Newsroom  Site Map  Contact NERC       




Individual or group.  (15 Responses)
Name  (8 Responses)
Organization  (8 Responses)
Group Name  (7 Responses)
Lead Contact  (7 Responses)
Question 1 Comments  (15 Responses)
Question 2 Comments  (15 Responses)
Question 3 Comments  (15 Responses)
Question 4 Comments  (15 Responses)
Question 5 Comments  (15 Responses)
 
Group
Exelon Generation Company, LLC - Exelon Nuclear
Alison Mackellar
The structure of the timeframe for compliance presents a generally reasonable approach; however, given that the nuclear industry has not yet performed an assessment in accordance with CIP-002 (R.2, R.3) the scope is difficult to determine.
The proposed implementation plan generally provides a reasonable timeframe for implementing NERC’s CIP Version 1 except as noted in the response to other questions, below. In addition, it is our understanding that “Auditably Compliant” will be required one year following the compliance milestone defined in the implementation plan. "Auditably Compliant" means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12-calendar-months of auditable "data," "documents," "documentation," "logs," and "records."
The proposed time frame is suitable for implementation; however, the execution of the identification of a critical asset and identification of critical cyber assets will present a challenge especially during the later milestones that include final review and signoff from senior executives.
For CIP-003-1, CIP-006-1, and CIP-009-1, No. For CIP-004-1, the proposed time frame is reasonable; however, depending on the identified personnel within scope, completion of the training program (R.2) may be a challenge to have completed by the later of the R+18 or S+10 timeframes.
No. The time frames for the requirements in CIP-005-1, CIP-007-1, and CIP-008-1 are suitable for implementation.
Group
Southern Company
Hugh Francis
Yes, the structure of the timeframe is a reasonable approach for the implementation of the CIP requirements at the nuclear plants. The implementation plan accurately reflects the critical path items for the development of the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. While the structure is accurate there are a few clarifications that need to be made to the structure. While the definition of the “S – Scope of Systems Determination” timeframe includes a statement that the exemption process is included it is not clear if it includes time to file for the exemption. Southern Company would like to ensure the “S” timeframe allows time for the entity to review the requirements, file for an exemption, and receive a response on the outcome of the exemption before the “S” time clock starts. Is the “S” timeframe intended to allow for the exemption process to be complete before the clock starts?
With the exception of the above comment, concerning the “S” timeframe, the items that do not require a refueling outage to implement the timeframes are reasonable for implementing the CIP requirements. However, we do not feel the timeframe allowed for outage activities will provide enough time for identification, planning and implementing the requirements. The current plan provides a timeframe for outage activities of the first refueling outage 12 months after FERC approval. In order to comply with the requirements each unit will first need to be evaluated against the CIP-002 requirements and be identified as a critical asset. Compliance with this activity is required 12 months after FERC effective date. Once each unit is identified as a critical asset, the critical cyber assets will need to be identified. Once the critical cyber assets are identified a design change will need to be developed, planned and budgeted to be included into the next refueling outage. With the current implementation schedule each unit would be required to be compliant the latter of R+18, S+10, or RO+6. The worst case scenario is if an outage is scheduled to begin 13-14 months after FERC approval. The current timeframe would require the unit to have a plan, including design change, approval of the budget, implemented and documentation updated in 19-20 months to be compliant. In order to effectively plan and budget for the changes, we would first need to develop a design change. A design change of this type would take a minimum of 6 months. Once the development of the design change is complete we could accurately plan and budget for the change. This will take an additional 6 months. If the identification requires 12 months to be compliant then the total time required would be 24 months. In this scenario the plant is allowed approximately 7-10 months, after identifying it as a critical asset, to develop a design change, plan, implement and update the documentation. In order to allow for adequate time to identify, plan, budget, and implement the required design changes, the definition of RO should be: “RO=Next refueling outage beyond 18 months of FERC Effective Date”
With the exception of the comment to question 1 the time frames are suitable.
With the exception of the comment to question 1 the time frames are suitable. While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005 then this requirement can not be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process.
With the exception of the items that require an outage to perform, the time frames are acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See answer to question 2 above for details. While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005 then this requirement can not be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process.
