CIS Controls v8 Mapping To NERC CIP 2 2023

This document contains mappings of the CIS Critical Securit Controls (CIS Controls) and CIS Safeguards to
Corporation-Critical Infrastructure Protection Standards (NERC-CIP Standards)

Last updated January 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org
Editors
Thomas Sager
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nd/4.0/legalcode
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing t
the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-
are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
Mapping Methodology
Mapping Methodology
This page describes the methodology used to map the CIS Controls to the North American Electric Reliabi
Reference link for NERC-CIP: https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item
CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS Security
CIS Safeguard Asset Type
Control Function
1
1 1.1 Devices Identify
1 1.2 Devices Respond
1 1.3 Devices Detect
1 1.4 Devices Identify
2 2.1 Applications Identify

2 2.3 Applications Respond
2 2.4 Applications Detect
2 2.5 Applications Protect
3 3.1 Data Identify

3 3.1 Data Identify
3 3.2 Data Identify
3 3.3 Data Protect
3 3.4 Data Protect
3 3.5 Data Protect
3 3.5 Data Protect
3 3.6 Devices Protect
3 3.7 Data Identify
3 3.8 Data Identify
3 3.9 Data Protect
3 3.10 Data Protect

3 3.10 Data Protect
3 3.11 Data Protect
3 3.12 Network Protect
3 3.13 Data Protect
3 3.14 Data Detect
4

4 4.3 Users Protect

4 4.7 Users Protect
4 4.7 Users Protect
4 4.10 Devices Respond
5
5 5.1 Users Identify
5 5.2 Users Protect
5 5.3 Users Respond
5 5.4 Users Protect
5 5.6 Users Protect

6
6 6.1 Users Protect
6 6.2 Users Protect
6 6.2 Users Protect
6 6.2 Users Protect

6 6.2 Users Protect
6 6.3 Users Protect
6 6.4 Users Protect
6 6.5 Users Protect
6 6.7 Users Protect
6 6.8 Data Protect
6 6.8 Data Protect
6 6.8 Data Protect


8 8.2 Network Detect

8 8.12 Data Detect

10
11
11 11.1 Data Recover
11 11.3 Data Protect

12
12 12.4 Network Identify

13

14
14 14.1 N/A Protect
14 14.1 N/A Protect

14 14.1 N/A Protect
14 14.1 N/A Protect
14 14.2 N/A Protect
14 14.3 N/A Protect
14 14.4 N/A Protect
14 14.5 N/A Protect

14 14.6 N/A Protect
14 14.7 N/A Protect
14 14.8 N/A Protect
14 14.9 N/A Protect
15
15 15.1 N/A Identify

15 15.4 N/A Protect
15 15.6 Data Detect

15 15.6 Data Detect
15 15.7 Data Protect
16


17
17 17.1 N/A Respond
17 17.2 N/A Respond
17 17.3 N/A Respond

17 17.4 N/A Respond
17 17.4 N/A Respond
17 17.4 N/A Respond
17 17.4 N/A Respond
17 17.4 N/A Respond
17 17.5 N/A Respond

17 17.6 N/A Respond
17 17.7 N/A Recover
17 17.8 N/A Recover
17 17.8 N/A Recover
17 17.9 N/A Recover
18


Title
Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including p
devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructu
remotely, and those within cloud environments, to accurately know the totality of assets that need
protected within the enterprise. This will also support identifying unauthorized and unmanaged ass
Establish and Maintain Detailed

Enterprise Asset Inventory
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host

Configuration Protocol (DHCP)
Logging to Update Enterprise
Asset Inventory
Use a Passive Asset Discovery

Tool
Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) o
authorized software is installed and can execute, and that unauthorized and unmanaged software is
installation or execution.
Establish and Maintain a

Software Inventory
Ensure Authorized Software is
Currently Supported
Address Unauthorized Software
Utilize Automated Software

Inventory Tools
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose
Establish and Maintain a Data

Management Process
Management Process

Inventory
Configure Data Access Control

Lists
Enforce Data Retention
Securely Dispose of Data
Securely Dispose of Data
Encrypt Data on End-User

Devices

Classification Scheme
Document Data Flows
Encrypt Data on Removable

Media
Encrypt Sensitive Data in

Transit
Encrypt Sensitive Data in
Transit
Encrypt Sensitive Data at Rest
Segment Data Processing and

Storage Based on Sensitivity
Deploy a Data Loss Prevention

Solution
Log Sensitive Data Access
Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including p
network devices; non-computing/IoT devices; and servers) and software (operating systems and ap
Secure Configuration Process

for Network Infrastructure

for Network Infrastructure
Configure Automatic Session

Locking on Enterprise Assets
Implement and Manage a

Firewall on Servers

Firewall on End-User Devices


Securely Manage Enterprise

Assets and Software
Manage Default Accounts on

Enterprise Assets and Software
Manage Default Accounts on

Uninstall or Disable
Unnecessary Services on
Configure Trusted DNS Servers
on Enterprise Assets
Enforce Automatic Device

