Curricula is now Huntress Security Awareness Training


Nick Santora

There has been a lot of talk and rumors around what FERC CIP audits will be. I have heard many worries that NERC and FERC have been in discussion about the goals of these audits. At the CIPC meeting here in Atlanta, FERC staff discussed openly the purpose behind these new FERC CIP audits and why they are doing them. I thought I would share some of our insights on how these audits will be performed and what to expect.

Why is FERC performing CIP audits?

Can they even do that? Yes, of course they can. The Division of Compliance at FERC in the Office of Electric Reliability states the following in their objective statement:

[emphasize]”Independently conduct or partner with the Office of Enforcement in conducting compliance audits of the users, owners, and/or operators of the bulk power system with or without the ERO/REs.”[/emphasize]

So besides having the ability to be able to perform audits without the ERO, FERC is looking to get more out of this. As described by FERC staff, FERC is looking to become better educated on the processes and procedures for the entire CIP audit process. The goal is to really gain a better understanding and awareness of the process NERC and the Regions have put in place. FERC staff also discussed these audits should help the industry by bringing some real world experience to the agency and understand some of the challenges the industry has in meeting CIP compliance.

Who is in scope of a FERC CIP audit?

A lot of questions have been asked who will be in scope of FERC CIP audits? FERC discussed that a sampling method will be used to select entities for the audits. That means they will be looking for a mix of large, medium, and small entities with a diverse set of assets. The goal is to look at the entire pulse of the industry and their performance to meet compliance with NERC CIP. With only about 12-15 staff members in the division at FERC, I would only expect a handful of these audits to be performed throughout the year.

Scheduling will also be coordinated with the Regions. Entities that normally would have been on the audit schedule for a CIP audit with their Region, will only be impacted by this one audit during their cycle. So if you are selected you don’t need to worry about an audit with your Region as well as an additional audit with FERC.

What will FERC CIP audits be like?

FERC CIP audits will look and feel just like a traditional CIP audit. That means notices, data requests, and a traditional scope of the NERC CIP Reliability Standards. FERC will be leading the audit process and any associated data requests. The Regions and NERC may participate in the audit as well but will be in a supporting role. From the sounds of it, FERC would be more of an audit team lead with the rest of the team comprised of Regional and/or NERC staff.

Any findings or PVs that come out of the audit will not be opened as an investigation or part of an additional compliance oversight function. Findings and PVs will be turned over to the Regional Entity for normal processing. So this will continue to follow the traditional process we are all used to in the compliance audit process.

So as of right now that is all of the information we have from FERC and NERC on FERC CIP audits and their goals. Again, I would not be too worried about what this new process will mean for the industry and your entity. In my opinion this will allow FERC staff to gain some very valuable field experience and truly understand all of the processes and procedures that take place in preparation, coordinating, and completing a CIP audit. Check back and we will provide more details as they become available.

Ready to level-up your security culture?

© 2024 Curricula Group, Inc. All rights reserved.