CIP-008-3: Incident Reporting and Response Planning
Purpose
Standard CIP-008-3 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Standard CIP-008-3 should be read as part of a group of standards numbered Standards CIP-002-3 through CIP-009-3.
Applicability
Within the text of Standard CIP-008-3, “Responsible Entity” shall mean:
- Reliability Coordinator.
- Balancing Authority.
- Interchange Authority.
- Transmission Service Provider.
- Transmission Owner.
- Transmission Operator.
- Generator Owner.
- Generator Operator.
- Load Serving Entity.
- NERC.
- Regional Entity.
The following are exempt from Standard CIP-008-3:
- Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
- Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
- Responsible Entities that, in compliance with Standard CIP-002-3, identify that they have no Critical Cyber Assets.
Effective Date
The first day of the third calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the third calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).
Requirements
R1. Cyber Security Incident Response Plan — The Responsible Entity shall develop and maintain a Cyber Security Incident response plan and implement the plan in response to Cyber Security Incidents. The Cyber Security Incident response plan shall address, at a minimum, the following:
R1.1. Procedures to characterize and classify events as reportable Cyber Security Incidents.
R1.2. Response actions, including roles and responsibilities of Cyber Security Incident response teams, Cyber Security Incident handling procedures, and communication plans.
R1.3. Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC). The Responsible Entity must ensure that all reportable Cyber Security Incidents are reported to the ES-ISAC either directly or through an intermediary.
R1.4. Process for updating the Cyber Security Incident response plan within thirty calendar days of any changes.
R1.5. Process for ensuring that the Cyber Security Incident response plan is reviewed at least annually.
R1.6. Process for ensuring the Cyber Security Incident response plan is tested at least annually. A test of the Cyber Security Incident response plan can range from a paper drill, to a full operational exercise, to the response to an actual incident.
R2. Cyber Security Incident Documentation — The Responsible Entity shall keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years.
Measures
M1. The Responsible Entity shall make available its Cyber Security Incident response plan as indicated in Requirement R1 and documentation of the review, updating, and testing of the plan.
M2. The Responsible Entity shall make available all documentation as specified in Requirement R2.