Lockout on Portable End-User
Devices
Enforce Remote Wipe

Capability on Portable End-User
Devices
Separate Enterprise
Workspaces on Mobile End-
User Devices
Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
accounts, as well as service accounts, to enterprise assets and software.
Establish and Maintain an
Inventory of Accounts
Use Unique Passwords
Disable Dormant Accounts

Restrict Administrator Privileges
to Dedicated Administrator
Accounts

Inventory of Service Accounts
Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
service accounts for enterprise assets and software.
Establish an Access Granting

Process
Establish an Access Revoking

Process

Process

Process
Process
Require MFA for Externally-

Exposed Applications
Require MFA for Remote

Network Access
Require MFA for Administrative
Access
Inventory of Authentication and
Authorization Systems
Centralize Access Control
Define and Maintain Role-

Based Access Control


Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the e
in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and pr
new threat and vulnerability information.

Vulnerability Management
Process
Vulnerability Management
Process

Remediation Process
Perform Automated Operating

System Patch Management
Perform Automated Application

Patch Management
Perform Automated
Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
Externally-Exposed Enterprise
Assets
Remediate Detected
Vulnerabilities
Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
Establish and Maintain an Audit

Log Management Process
Collect Audit Logs
Ensure Adequate Audit Log

Storage
Standardize Time
Synchronization
Collect Detailed Audit Logs
Collect DNS Query Audit Logs

Collect URL Request Audit
Logs
Collect Command-Line Audit
Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews
Collect Service Provider Logs
Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportuniti
manipulate human behavior through direct engagement.
Ensure Use of Only Fully
Supported Browsers and Email
Clients
Use DNS Filtering Services
Maintain and Enforce Network-

Based URL Filters
Restrict Unnecessary or
Unauthorized Browser and
Email Client Extensions
Implement DMARC
Block Unnecessary File Types

Deploy and Maintain Email
Server Anti-Malware
Protections
Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts
Deploy and Maintain Anti-

Malware Software
Deploy and Maintain Anti-
Malware Software
Configure Automatic Anti-
Malware Signature Updates
Disable Autorun and Autoplay
for Removable Media
Malware Scanning of
Removable Media

Malware Scanning of
Removable Media
Enable Anti-Exploitation
Features
Centrally Manage Anti-Malware

Software
Use Behavior-Based Anti-
Malware Software
Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a
state.
Recovery Process

Recovery Process
Perform Automated Backups
Protect Recovery Data

Isolated Instance of Recovery
Data
Test Data Recovery
Test Data Recovery

Test Data Recovery
Test Data Recovery
Network Infrastructure
Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
exploiting vulnerable network services and access points.
Ensure Network Infrastructure is

Up-to-Date

Secure Network Architecture
Secure Network Architecture
Securely Manage Network
Infrastructure
Establish and Maintain

Architecture Diagram(s)

Architecture Diagram(s)
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network

Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure

Dedicated Computing
Resources for All Administrative
Work
Network Monitoring and

Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
threats across the enterprise’s network infrastructure and user base.
Centralize Security Event

Alerting
Deploy a Host-Based Intrusion

Detection Solution
Deploy a Network Intrusion

Detection Solution
Perform Traffic Filtering

Between Network Segments
Manage Access Control for

Remote Assets

Remote Assets

Remote Assets
Collect Network Traffic Flow
Logs
Deploy a Host-Based Intrusion

Prevention Solution
Deploy a Network Intrusion

Prevention Solution
Deploy Port-Level Access

Control
Perform Application Layer

Filtering
Tune Security Event Alerting
Thresholds
Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce t
properly skilled to reduce cybersecurity risks to the enterprise.

Security Awareness Program


Train Workforce Members to

Recognize Social Engineering
Attacks
Train Workforce Members on
Authentication Best Practices
Train Workforce on Data

Handling Best Practices

Causes of Unintentional Data
Exposure
Recognizing and Reporting
Security Incidents
Train Workforce on How to

Identify and Report if Their
Enterprise Assets are Missing
Security Updates
Train Workforce on the Dangers

of Connecting to and
Transmitting Enterprise Data
Over Insecure Networks
Conduct Role-Specific Security

Awareness and Skills Training
Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
platforms or processes, to ensure these providers are protecting those platforms and data appropr

Inventory of Service Providers
Service Provider Management
Policy
Classify Service Providers
Ensure Service Provider

Contracts Include Security
Requirements
Assess Service Providers
Monitor Service Providers

Monitor Service Providers
Securely Decommission
Service Providers
Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
weaknesses before they can impact the enterprise.

