4 | CIP-004-6 R4 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-004-5.1 R4.1 | CIP-004-6 R4.1 | No change. |
| CIP-004-5.1 R4.1.1 | CIP-004-6 R4.1.1 | No change. |
| CIP-004-5.1 R4.1.2 | CIP-004-6 R4.1.2 | No change. |
| CIP-004-5.1 R4.1.3 | CIP-004-6 R4.1.3 | No change. |
| CIP-004-5.1 R4.2 | CIP-004-6 R4.2 | No change. |
| CIP-004-5.1 R4.3 | CIP-004-6 R4.3 | No change. |
| CIP-004-5.1 R4.4 | CIP-004-6 R4.4 | No change. |
| CIP-004-5.1 R5 | CIP-004-6 R5 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-004-5.1 R5.1 | CIP-004-6 R5.1 | No change. |
| CIP-004-5.1 R5.2 | CIP-004-6 R5.2 | No change. |
| CIP-004-5.1 R5.3 | CIP-004-6 R5.3 | No change. |
| CIP-004-5.1 R5.4 | CIP-004-6 R5.4 | No change. |
| CIP-004-5.1 R5.5 | CIP-004-6 R5.5 | No change. |

Standard: CIP-006-5 – Cyber Security—Physical Security of BES Cyber Systems

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-006-5 R1 | CIP-006-6 R1 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-006-5 R1.1 | CIP-006-6 R1.1 | No change. |
| CIP-006-5 R1.2 | CIP-006-6 R1.2 | No change. |
| CIP-006-5 R1.3 | CIP-006-6 R1.3 | No change. |
| CIP-006-5 R1.4 | CIP-006-6 R1.4 | No change. |
| CIP-006-5 R1.5 | CIP-006-6 R1.5 | No change. |
| CIP-006-5 R1.6 | CIP-006-6 R1.6 | No change. |
| CIP-006-5 R1.7 | CIP-006-6 R1.7 | No change. |
| CIP-006-5 R1.8 | CIP-006-6 R1.8 | No change. |
| CIP-006-5 R1.9 | CIP-006-6 R1.9 | No change. |
| NEW | CIP-006-6 R1.10 | To respond to the FERC Order No. 791 directive to protect the nonprogrammable components of communication networks, the SDT has added a new Requirement R1, Part 1.10 to restrict physical access to cabling and other nonprogrammable components used for communication between applicable Cyber Assets within the same Electronic Security Perimeter. There are three other mechanisms for an entity to adequately protect those networks: encryption of data that transits such cabling and components; monitoring the status of the communication link and issuing alarms to detect communication failures; or an equally effective logical protection. |
| CIP-006-5 R2 | CIP-006-6 R2 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-006-5 R2.1 | CIP-006-6 R2.1 | No change. |
| CIP-006-5 R2.2 | CIP-006-6 R2.2 | No change. |
| CIP-006-5 R2.3 | CIP-006-6 R2.3 | No change. |
| CIP-006-5 R3 | CIP-006-6 R3 | No change. |
| CIP-006-5 R3.1 | CIP-006-6 R3.1 | No change. |

Standard: CIP-007-5 – Cyber Security—Systems Security Management

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-007-5 R1 | CIP-007-6 R1 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-007-5 R1.1 | CIP-007-6 R1.1 | No change. |
| CIP-007-5 R1.2 | CIP-007-6 R1.2 | The applicable systems column was modified to include the Protected Cyber Assets and nonprogrammable communication components located inside both a Physical Security Perimeter and an Electronic Security Perimeter. The protection against the use of unnecessary physical input/output ports used for network connectivity, console commands, or removable media for these additions addresses the communication networks directive from FERC Order No. 791. Removable Media was capitalized in the requirement because it is newly defined. |
| CIP-007-5 R2 | CIP-007-6 R2 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-007-5 R2.1 | CIP-007-6 R2.1 | No change. |
| CIP-007-5 R2.2 | CIP-007-6 R2.2 | No change. |
| CIP-007-5 R2.3 | CIP-007-6 R2.3 | No change. |
| CIP-007-5 R2.4 | CIP-007-6 R2.4 | No change. |
| CIP-007-5 R3 | CIP-007-6 R3 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-007-5 R3.1 | CIP-007-6 R3.1 | No change. |
| CIP-007-5 R3.2 | CIP-007-6 R3.2 | No change. |
| CIP-007-5 R3.3 | CIP-007-6 R3.3 | No change. |
| CIP-007-5 R4 | CIP-007-6 R4 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-007-5 R4.1 | CIP-007-6 R4.1 | No change. |
| CIP-007-5 R4.1.1 | CIP-007-6 R4.1.1 | No change. |
| CIP-007-5 R4.1.2 | CIP-007-6 R4.1.2 | No change. |
| CIP-007-5 R4.1.3 | CIP-007-6 R4.1.3 | No change. |
| CIP-007-5 R4.2 | CIP-007-6 R4.2 | No change. |
| CIP-007-5 R4.2.1 | CIP-007-6 R4.2.1 | No change. |
| CIP-007-5 R4.2.2 | CIP-007-6 R4.2.2 | No change. |
| CIP-007-5 R4.3 | CIP-007-6 R4.3 | No change. |
| CIP-007-5 R4.4 | CIP-007-6 R4.4 | No change. |
| CIP-007-5 R5 | CIP-007-6 R5 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-007-5 R5.1 | CIP-007-6 R5.1 | No change. |
| CIP-007-5 R5.2 | CIP-007-6 R5.2 | No change. |
| CIP-007-5 R5.3 | CIP-007-6 R5.3 | No change. |
| CIP-007-5 R5.4 | CIP-007-6 R5.4 | No change. |
| CIP-007-5 R5.5 | CIP-007-6 R5.5 | No change. |
| CIP-007-5 R5.5.1 | CIP-007-6 R5.5.1 | No change. |
| CIP-007-5 R5.5.2 | CIP-007-6 R5.5.2 | No change. |
| CIP-007-5 R6 | CIP-007-6 R6 | No change. |
| CIP-007-5 R7 | CIP-007-6 R7 | No change. |