Individual
Doug Engraf
Black & Veatch - Consulting Engineers
We are concerned the time frame between the plant determining the SSCs that are subject to FERC jurisdiction with Memo of Understanding between NERC and NRC and the time to acceptance of that memo. In other words, we are concerned that NERC or the NRC might not accept the SSCs as submitted and the plant's work plan may need significant changes. We would like to see the time to completion tied to acceptance of the SSC list by the NRC and NERC.
The time frame is acceptable as long as long as it is tied to the agreement on which SSCs require NERC CIP compliance.
should not be a problem
With regard to CIP-009-1, deployment of some types of backup and restore systems (including development of complete system backups of CCA's), might be best performed during an outage to prevent impact traffic to ESP network.
Refer to response to Question #1 - If the timeframe is not tied to the NRC and NERC acceptance of the SSC list, the schedule for deployement of the required network security systems, including potential upgrades to existing systems, may be of concern.
Group
PPL Supply Group
Annette Bannon
The structure of the timeframe is reasonable. It reflects the critical path items for the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. The "S" designation is not clear that it includes time to file for an exemption. PPL would like to ensure that the S timeframe allow time for the entity to review the requirements, file for an exemption, and receive a response on the outcome before the S timeclock starts.
PPL does not feel the timeframe allowed for outage activities will provide enough time for identifying solutions, planning, and implementing the requirements. The order of compliance within 12 months is too short considering once each unit is identified as a critical asset, the critical asset changes budgeted and designed, and then planning and implementing the changes via the work management system. The current implementation schedule is determined as the latter of R+18, S+10, or RO+6. This becomes apparent when an outage would begin 13-14 months after FERC approval. This would require a plant to be compliant in 19-20 months. When we add up all of the design, plan, implement timeframes utilizing our process this would take 24 months...in this case we would have to be compliant in 7-10 months. Therefore the definition of RO needs to change to next refueling outage beyond 18 months of the FERC effective date.
With the exception of the comment to question 1, the time frames are acceptable.
With the exception of the comment to question 1, the time frames are acceptable.
With the exception of the items that require an outage to implement, the timeframes are acceptable. For the items that require an outage to perform, the timeframes are not acceptable, see answer to question 2 above. Consideration needs to be given in these CIPs for the possibility of having to fully implement them in an outage and depends upon the strategy implemented under CIP-005-1.
Individual
Janardan Amin
Luminant Power- CPNPP
Yes, the structure represents a reasonable approach for the implementation of the CIP requirements at the nuclear plants. The implementation plan accurately reflects the critical path items for the development of the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. While the structure is accurate there are a few clarifications that need to be made to the associated timeframes. While the definition of the “S – Scope of Systems Determination” timeframe includes a statement that the exemption process is included it is not clear if it includes time to file for the exemption. Luminant Power would like to ensure the “S” timeframe allows time for the entity to review the requirements, file for an exemption, and receive a response on the outcome of the exemption before the “S” time clock starts. Is the “S” timeframe intended to allow for the exemption process to be complete before the clock starts?
With the exception of the above comment, concerning the “S” timeframe, the items that do not require a refueling outage to implement, the timeframes are reasonable for implementing the CIP requirements. However, we do not feel the timeframe allowed for outage activities will provide enough time for identification, planning and implementing the requirements. The current plan provides a timeframe for outage activities of the first refueling outage 12 months after FERC approval. In order to comply with the requirements each unit will first need to be evaluated against the CIP-002 requirements and be identified as a critical asset. Compliance with this activity is required 12 months after FERC effective date. Once each unit is identified as a critical asset, the critical cyber assets will need to be identified. Once the critical cyber assets are identified, a design change will need to be developed, planned and budgeted to be included into the next refueling outage. With the current implementation schedule each unit would be required to be compliant the latter of R+18, S+10, or RO+6. The worst case scenario is if an outage is scheduled to begin 13-14 months after FERC approval. The current timeframe would require the unit to have a plan, including design change, approval of the budget, implemented and documentation updated in 19-20 months to be compliant. In order to effectively plan and budget for the changes, we would first need to develop a design change. A design change of this type would take a minimum of 6 months. Once the development of the design change is complete we could accurately plan and budget for the change. This will take an additional 6 months. If the identification requires 12 months to be compliant then the total time required would be 24 months. In this scenario the plant is allowed approximately 7-10 months, after identifying it as a critical asset, to develop a design change, plan, implement and update the documentation. In order to allow for adequate time to identify, plan, budget, and implement the required design changes, the definition of RO should be: “RO=Next refueling outage beyond 18 months of FERC Effective Date”
With the exception of the comment to question 1 the time frames are suitable.