Secure Application
Development Process

Process to Accept and Address
Software Vulnerabilities
Perform Root Cause Analysis

on Security Vulnerabilities
Establish and Manage an

Inventory of Third-Party
Software Components
Use Up-to-Date and Trusted

Third-Party Software
Components

Severity Rating System and
Process for Application
Vulnerabilities
Use Standard Hardening
Configuration Templates for
Application Infrastructure
Separate Production and Non-

Production Systems
Train Developers in Application

Security Concepts and Secure
Coding
Apply Secure Design Principles

in Application Architectures
Leverage Vetted Modules or

Services for Application
Security Components
Implement Code-Level Security

Checks
Conduct Application Penetration

Testing
Conduct Application Penetration

Testing
Conduct Threat Modeling
Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, p
training, and communications) to prepare, detect, and quickly respond to an attack.
Designate Personnel to Manage

Incident Handling
Establish and Maintain Contact

Information for Reporting
Security Incidents

Enterprise Process for
Reporting Incidents
Incident Response Process




Assign Key Roles and

Responsibilities
Define Mechanisms for
Communicating During Incident
Response
Conduct Routine Incident

Response Exercises
Conduct Post-Incident Reviews
Establish and Maintain Security

Incident Thresholds
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
processes, and technology), and simulating the objectives and actions of an attacker.
Penetration Testing Program


Perform Periodic External

Penetration Tests
Remediate Penetration Test

Findings
Validate Security Measures
Perform Periodic Internal

Penetration Tests
Description
l of Enterprise Assets
entory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network
ing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually,
within cloud environments, to accurately know the totality of assets that need to be monitored and
enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the
potential to store or process data, to include: end-user devices (including portable and mobile), network
devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if
static), hardware address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user devices, MDM
type tools can support this process, where appropriate. This inventory includes assets connected to the
infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it
includes assets that are regularly connected to the enterprise’s network infrastructure, even if they
are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-
annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may
choose to remove the asset from the network, deny the asset from connecting remotely to the network,
or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the
active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update
the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory
weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use
scans to update the enterprise’s asset inventory at least weekly, or more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the network so that only
s installed and can execute, and that unauthorized and unmanaged software is found and prevented from
ion.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The
software inventory must document the title, publisher, initial install/use date, and business purpose for
each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s),
deployment mechanism, and decommission date. Review and update the software inventory bi-
annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for
enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s
mission, document an exception detailing mitigating controls and residual risk acceptance. For any
unsupported software without an exception documentation, designate as unauthorized. Review the
software list to verify software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a
documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery
and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can
execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so,
etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a
system process. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized
scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from
executing. Reassess bi-annually, or more frequently.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data sensitivity, data
owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and
retention standards for the enterprise. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a data management process. In the process, address data sensitivity, data
owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and
retention standards for the enterprise. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a
priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control lists,
also known as access permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention must include both
minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal
process and method are commensurate with the data sensitivity.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal
process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include:
Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use
labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those
labels. Review and update the classification scheme annually, or when significant enterprise changes
occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be
based on the enterprise’s data management process. Review and update documentation annually, or
when significant enterprise changes occur that could impact this Safeguard.
Encrypt data on removable media.
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS)
and Open Secure Shell (OpenSSH).
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS)
and Open Secure Shell (OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data.
Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this
Safeguard. Additional encryption methods may include application-layer encryption, also known as
client-side encryption, where access to the data storage device(s) does not permit access to the plain-
text data.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive
data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all
sensitive data stored, processed, or transmitted through enterprise assets, including those located
onsite or at a remote service provider, and update the enterprise's sensitive data inventory.
Log sensitive data access, including modification and disposal.
of Enterprise Assets and Software
in the secure configuration of enterprise assets (end-user devices, including portable and mobile;
-computing/IoT devices; and servers) and software (operating systems and applications).
Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software (operating
systems and applications). Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software (operating
systems and applications). Review and update documentation annually, or when significant enterprise
Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For
general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user
devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a
virtual firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-
deny rule that drops all traffic except those services and ports that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces
over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure
(HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP,
unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or
making them unusable.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can include: disabling default accounts or
making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file
sharing service, web application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring
assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication
attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed
authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts.
Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile
maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed
appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported.
Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to
separate enterprise applications and data from personal applications and data.
ools to assign and manage authorization to credentials for user accounts, including administrator
service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must
include both user and administrator accounts. The inventory, at a minimum, should contain the
person’s name, username, start/stop dates, and department. Validate that all active accounts are
authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum,
an 8-character password for accounts using MFA and a 14-character password for accounts not using
MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct
general computing activities, such as internet browsing, email, and productivity suite use, from the
user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain
department owner, review date, and purpose. Perform service account reviews to validate that all
active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
ools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and
enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon
new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through
disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling
accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported.
Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this
Safeguard.
Require MFA for remote network access.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether
managed on-site or through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems,
including those hosted on-site or at a remote service provider. Review and update the inventory, at a
minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where
supported.
Define and maintain role-based access control, through determining and documenting the access
rights necessary for each role within the enterprise to successfully carry out its assigned duties.
Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a
recurring schedule at a minimum annually, or more frequently.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure,
and minimize, the window of opportunity for attackers. Monitor public and private industry sources for
rability information.
Establish and maintain a documented vulnerability management process for enterprise assets. Review
and update documentation annually, or when significant enterprise changes occur that could impact
this Safeguard.
Establish and maintain a documented vulnerability management process for enterprise assets. Review
this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with
monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a monthly,
or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent,
basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability
scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-

compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more
frequent, basis, based on the remediation process.
and retain audit logs of events that could help detect, understand, or recover from an attack.
Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise
assets. Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been
enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log
management process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise
assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source,
date, username, timestamp, source addresses, destination addresses, and other useful elements that
could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential
threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting
authentication and authorization events, data creation and disposal events, and user management
events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for attackers to
ehavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only
using the latest version of browsers and email clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially
malicious or unapproved websites. Example implementations include category-based filtering,
reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email
client plugins, extensions, and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and
verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys
Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or
sandboxing.
e installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Deploy and maintain anti-malware software on all enterprise assets.
Deploy and maintain anti-malware software on all enterprise assets.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple®
System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted
Establish and maintain a data recovery process. In the process, address the scope of data recovery
activities, recovery prioritization, and the security of backup data. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data recovery process. In the process, address the scope of data recovery
activities, recovery prioritization, and the security of backup data. Review and update documentation
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently,
based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include,
version controlling backup destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
, and actively manage (track, report, correct) network devices, in order to prevent attackers from
network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest
stable release of software and/or using currently supported network-as-a-service (NaaS) offerings.
Review software versions monthly, or more frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must address
segmentation, least privilege, and availability, at a minimum.
Establish and maintain a secure network architecture. A secure network architecture must address
segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review
this Safeguard.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review
this Safeguard.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access
2 (WPA2) Enterprise or greater).
Require users to authenticate to enterprise-managed VPN and authentication services prior to
accessing enterprise resources on end-user devices.
Require users to authenticate to enterprise-managed VPN and authentication services prior to

accessing enterprise resources on end-user devices.
Establish and maintain dedicated computing resources, either physically or logically separated, for all
administrative tasks or tasks requiring administrative access. The computing resources should be
segmented from the enterprise's primary network and not be allowed internet access.
nd tooling to establish and maintain comprehensive network monitoring and defense against security
terprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event correlation
alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this
Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or
supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud
service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of
access to enterprise resources based on: up-to-date anti-malware software installed, configuration
compliance with the enterprise’s secure configuration process, and ensuring the operating system and
applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or
supported. Example implementations include use of an Endpoint Detection and Response (EDR) client
or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include
the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access
control protocols, such as certificates, and may incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer
firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.
and Skills Training
in a security awareness program to influence behavior among the workforce to be security conscious and
duce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security awareness program is
to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure
manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and
tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password
composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive
data. This also includes training workforce members on clear screen and desk best practices, such as
locking their screen when they step away from their enterprise asset, erasing physical and virtual
whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics
include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to
unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an
incident.
Train workforce to understand how to verify and report out-of-date software patches or any failures in
automated processes and tools. Part of this training should include notifying IT personnel of any
failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include guidance
to ensure that all users securely configure their home network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations include secure
system administration courses for IT professionals, (OWASP® Top 10 vulnerability awareness and
prevention training for web application developers, and advanced social engineering awareness
training for high-profile roles.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT
es, to ensure these providers are protecting those platforms and data appropriately.
Establish and maintain an inventory of service providers. The inventory is to list all known service
providers, include classification(s), and designate an enterprise contact for each service provider.
Review and update the inventory annually, or when significant enterprise changes occur that could
impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers. Review
and update the policy annually, or when significant enterprise changes occur that could impact this
Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such
as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and
mitigated risk. Update and review classifications annually, or when significant enterprise changes occur
that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include
minimum security program requirements, security incident and/or data breach notification and
response, data encryption requirements, and data disposal commitments. These security requirements
must be consistent with the enterprise’s service provider management policy. Review service provider
contracts annually to ensure contracts are not missing security requirements.
Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of standardized
assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI)
Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes.
Reassess service providers annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring service
provider release notes, and dark web monitoring.
Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring service
provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account
deactivation, termination of data flows, and secure disposal of enterprise data within service provider
systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security
hey can impact the enterprise.
Establish and maintain a secure application development process. In the process, address such items
as: secure application design standards, secure coding practices, developer training, vulnerability
management, security of third-party code, and application security testing procedures. Review and
update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including
providing a means for external entities to report. The process is to include such items as: a vulnerability
handling policy that identifies reporting process, responsible party for handling vulnerability reports, and
a process for intake, assignment, remediation, and remediation testing. As part of the process, use a
vulnerability tracking system that includes severity ratings, and metrics for measuring timing for
identification, analysis, and remediation of vulnerabilities. Review and update documentation annually,
or when significant enterprise changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set
expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause
analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows
development teams to move beyond just fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often
referred to as a “bill of materials,” as well as components slated for future use. This inventory is to
include any risks that each third-party component could pose. Evaluate the list at least monthly to
identify any changes or updates to these components, and validate that the component is still
supported.
Use up-to-date and trusted third-party software components. When possible, choose established and
proven frameworks and libraries that provide adequate security. Acquire these components from
trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes
setting a minimum level of security acceptability for releasing code or applications. Severity ratings
bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the
most severe bugs are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure
components. This includes underlying servers, databases, and web servers, and applies to cloud
containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house
developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific
development environment and responsibilities. Training can include general security principles and
application security standard practices. Conduct training at least annually and design in a way to
promote security within the development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user makes,
promoting the concept of "never trust user input." Examples include ensuring that explicit error
checking is performed and documented for all input, including for size, data type, and acceptable
ranges or formats. Secure design also means minimizing the application infrastructure attack surface,
such as turning off unprotected ports and services, removing unnecessary programs and files, and
renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security functions
will reduce developers’ workload and minimize the likelihood of design or implementation errors.
Modern operating systems provide effective mechanisms for identification, authentication, and
authorization and make those mechanisms available to applications. Use only standardized, currently
accepted, and extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding
practices are being followed.
Conduct application penetration testing. For critical applications, authenticated penetration testing is
better suited to finding business logic vulnerabilities than code scanning and automated security
testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an
authenticated and unauthenticated user.
Conduct application penetration testing. For critical applications, authenticated penetration testing is
better suited to finding business logic vulnerabilities than code scanning and automated security
testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an
authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application
security design flaws within a design, before code is created. It is conducted through specially trained
individuals who evaluate the application design and gauge security risks for each entry point and
access level. The goal is to map out the application, architecture, and infrastructure in a structured way
to understand its weaknesses.
anagement
o develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles,
nications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling
process. Management personnel are responsible for the coordination and documentation of incident
response and recovery efforts and can consist of employees internal to the enterprise, third-party
vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to
the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes
Establish and maintain contact information for parties that need to be informed of security incidents.
Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers,
relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other
stakeholders. Verify contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process
includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum
information to be reported. Ensure the process is publicly available to all of the workforce. Review
Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant enterprise
Assign key roles and responsibilities for incident response, including staff from legal, IT, information
security, facilities, public relations, human resources, incident responders, and analysts, as applicable.
Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a
security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain
mechanisms, such as emails, can be affected during a security incident. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the
incident response process to prepare for responding to real-world incidents. Exercises need to test
communication channels, decision making, and workflows. Conduct testing on an annual basis, at a
minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an
incident and an event. Examples can include: abnormal activity, security vulnerability, security
weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes
s and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people,
ology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity
of the enterprise. Penetration testing program characteristics include scope, such as network, web
application, Application Programming Interface (API), hosted services, and physical premise controls;
frequency; limitations, such as acceptable hours, and excluded attack types; point of contact
information; remediation, such as how findings will be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually.
External penetration testing must include enterprise and environmental reconnaissance to detect
exploitable information. Penetration testing requires specialized skills and experience and must be
conducted through a qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and
capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The
testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Requirement
X X X
X X X
X X
X X
X X X
CIP-010-4, Requirement R1
X X X Superset
Part 1.6
X X X
X X
X X
X X
X X X Subset CIP-003-8, Requirement R1