Standard: CIP-009-5 – Cyber Security—Recovery Plans for Critical Cyber Assets

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-009-5 R1 | CIP-009-6 R1 | No change. |
| CIP-009-5 R1.1 | CIP-009-6 R1.1 | No change. |
| CIP-009-5 R1.2 | CIP-009-6 R1.2 | No change. |
| CIP-009-5 R1.3 | CIP-009-6 R1.3 | No change. |
| CIP-009-5 R1.4 | CIP-009-6 R1.4 | No change. |
| CIP-009-5 R1.5 | CIP-009-6 R1.5 | No change. |
| CIP-009-5 R2 | CIP-009-6 R2 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-009-5 R2.1 | CIP-009-6 R2.1 | No change. |
| CIP-009-5 R2.2 | CIP-009-6 R2.2 | No change. |
| CIP-009-5 R2.3 | CIP-009-6 R2.3 | No change. |
| CIP-009-5 R3 | CIP-009-6 R3 | No change. |
| CIP-009-5 R3.1 | CIP-009-6 R3.1 | No change. |
| CIP-009-5 R3.1.1 | CIP-009-6 R3.1.1 | No change. |
| CIP-009-5 R3.1.2 | CIP-009-6 R3.1.2 | No change. |
| CIP-009-5 R3.1.3 | CIP-009-6 R3.1.3 | No change. |
| CIP-009-5 R3.2 | CIP-009-6 R3.2 | No change. |
| CIP-009-5 R3.2.1 | CIP-009-6 R3.2.1 | No change. |
| CIP-009-5 R3.2.2 | CIP-009-6 R3.2.2 | No change. |

Standard: CIP-010-1 – Cyber Security—Configuration Change Management and Vulnerability Assessments

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-010-1 R1 | CIP-010-2 R1 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-010-1 R1.1 | CIP-010-2 R1.1 | No change. |
| CIP-010-1 R1.2 | CIP-010-2 R1.2 | No change. |
| CIP-010-1 R1.3 | CIP-010-2 R1.3 | No change. |
| CIP-010-1 R1.4 | CIP-010-2 R1.4 | No change. |
| CIP-010-1 R1.4.1 | CIP-010-2 R1.4.1 | No change. |
| CIP-010-1 R1.4.2 | CIP-010-2 R1.4.2 | No change. |
| CIP-010-1 R1.4.3 | CIP-010-2 R1.4.3 | No change. |
| CIP-010-1 R1.5 | CIP-010-2 R1.5 | No change. |
| CIP-010-1 R1.5.1 | CIP-010-2 R1.5.1 | No change. |
| CIP-010-1 R1.5.2 | CIP-010-2 R1.5.2 | No change. |
| CIP-010-1 R2 | CIP-010-2 R2 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-010-1 R2.1 | CIP-010-2 R2.1 | No change. |
| CIP-010-1 R3 | CIP-010-2 R3 | No change. |
| CIP-010-1 R3.1 | CIP-010-2 R3.1 | No change. |
| CIP-010-1 R3.2 | CIP-010-2 R3.2 | No change. |
| CIP-010-1 R3.2.1 | CIP-010-2 R3.2.1 | No change. |
| CIP-010-1 R3.2.2 | CIP-010-2 R3.2.2 | No change. |
| CIP-010-1 R3.3 | CIP-010-2 R3.3 | No change. |
| CIP-010-1 R3.4 | CIP-010-2 R3.4 | No change. |
| NEW | CIP-010-2 R4 | To respond to the FERC Order No. 791 directive to address transient devices, the SDT modified its approach to use Attachment 1 instead of the table approach. It modified Requirement R4 to “implement one or more documented plan(s) for Transient Cyber Asset and Removable Media that include the applicable elements in Attachment 1, except under CIP Exceptional Circumstances.” |
| NEW | CIP-010-2, Attachment 1 | CIP-010-2 Attachment 1 lists the elements required for Transient Cyber Asset and Removable Media Plan(s). The attachment satisfies the directive from FERC Order No. 791 on addressing the risks posed by transient devices. |

Standard: CIP-011-1 – Cyber Security—Information Protection

| Requirement in Approved Standard | Translation to New Standard | Description and Change Justification or Other Action |
|---|---|---|
| CIP-011-1 R1 | CIP-011-2 R1 | To respond to the FERC Order No. 791 directive to remove ambiguous language from the requirement, the phrase “in a manner that identifies, assesses, and corrects deficiencies” was stricken. |
| CIP-011-1 R1.1 | CIP-011-2 R1.1 | No change. |
| CIP-011-1 R1.2 | CIP-011-2 R1.2 | No change. |
| CIP-011-1 R2 | CIP-011-2 R2 | No change. |
| CIP-011-1 R2.1 | CIP-011-2 R2.1 | No change. |
| CIP-011-1 R2.2 | CIP-011-2 R2.2 | No change. |