For CIP-003-1, CIP-004-1: With the exception of the comment to question 1 the time frames are suitable. For CIP-006-1: While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005 then this requirement can not be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process For CIP-009-1: While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005 then this requirement can not be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process.
For CIP-005-1:The time frames allowed for implementing these requirements are not suitable. See answer to question 2 above for details. For CIP-007-1 & CIP-008-1: With the exception of the items that require an outage to perform, the time frames are acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See answer to question 2 above for details.
Individual
Marcus Lotto - on behalf of SCE’s subject matter experts
Southern California Edison Company
Yes, the structure of the timeframe is a reasonable approach for the implementation of the CIP requirements at the nuclear plants. The implementation plan accurately reflects the critical path items for the development of the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. While the structure is accurate there are a few clarifications that need to be made to the structure. While the definition of the “S – Scope of Systems Determination” timeframe includes a statement that the exemption process is included it is not clear if it includes time to file for the exemption. Southern California Edison would like to ensure the “S” time frame allows time for the entity to review the requirements, file for an exemption, and receive a response on the outcome of the exemption before the “S” time clock starts. Is the “S” timeframe intended to allow for the exemption process to be complete before the clock starts? One other item that should be taken into consideration is that the proposed timeline identified in the implementation plan is contingent, in part, on the development of the Memorandum of Understanding (MOU) between NERC and NRC. Because the MOU is intended to address both the "exception process" and audit responsibilities, SCE is concerned with the lack of transparency in MOU development. SCE believes stakeholders would have valuable input into the MOU development, input that would ultimately benefit the industry. Therefore, SCE strongly recommends the MOU development include direct stakeholder participation, or at minimum, solicitation of stakeholder comment prior to adoption.
With the exception of the above comment, concerning the “S” timeframe, the items that do not require a refueling outage to implement the timeframes are reasonable for implementing the CIP requirements. However, we do not feel the timeframe allowed for outage activities will provide enough time for identification, planning and implementing the requirements. The current plan provides a timeframe for outage activities of the first refueling outage 12 months after FERC approval. In order to comply with the requirements each unit will first need to be evaluated against the CIP-002 requirements and be identified as a critical asset. Compliance with this activity is required 12 months after FERC effective date. Once each unit is identified as a critical asset, the critical cyber assets will need to be identified. Once the critical cyber assets are identified a design change will need to be developed, planned and budgeted to be included into the next refueling outage. With the current implementation schedule each unit would be required to be compliant the latter of R+18, S+10, or RO+6. The worst case scenario is if an outage is scheduled to begin 13-14 months after FERC approval. The current timeframe would require the unit to have a plan, including design change, approval of the budget, implemented and documentation updated in 19-20 months to be compliant. In order to effectively plan and budget for the changes, we would first need to develop a design change. A design change of this type would take a minimum of 6 months. Once the development of the design change is complete we could accurately plan and budget for the change. This will take an additional 6 months. If the identification requires 12 months to be compliant then the total time required would be 24 months. In this scenario the plant is allowed approximately 7-10 months, after identifying it as a critical asset, to develop a design change, plan, implement and update the documentation. In order to allow for adequate time to identify, plan, budget, and implement the required design changes, the definition of RO should be: “RO=Next refueling outage beyond 18 months of FERC Effective Date”
With the exception of the comment to question 1, the time frames are suitable.
With the exception of the comment to question 1 the time frames are suitable. While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005, then this requirement can not be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process.
With the exception of the items that require an outage to perform, the time frames are acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See answer to question 2 above for details. While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance, R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005, then this requirement can not be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process.
Group
Electric Market Policy
Jalal Babik
The structure of the timeframe is a reasonable approach for the implementation of the CIP requirements at the nuclear plants. The implementation plan accurately reflects the critical path items for the development of the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. While the structure is adequate, there are a few clarifications that need to be made to the structure. While the definition of the “S – Scope of Stems Determination” timeframe includes a statement that the exemption process is included, it is not clear if it includes time to file for the exemption. Dominion would like to ensure the “S” timeframe allows time for the entity to review the requirements, file for an exemption, and receive a response on the outcome of the exemption before the “S” time clock starts. Is the “S” timeframe intended to allow for the exemption process to be complete before the clock starts?