X X X Subset
Part 1.2
X X X Subset
Part 1.1
X X X Subset
Part 4.1
X X X
X X X Subset
Part 2.1
X X X Subset
Part 2.2
X X X
X X Subset
Part 1.1
X X Subset
Part 1.2
X X Subset CIP-010-4, Requirement R4
X X Subset
Part 2.2
X X Subset
Part 1.1
X X Subset
Part 1.1
X Subset
Part 1.1
X Subset
Part 4.1
X X X Subset
Part 1.1
X X X Subset
Part 1.1
X X X
X X X
X X X Subset
Part 1.3
X X X Subset
Part 1.1
X X X
X X X Subset
Part 5.2
X X X Subset
Part 5.2
X X Subset
Part 5.4
X X
X X Subset
Part 5.7
X X
X
X X X Subset
Part 4.3
X X X Equivalent
Part 5.5
X X X
X X X
X X Superset
Part 5.3
X X
X X X Subset
Part 4.1
X X X Equivalent
Part 5.1
X X X Superset
Part 5.2
X X X Superset
Part 5.3
X X X Superset
Part 5.4
X X X
X X X Equivalent
Part 2.3
X X X
X X
X X Subset
Part 5.1
X Subset
Part 4.1
X Superset
Part 4.3
X Subset
Part 1.3
X X X Equivalent
Part 2.1
X X X
X X X Subset
Part 2.1
X X X Subset
Part 2.1
X X
X X
X X Subset
Part 2.3
X X X
X X X Superset
Part 4.1
X X X
X X
X X
X X
X X
X X
X X
X X Superset
Part 4.3
X X Equivalent
Part 4.4
X X X
X X X
X X
X X
X X
X X
X Subset
Part 3.1
X X X Subset
Part 3.1
X X X Subset
Part 3.2
X X X Subset
Part 3.3
X X X
X X Subset
Part 3.1
X X
X X
X X X Superset
Part 1.3
X X X
X X X
X X X
X X Equivalent
Part 1.4
X X Subset
Part 2.1
X X Subset
Part 2.2
X X Subset
Part 2.3
X X X Subset
Part 2.1
X X Superset
Part 1.1
X X Subset
Part 2.1
X X
X X Subset
Part 1.2
X X Subset
Part 2.1
X X
X X
X X Subset
Part 2.3
X X Equivalent
Part 4.2
X X
X X Subset
Part 1.5
X X
X X Subset
Part 1.4

