Revised Critical Infrastructure Protection Reliability Standard CIP-003-7-Cyber Security-Security Management Controls

The Federal Energy Regulatory Commission (Commission) approves Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security--Security Management Controls), submitted by the North American Electric Reliability Corporation (NERC). Reliability Standard CIP-003-7 clarifies the obligations pertaining to electronic access control for low impact BES Cyber Systems; requires mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and requires responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. In addition, the Commission directs NERC to develop modifications to the CIP Reliability Standards to mitigate the risk of malicious code that could result from third-party transient electronic devices.