With the exception of the above comment, concerning the “S” timeframe, the timeframes are reasonable for implementing CIP requirements for the items that do not require a refueling outage to implement. However, we do not feel the timeframe allowed for outage activities will provide enough time for identification, planning and implementing the requirements. The current plan provides a timeframe for outage activities of the first refueling outage 12 months after FERC approval. In order to comply with the requirements, each unit will first need to be evaluated against the CIP-002 requirements and be identified as a critical asset. Compliance with this activitiy is required 12 months after the FERC effective date. Once each unit is identified as a critical asset, the critical cyber assets will need to be identified. Once the critical cyber assets are identified, a design change will need to be developed, planned and budgeted to be included in the next refueling outage. With the current implementation schedule, each unit would be required to be compliant the latter of R+18, S+10 or RO+6. The worst case scenario is if an outage is scheduled to begin 13-14 months after FERC approval. The current timeframe would require the unit to have a plan, including design change, approval of the budget, implemented and documentation updated in 19-20 months to be compliant. In order to effectively plan and budget, we would first need to develop a design change. A design change of this type would take a minimum of 6 months. Once the development of the design change is complete we could accurately plan and budget for the change. This will take an additional 6 months. If the identification requires 12 months to be compliant, then the total time required would be 24 months. In this scenario, the plant is allowed approximately 7-10 months, after identifying it as a critical asset, to develop a design change, plan, implement and update the documentation. In order to allow for adequate time to identify, plan, budget and implement the required design changes, the definition of RO should be: “RO=Next refueling outage beyond 18 months of FERC effective date.”
With the exception of the comment to Question 1, the time frames are suitable.
With the exception of the comment to Question 1, the time frames are suitable. While these requirements do not require an outage to implement, they are dependent on the strategy implemented under CIP-005. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design change to install the access controls per CIP-005, then this requirement cannot be met until the design change is implemented. This is also true for R5 and R6. The Outage dependent column for these requirements (R4, R5 and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self-certification process.
With the exception of the items that require an outage to perform, the time frames are not acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See response to Question 2 above for details. While these requirements do not require an outage to implement, they are dependent on the strategy implemented under CIP-005. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design change to install the access controls per CIP-005, then this requirement cannot be met until the design change is implemented. This is also true for R5 and R6. The Outage dependent column for these requirements (R4, R5 and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self-certification process.
Group
Northeast Power Coordinating Council
Guy Zito
The structure of the timeframe is a reasonable approach for the implementation of the CIP requirements at the nuclear plants. The implementation plan accurately reflects the critical path items for the development of the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. While the structure is adequate, there are a few clarifications that need to be made to it. While the definition of the “S – Scope of Stems Determination” timeframe includes a statement that the exemption process is included, it is not clear if it includes time to file for the exemption. It should be ensured that the “S” timeframe allows time for the entity to review the requirements, file for an exemption, and receive a response on the outcome of the exemption before the “S” time clock starts. Is the “S” timeframe intended to allow for the exemption process to be complete before the clock starts?
With the exception of the above comment concerning the “S” timeframe, the timeframes are reasonable for implementing CIP requirements for the items that do not require a refueling outage to implement. However, we do not feel the timeframe allowed for outage activities will provide enough time for identification, planning and implementing the requirements. The current plan provides a timeframe for outage activities of the first refueling outage 12 months after FERC approval. In order to comply with the requirements, each unit will first need to be evaluated against the CIP-002 requirements and be identified as a critical asset. Compliance with this activitiy is required 12 months after the FERC effective date. Once each unit is identified as a critical asset, the critical cyber assets will need to be identified. Once the critical cyber assets are identified, a design change will need to be developed, planned and budgeted to be included in the next refueling outage. With the current implementation schedule, each unit would be required to be compliant the latter of R+18, S+10 or RO+6. The worst case scenario is if an outage is scheduled to begin 13-14 months after FERC approval. The current timeframe would require the unit to have a plan, including design change, approval of the budget, implemented and documentation updated in 19-20 months to be compliant. In order to effectively plan and budget, we would first need to develop a design change. A design change of this type would take a minimum of 6 months. Once the development of the design change is complete we could accurately plan and budget for the change. This will take an additional 6 months. If the identification requires 12 months to be compliant, then the total time required would be 24 months. In this scenario, the plant is allowed approximately 7-10 months, after identifying it as a critical asset, to develop a design change, plan, implement and update the documentation. In order to allow for adequate time to identify, plan, budget and implement the required design changes, the definition of RO should be: “RO=Next refueling outage beyond 18 months of FERC effective date.”
