FERC Issues Final Rule Approving Supply Chain Risk Management Reliability Standards
On October 18, 2018, in Docket No. RM17-13-000, FERC issued a final rule approving supply chain risk management Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments). The standards require entities to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. The standards focus on four objectives: (1) software integrity and authenticity; (2) vendor remote access protections; (3) information system planning; and (4) vendor risk management and procurement controls. In the final rule, the Commission recognizes that the Reliability Standards do not address Electronic Access Control and Monitoring Systems (EACMS). To address this gap, the Commission directs NERC to develop and submit modifications to the Reliability Standards so that their scope includes EACMS. To view the final rule, click here.