PCS has been providing mock audit services using the NERC Evidence Request Tool (ERT), or participated in regional audits using the ERT across all of the NERC Regions for well over a year. During this time, we’ve noticed that many of our clients struggled when preparing for their first CIP audit using the ERT. In order to help alleviate that struggle, PCS has put together the following tips to help entities navigate the ERT tool when preparing for a NERC CIP audit:
- Read the information in each Request ID very carefully and provide sufficient information to answer the request.
- Several of your program documents will appear in multiple folders. Ensure the document is provided for each request ID and don’t reference another Request ID for the auditor to find the document.
- Several Request IDs ask for multiple items. Ensure each item in the request is addressed. Do not hesitate to ask your regional audit team lead to further clarify a request.
- Organize responses by Request ID. Most regions provide guidance on how they want the responses organized.
- Most regional CIP audits have a limited scope of CIP Standards and Requirements. Sampling methodologies may depend on an out-of-scope tab being completed in order to select samples. For example, the CIP-002-related ‘BES Assets’, ‘CA’, and ‘Low CA’ tabs may be needed to perform sampling for other Standards, such asCIP-007 and CIP-010. These out-of-scope tabs should be completed when they are required for sampling. Reach out to your regional audit team lead if you have any questions regarding required evidence for sampling.
- Do not assume that the documentation and evidence you provided with your RSAWs in the past will address all of the Request IDs. You will notice that some of the requests go well above the language of the Standards and associated measures, but you should answer as completely as possible, as your regional audit team is attempting to measure your CIP compliance program’s maturity.
- Many of the sample sets are used for multiple Request IDs and across multiple Requirements and even Standards. Don’t let the nomenclature of the sample set confuse you.
- Pay attention to sample bookend dates associated with some of the ERT Level 2 Request IDs. Ensure that your evidence covers the entire sample period and do not provide evidence outside of the selected sample period.
- Ensure all in-scope Tabs are fully populated when providing your ERT Level 1 response.
- Do not complete the orange section in the tabs. This is reserved for the auditors to perform their sampling.
- Use care in populating fields in each of the tabs. Some tabs used a dropdown that must be selected when populating the tabs and other tabs are designed for free-form data entry.
- Under the TCA Tab, make sure you understand the differences between TCAs managed in an ‘on-going’ and ‘on-demand’ manner and complete the TCA Management Type tab appropriately.
- Under the CSI Tab, a Cyber Security Incident Response Plan exercise is considered an activation of the Cyber Security Incident Response Plan and must be listed on this tab.Select Yes in column F and column H for all tests.
- Ensure that all in-scope procurements are listed in the Procurements tab – this could include purchases made with P-Cards and credit cards.
- Provide a narrative for each Request ID. Narratives can be provided in the ‘Entity Response’ column on the Level 2 tab of the ERT or can be provided in a document that you include inside each Request ID folder. The narrative helps the auditors to quickly find the appropriate information to confirm compliance and can be used to further explain how compliance objectives were obtained (similar to the RSAW narrative). Your regional audit team may provide additional guidance on which method they prefer. Annotate within the evidence whenever possible, as this will help guide the auditor through data that could otherwise be misinterpreted.
PCS is available to assist your organization with everything from training on how to use the ERT, to conducting a complete NERC CIP mock audit that follows the same process of your actual upcoming CIP audit. Our professional CIP consultants have many years of experience as NERC and regional auditors and have been active participants in NERC CIP audits across all the NERC regions.