With the exception of the comment to Question 1, the timeframes are suitable.
With the exception of the comment to Question 1, the timeframes are suitable. While these requirements do not require an outage to implement, they are dependent on the strategy implemented under CIP-005. For instance, R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design change to install the access controls per CIP-005, then this requirement cannot be met until the design change is implemented. This is also true for R5 and R6. The Outage dependent column for these requirements (R4, R5 and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self-certification process.
With the exception of the items that require an outage to perform, the time frames are not acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See response to Question 2 above for details. While these requirements do not require an outage to implement, they are dependent on the strategy implemented under CIP-005. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design change to install the access controls per CIP-005, then this requirement cannot be met until the design change is implemented. This is also true for R5 and R6. The Outage dependent column for these requirements (R4, R5 and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self-certification process.
Individual
James Starling
SCE&G
Yes, the structure of the timeframe is a reasonable approach for the implementation of the CIP requirements at the nuclear plants. The implementation plan accurately reflects the critical path items for the development of the MOU between NERC and the NRC and it also recognizes that a refueling outage is required to implement a portion of the requirements. While the structure is accurate there are a few clarifications that need to be made to the structure. While the definition of the “S – Scope of Systems Determination” timeframe includes a statement that the exemption process is included it is not clear if it includes time to file for the exemption. South Carolina Electric & Gas would like to ensure the “S” timeframe allows time for the entity to review the requirements, file for an exemption, and receive a response on the outcome of the exemption before the “S” time clock starts. Is the “S” timeframe intended to allow for the exemption process to be complete before the clock starts?
With the exception of the previous comment, concerning the “S” timeframe, the items that do not require a refueling outage to implement the timeframes are reasonable for implementing the CIP requirements. However, we do not feel the timeframe allowed for outage activities will provide enough time for identification, planning and implementing the requirements. The current plan provides a timeframe for outage activities of the first refueling outage 12 months after FERC approval. In order to comply with the requirements the unit will first need to be evaluated against the CIP-002 requirements and be identified as a critical asset. Compliance with this activity is required 12 months after FERC effective date. Once the unit is identified as a critical asset, the critical cyber assets will need to be identified. Once the critical cyber assets are identified a design change will need to be developed, planned and budgeted to be included into the next refueling outage. With the current implementation schedule each unit would be required to be compliant the latter of R+18, S+10, or RO+6. The worst case scenario is if an outage is scheduled to begin 13-14 months after FERC approval. The current timeframe would require the unit to have a plan, including design change, approval of the budget, implemented and documentation updated in 19-20 months to be compliant. In order to effectively plan and budget for the changes, we would first need to develop a design change. A design change of this type would take a minimum of 6 months. Once the development of the design change is complete we could accurately plan and budget for the change. This will take an additional 6 months. If the identification requires 12 months to be compliant then the total time required would be 24 months. In this scenario the plant is allowed approximately 7-10 months, after identifying it as a critical asset, to develop a design change, plan, implement and update the documentation. In order to allow for adequate time to identify, plan, budget, and implement the required design changes, the definition of RO should be: “RO=Next refueling outage beyond 18 months of FERC Effective Date”
With the exception of the comment to question 1 the time frames are suitable.
CIP-003-1: With the exception of the comment to question 1 the time frames are suitable. CIP-004-1: With the exception of the comment to question 1 the time frames are suitable. CIP-006-1: While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005 then this requirement cannot be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process. CIP-009-1: While these requirements do not require an outage to implement they are dependent on the strategy implemented under CIP-005-1. For instance R4 requires the entity to log access 24 hours a day, 7 days a week. If the plant identifies the need for a design to install the access controls per CIP-005 then this requirement cannot be met until that design is implemented. This is also true for R5 and R6. The Outage Dependent column for these requirements (R4, R5, and R6) should be labeled as Possible and the RO+6 timeframe should be included. The entity should be able to assess the need for an outage to satisfy these requirements and report that during the self certification process.
CIP-005-1: The time frames allowed for implementing these requirements are not suitable. See answer to question 2 above for details. CIP-007-1: With the exception of the items that require an outage to perform, the time frames are acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See answer to question 2 above for details. CIP-008-1: With the exception of the items that require an outage to perform, the time frames are acceptable. For the items that require an outage to perform, the time frames allowed are not suitable. See answer to question 2 above for details.
