Navigating NERC CIP-013-1

Helping you comply with cybersecurity supply chain risk management reliability standards

October 1, 2020, marked the end of the COVID-19-related enforcement extensions for the NERC standard Cybersecurity – Supply Chain Risk Management (CIP-013-1).

The Federal Energy Regulatory Commission (FERC) has implemented a new regulatory requirement, NERC CIP-013-1, which places increased responsibility on Power & Utility (P&U) companies to evaluate the cybersecurity of their third-party vendors and partners. Non-compliance carries significant financial penalties.

The supply chain risk management reliability standards are forward-looking and objective: each affected entity must develop and implement a plan that includes security controls for supply chain management of the industrial control system hardware, software, and services associated with system operations.

At the moment, this standard applies to the energy industry, but, based on prior regulatory trends, it will also be expanded to cover other utility-based sectors.

Key considerations

  • Are you able to identify and leverage any overlaps within your current security audits or reviews to comply with the NERC standard Cybersecurity – Supply Chain Risk Management (CIP-013-1)?
  • Do you have an integrated cybersecurity and supply chain policy, procedures, and controls effectively designed and implemented to mitigate risk?
  • Have you identified mission-critical vendors and tailored your vendor lifecycle procedures using a risk-based approach?
  • Do you have management reporting tools to communicate and manage how external parties are impacting your supply chain cybersecurity risk, internally in accordance with your enterprise risk management framework, and externally to investors and regulators?

How we can help

  • Implement controls that limit exposure to malware
  • Implement controls that limit exposure to tampering
  • Conduct a SOC 2 readiness review and SOC 2 examination
  • Provide a SOC 2 report that you can submit to your customers and regulators to demonstrate that your organization has robust security, confidentiality, and/or privacy controls that are operating effectively
  • Define vendor procurement guidelines
  • Define vendor permissions
  • Establish vendor monitoring

Conduct a Third-Party Risk Management Current State Assessment

Deliver a Third-Party Current State Assessment report summarizing gaps in, and recommendations for, your organization’s third-party risk management processes, including an evaluation of the following components:

  • Vendor Sourcing
  • Due Diligence
  • Onboarding
  • Risk Monitoring/Surveillance
  • Termination