X X Subset
Part 4.1
X Subset
Part 1.1
X Subset
Part 1.5
X X X Equivalent
Part 1.1
X X X Subset
Part 2.1
X X X Subset
Part 2.3
X X X
X X X
X X X Subset
Part 2.1
X X X
X X X Subset
Part 2.1
X X X
X X X
X X Subset
Part 2.1
X X X
X X
X Subset
Part 2.4
X Subset CIP-013-2, Requirement R2
X X
X X
X X
X X
X X
X X
X X
X X
X X
X Subset
Part 3.2
X Subset
Part 3.3
X
X X X Subset
Part 1.3
X X X Superset CIP-008-6, Requirement R4
X X X
X X Superset
Part 1.1
X X Superset
Part 1.4
X X Subset
Part 2.2
X X Equivalent
Part 1.3
X X
X X Subset
Part 2.1
X X
X X Equivalent
Part 3.1
X Superset
Part 1.2
X X Superset
Part 3.1
X X Superset
Part 3.2
X X
X X Superset
Part 3.4
X
X
Requirement Text
Prior to a change that deviates from the existing baseline configuration associated with baseline items in
Parts 1.1.1, 1.1.2, and 1.1.5, and when the method to do so is available to the Responsible Entity from the
software source:
1.6.1. Verify the identity of the software source; and
1.6.2. Verify the integrity of the software obtained from the software source.
Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15
calendar months for one or more documented cyber security policies that collectively address the
following topics:
1.1. For its high impact and medium impact BES Cyber Systems, if any:
1.1.1. Personnel and training (CIP-004);
1.1.2. Electronic Security Perimeters (CIP-005) including Interactive Remote Access;
1.1.3. Physical security of BES Cyber Systems (CIP-006);
1.1.4. System security management (CIP-007);
1.1.5. Incident reporting and response planning (CIP-008);
1.1.6. Recovery plans for BES Cyber Systems (CIP-009);
1.1.7. Configuration change management and vulnerability assessments (CIP-010);
1.1.8. Information protection (CIP-011); and
1.1.9. Declaring and responding to CIP Exceptional Circumstances.
1.2. For its assets identified in CIP-002 containing low impact BES Cyber Systems, if any:
1.2.1. Cyber security awareness;
1.2.2. Physical security controls;
1.2.3. Electronic access controls;
1.2.4. Cyber Security Incident response;
1.2.5. Transient Cyber Assets and Removable Media malicious code risk mitigation; and
Procedure(s) for protecting and securely handling BES Cyber System Information, including storage,
transit, and use.
Method(s) to identify information that meets the definition of BES Cyber System Information.
Process to authorize based on need, as determined by the Responsible Entity, except for CIP Exceptional
Circumstances:
4.1.1. Electronic access;
4.1.2. Unescorted physical access into a Physical Security Perimeter; and
4.1.3. Access to designated storage locations, whether physical or electronic, for BES Cyber System
Information.
Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information
(except for reuse within other systems identified in the “Applicable Systems” column), the Responsible
Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the
Cyber Asset data storage media.
Prior to the disposal of applicable Cyber Assets that contain BES Cyber System Information, the
Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System
Information from the Cyber Asset or destroy the data storage media.
All External Routable Connectivity must be through an identified Electronic Access Point (EAP).
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated
Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more
documented plan(s) for Transient Cyber Assets and Removable Media that include the sections in
Attachment 1.
For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
The Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more
documented plan(s) to mitigate the risks posed by unauthorized disclosure and unauthorized modification
of Real-time Assessment and Real-time monitoring data while being transmitted between any applicable
Control Centers. The Responsible Entity is not required to include oral communications in its plan. The
plan shall include:
1.1. Identification of security protection used to mitigate the risks posed by unauthorized disclosure and
unauthorized modification of Real-time Assessment and Real-time monitoring data while being
transmitted between Control Centers;
1.2. Identification of where the Responsible Entity applied security protection for transmitting Real-time
Assessment and Real-time monitoring data between Control Centers; and
1.3. If the Control Centers are owned or operated by different Responsible Entities, identification of the
responsibilities of each Responsible Entity for applying security protection to the transmission of Real-time
Assessment and Real-time monitoring data between those Control Centers.
All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined
ESP.
Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level
(per Cyber Asset capability) for identification of, and after-the-fact investigations of, Cyber Security
Incidents that includes, as a minimum, each of the following types of events:
4.1.1. Detected successful login attempts;
4.1.2. Detected failed access attempts and failed login attempts;
4.1.3. Detected malicious code.
following topics:
Develop a baseline configuration, individually or by group, which shall include the following items:
1.1.1. Operating system(s) (including version) or firmware where no independent operating system exists;
1.1.2. Any commercially available or open-source application software (including version) intentionally
installed;
1.1.3. Any custom software installed;
1.1.4. Any logical network accessible ports; and
1.1.5. Any security patches applied.
following topics:
1.1.2. Any commercially available or open-source application software (including version) intentionally
installed;
Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber
Systems shall implement one or more documented cyber security plan(s) for its low impact BES Cyber
Systems that include the sections in Attachment 1.
Require inbound and outbound access permissions, including the reason for granting access, and deny
all other access by default.
Where technically feasible, enable only logical network accessible ports that have been determined to be
needed by the Responsible Entity, including port ranges or services where needed to handle dynamic
ports. If a device has no provision for disabling or restricting logical ports on the device then those ports
that are open are deemed needed.
Attachment 1.
Identify and inventory all known enabled default or other generic account types, either by system, by
groups of systems, by location, or by system type(s).
Identify and inventory all known enabled default or other generic account types, either by system, by
groups of systems, by location, or by system type(s).
Change known default passwords, per Cyber Asset capability
Where technically feasible, either:

• Limit the number of unsuccessful authentication attempts; or
• Generate alerts after a threshold of unsuccessful authentication attempts.
For electronic access, verify at least once every 15 calendar months that all user accounts, user account
groups, or user role categories, and their specific, associated privileges are correct and are those that the
Responsible Entity determines are necessary.
For password-only authentication for interactive user access, either technically or procedurally enforce the
following password parameters:
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by
the Cyber Asset; and
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g.,
uppercase alphabetic, lowercase alphabetic, numeric, non- alphanumeric) or the maximum complexity
supported by the Cyber Asset.
Identify individuals who have authorized access to shared accounts.
Circumstances:
Information.
A process to initiate removal of an individual’s ability for unescorted physical access and Interactive
Remote Access upon a termination action, and complete the removals within 24 hours of the termination
action (Removal of the ability for access may be different than deletion, disabling, revocation, or removal
of all access rights).
For reassignments or transfers, revoke the individual’s authorized electronic access to individual accounts
and authorized unescorted physical access that the Responsible Entity determines are not necessary by
the end of the next calendar day following the date that the Responsible Entity determines that the
individual no longer requires retention of that access.
For termination actions, revoke the individual’s access to the designated storage locations for BES Cyber
System Information, whether physical or electronic (unless already revoked according to Requirement
R5.1), by the end of the next calendar day following the effective date of the termination action.
For termination actions, revoke the individual’s non-shared user accounts (unless already revoked
according to Parts 5.1 or 5.3) within 30 calendar days of the effective date of the termination action.
Require multi-factor authentication for all Interactive Remote Access sessions.
Have a method(s) to enforce authentication of interactive user access, where technically feasible.
Circumstances:
Information.
For electronic access, verify at least once every 15 calendar months that all user accounts, user account
groups, or user role categories, and their specific, associated privileges are correct and are those that the
Responsible Entity determines are necessary.
Require inbound and outbound access permissions, including the reason for granting access, and deny
all other access by default.
A patch management process for tracking, evaluating, and installing cyber security patches for applicable
Cyber Assets. The tracking portion shall include the identification of a source or sources that the
Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are
updateable and for which a patching source exists.
Attachment 1.
For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take
one of the following actions:
• Apply the applicable patches; or
• Create a dated mitigation plan; or
• Revise an existing mitigation plan.
Mitigation plans shall include the Responsible Entity’s planned actions to mitigate the vulnerabilities
addressed by each security patch and a timeframe to complete these mitigations.
Where technically feasible, retain applicable event logs identified in Part 4.1 for at least the last 90
consecutive calendar days except under CIP Exceptional Circumstances.
Review a summarization or sampling of logged events as determined by the Responsible Entity at
intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
Deploy method(s) to deter, detect, or prevent malicious code.
Mitigate the threat of detected malicious code.
For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of
the signatures or patterns. The process must address testing and installing the signatures or patterns.
Attachment 1.

following topics:
One or more processes for the backup and storage of information required to recover BES Cyber System
functionality.
One or more processes to verify the successful completion of the backup processes in Part 1.3 and to
address any backup failures.
Test each of the recovery plans referenced in Requirement R1 at least once every 15 calendar months:
• By recovering from an actual incident;
• With a paper drill or tabletop exercise; or
• With an operational exercise.
Test a representative sample of information used to recover BES Cyber System functionality at least once
every 15 calendar months to ensure that the information is useable and is compatible with current
configurations.
An actual recovery that incorporates the information used to recover BES Cyber System functionality
substitutes for this test.
Test each of the recovery plans referenced in Requirement R1 at least once every 36 calendar months
through an operational exercise of the recovery plans in an environment representative of the production
environment.
An actual recovery response may substitute for an operational exercise.
All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined
ESP.
For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset initiating
Interactive Remote Access does not directly access an applicable Cyber Asset.
For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset initiating
Interactive Remote Access does not directly access an applicable Cyber Asset.
Attachment 1.
Generate alerts for security events that the Responsible Entity determines necessitates an alert, that
includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System
capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.
Have one or more methods for detecting known or suspected malicious communications for both inbound
and outbound communications.
Where technically feasible, perform authentication when establishing Dial- up Connectivity with applicable
Cyber Assets.
Attachment 1.
Where technically feasible, enable only logical network accessible ports that have been determined to be
needed by the Responsible Entity, including port ranges or services where needed to handle dynamic
ports. If a device has no provision for disabling or restricting logical ports on the device then those ports
that are open are deemed needed.
Have one or more methods for detecting known or suspected malicious communications for both inbound
and outbound communications.
Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which
may include associated physical security practices) for the Responsible Entity’s personnel who have
authorized electronic or authorized unescorted physical access to BES Cyber Systems.
Training content on:
2.1.1. Cyber security policies;
2.1.2. Physical access controls;
2.1.4. The visitor control program;
2.1.5. Handling of BES Cyber System Information and its storage;
2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity’s
incident response plan;
2.1.7. Recovery plans for BES Cyber Systems;
2.1.8. Response to Cyber Security Incidents; and
2.1.9. Cyber security risks associated with a BES Cyber System’s electronic interconnectivity and
interoperability with other Cyber Assets, including Transient Cyber Assets, and with Removable Media.
Require completion of the training specified in Part 2.1 at least once every 15 calendar months.