Individual
Benjamin Church
NextEra Energy Resources, LLC
Yes, in general the basic structure provides a foundation to establish the correct schedule to implement the reliability standards. One area of concern is in the detail of "S - Scope of Systems Determination" date. There is uncertainty as to whether the MOU between NERC and the NRC will include a matrix or other methodology that will clearly define standard plant systems assigned to NERC or the NRC (i.e., identify the “bright line”). Determination of the "bright line" can also be accomplished by including a period for nuclear plants to evaluate the exemption process, file for exemptions, and receive rulings on filed exemptions. This approach should allow adequate time completion of the exception process before declaring the "S" date.
The prerequisite approvals or activities do not allow for adequate time to implement a compliant program as follows: 1) Nuclear plants will need 12 months to identify assets and any mitigation items that will be required for compliance to CIP-002. Also, there may be plant design changes required in support of the program requirements. Industry standard "fast track" design changes take 9 months to complete which includes completing the detailed design and establishing complete configuration documentation. Implementation of the engineering design takes an additional 3 months to prepare instructions and complete the work which must be coordinated within the plant work management process. This requires R+24 to perform implementation. 2) Comments from question 1 above identifies the adjustment to "S". 3) Design changes that require a refueling outage impact generation or the safe operation of the plant. Refueling Outages are budgeted, engineered, and planned with longer lead times due to the complexity of work activities. The proposed implementation plan will require some facilities to execute design change packages without adequate time to meet the refueling planning window of 24 months. Adding the 24 months for the refueling design and planning window implementation to the previously stated 12 months for the completion of CIP-002 requires a refueling outage 36 months from the effective date. Some plants have longer fuel cycles so it is recommended the RO effective date is "First refueling outage beyond R +18 month+ one fuel cycle".
See comments from question 1 and 2 above for time frame comments. Implementation of the CIP standards on some Balance of Plant systems is focused on regulatory compliance and the alignment of processes. Due to compliance with NEI 04-04, the industry has implemented cyber security barriers that protect generation and there is no cyber security or reliability gap.
See comments from question 1 and 2 above for time frame comments. Until detailed assessments are completed, it is generally unknown if there are items that can not be installed without a design change during a refueling outage to fully meet all requirements in CIP R03,R04, R06, and R09. The plant should be able to assess the need for a refueling outage to completely satisfy the requirements and provide final reporting during the self certification process. See comments from question 3 above for comments on no reliability gap.
See comments from question 1 and 2 above for time frame comments. See comments from question 3 above for comments on no reliability gap.
Group
Generator Operator
Silvia Parada-Mitchell
Yes, in general the basic structure provides a foundation to establish the correct schedule to implement the reliability standards. One area of concern is in the detail of "S - Scope of Systems Determination" date. There is uncertainty as to whether the MOU between NERC and the NRC will include a matrix or other methodology that will clearly define standard plant systems assigned to NERC or the NRC (i.e., identify the “bright line”). Determination of the "bright line" can also be accomplished by including a period for nuclear plants to evaluate the exemption process, file for exemptions, and receive rulings on filed exemptions. This approach should allow adequate time completion of the exception process before declaring the "S" date.
The prerequisite approvals or activities do not allow for adequate time to implement a compliant program as follows: 1) Nuclear plants will need 12 months to identify assets and any mitigation items that will be required for compliance to CIP-002. Also, there may be plant design changes required in support of the program requirements. Industry standard "fast track" design changes take 9 months to complete which includes completing the detailed design and establishing complete configuration documentation. Implementation of the engineering design takes an additional 3 months to prepare instructions and complete the work which must be coordinated within the plant work management process. This requires R+24 to perform implementation. 2) Comments from question 1 above identifies the adjustment to "S". 3) Design changes that require a refueling outage impact generation or the safe operation of the plant. Refueling Outages are budgeted, engineered, and planned with longer lead times due to the complexity of work activities. The proposed implementation plan will require some facilities to execute design change packages without adequate time to meet the refueling planning window of 24 months. Adding the 24 months for the refueling design and planning window implementation to the previously stated 12 months for the completion of CIP-002 requires a refueling outage 36 months from the effective date. Some plants have longer fuel cycles so it is recommended the RO effective date is "First refueling outage beyond R +18 month+ one fuel cycle".
See comments from question 1 and 2 above for time frame comments. Implementation of the CIP standards on some Balance of Plant systems is focused on regulatory compliance and the alignment of processes. Due to compliance with NEI 04-04, the industry has implemented cyber security barriers that protect generation and there is no cyber security or reliability gap.
See comments from question 1 and 2 above for time frame comments. Until detailed assessments are completed, it is generally unknown if there are items that can not be installed without a design change during a refueling outage to fully meet all requirements in CIP R03,R04, R06, and R09. The plant should be able to assess the need for a refueling outage to completely satisfy the requirements and provide final reporting during the self certification process. See comments from question 3 above for comments on no reliability gap.
See comments from question 1 and 2 above for time frame comments. See comments from question 3 above for comments on no reliability gap.
Individual
Greg Rowland
Duke Energy
Overall, the structure represents a reasonable approach. However, as described in the implementation plan, the “S” (Scope of Systems Determination) seems to include only completion of the NERC/NRC MOU and establishment of the exemption process. 10 months following “S” is barely adequate time for an entity to review the Scope of Systems Determination, identify exemptions and seek NERC approval of the exemptions. NERC will then need time to process exemption requests. NERC’s denial of an exemption should be the event which starts the clock on the “S+10” month timeframe for compliance. That point of denial by NERC would place the item “in scope” and the clock for implementation of CIP standards for that item would start. “S+10” would mean that 10 months after denial of the exemption by NERC you would have to be in compliance. Also, defining “RO” as the first refueling outage 12 months after the FERC effective date does not allow adequate time to design, develop, budget, plan and implement modifications requiring a refueling outage, since some utilities are on a 24-month refueling cycle. “RO” should be defined as the first refueling outage greater than 24 months after the FERC effective date. However, in cases where exemptions are sought for items that require a refueling outage and are subsequently denied by NERC, “RO” should be the first refueling outage greater than 24 months after the denial of the exemption by NERC.
Timeframes are suitable, except for our concern as noted in response to Question #1 above.
Timeframes are suitable, except for our concern as noted in response to Question #1 above.
The implementation plan for CIP-006-1 requirements doesn’t include any “RO+6” timeframes. Depending upon how the physical security plan is implemented, some elements of it might require a refueling outage. Otherwise, timeframes are suitable, except for our concern as noted in response to Question #1 above.
In addition to our concern noted in response to Question #1 above, we have a concern with Requirement R3 of CIP-007-1 which requires installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). There are many cyber security system devices such as relays and programmable logic controllers which cannot accept software patches. NERC’s technical feasibility exception process doesn’t currently allow an exemption for Requirement R3. If such devices will be required to meet R3, then the timeframe for compliance would be significantly longer than “RO+6”. In some cases, CIP-compliant replacement equipment may not even be available for nuclear-grade applications, and we could NEVER achieve compliance. Similarly, Requirement R5.3.2 requires that passwords shall consist of a combination of alpha, numeric, and “special” characters. Commonly used tools, including Active Directory can enforce password parameters such the following: The password contains characters from at least three of the following five categories: (i) English uppercase characters (A - Z); (ii) English lowercase characters (a - z); (iii) Base 10 digits (0 - 9); (iv) Non-alphanumeric (For example: !, $, #, or %); (v) Unicode characters. We are not aware of password products typically available which can guarantee compliance with the requirement that all three of the parameters (alpha, numeric, and “special” characters) listed in the standard be included in passwords. Unless technical feasibility exceptions are allowed for such legacy Account Management systems, the timeframe for compliance could be significantly longer than “R+18”, “S+10” or “RO+6”.
Group
Progress Energy Nuclear Generation
Chris Georgeson
It can be improved by clarifying that the "S - Scope of Systems Determination" timeframe allows time for the entity to review the requirements, file for an exemption, and receive a response regarding the outcome of the exemption before the "S" time clock starts. This allows time for implementation of requirements for items where an exemption request could be denied.
 
 
 
 
Individual
William Guldemond
Pacific Gas and Electric/Diablo Canyon Power Plant
Yes
Yes
No
No
No
Individual
Kirit Shah
Ameren
YES.
YES.
NO.
Yes. CIP-006-1 R1, R2, R3 currently do not allow enough time. These requirements need to be changed to outage dependent. Depending on the physical access control changes or a “six-wall” border change the plant may need to be on outage to make these changes.
No.