Each Responsible Entity shall develop one or more documented supply chain cyber security risk
management plan(s) for high and medium impact BES Cyber Systems and their associated Electronic
Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS). The
plan(s) shall include:
1.1. One or more process(es) used in planning for the procurement of BES Cyber Systems and their
associated EACMS and PACS to identify and assess cyber security risk(s) to the Bulk Electric System
from vendor products or services resulting from: (i) procuring and installing vendor equipment and
software; and
(ii) transitions from one vendor(s) to another vendor(s).
1.2. One or more process(es) used in procuring BES Cyber Systems, and their associated EACMS and
PACS, that address the following, as applicable:
1.2.1. Notification by the vendor of vendor-identified incidents related to the products or services provided
to the Responsible Entity that pose cyber security risk to the Responsible Entity;
1.2.2. Coordination of responses to vendor-identified incidents related to the products or services
provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor
representatives;
1.2.4. Disclosure by vendors of known vulnerabilities related to the products or services provided to the
Responsible Entity;
1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor
for use in the BES Cyber System and their associated EACMS and PACS; and
1.2.6. Coordination of controls for vendor-initiated remote access.
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s)
specified in Requirement R1.
Have one or more methods for determining active vendor remote access sessions (including Interactive
Remote Access and system-to-system remote access).
Where technically feasible, at least once every 36 calendar months:
3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability
assessment in a production environment where the test is performed in a manner that minimizes adverse
effects, that models the baseline configuration of the BES Cyber System in a production environment; and
3.2.2 Document the results of the testing and, if a test environment was used, the differences between the
test environment and the production environment, including a description of the measures used to
account for any differences in operation between the test and production environments.
Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability
assessment of the new Cyber Asset, except for CIP Exceptional Circumstances and like replacements of
the same type of Cyber Asset with a baseline configuration that models an existing baseline configuration
of the previous or other existing Cyber Asset.
The roles and responsibilities of Cyber Security Incident response groups or individuals.
Each Responsible Entity shall notify the Electricity Information Sharing and Analysis Center (E-ISAC) and,
if subject to the
jurisdiction of the United States, the United States National Cybersecurity and Communications
Integration Center
(NCCIC),1 or their successors, of a Reportable Cyber Security Incident and a Cyber Security Incident that
was an attempt to
compromise, as determined by applying the criteria from Requirement R1, Part 1.2.1, a system identified
in the “Applicable
Systems” column, unless prohibited by law, in accordance with each of the applicable requirement parts
in CIP-008-6 Table
R4 – Notifications and Reporting for Cyber Security Incidents.
following topics:
One or more processes to identify, classify, and respond to Cyber Security Incidents.
Incident handling procedures for Cyber Security Incidents.
Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a
Reportable Cyber Security Incident, responding to a Cyber Security Incident that attempted to
compromise a system identified in the “Applicable Systems” column for this Part, or performing an
exercise of a Reportable Cyber Security Incident. Document deviations from the plan(s) taken during the
response to the incident or exercise.
Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:
• By responding to an actual Reportable Cyber Security Incident;
• With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
• With an operational exercise of a Reportable Cyber Security Incident.
No later than 90 calendar days after completion of a Cyber Security Incident response plan(s) test or
actual Reportable Cyber Security Incident response:
3.1.1. Document any lessons learned or document the absence of any lessons learned;
3.1.2. Update the Cyber Security Incident response plan based on any documented lessons learned
associated with the plan; and
3.1.3. Notify each person or group with a defined role in the Cyber Security Incident response plan of the
updates to the Cyber Security Incident response plan based on any documented lessons learned.
One or more processes:

1.2.1 That include criteria to evaluate and define attempts to compromise;
1.2.2 To determine if an identified Cyber Security Incident is:
• A Reportable Cyber Security Incident; or
• An attempt to compromise, as determined by applying the criteria from Part 1.2.1, one or more systems
identified in the “Applicable Systems” column for this Part; and
1.2.3 To provide notification per Requirement R4.
following topics:
At least once every 15 calendar months, conduct a paper or active vulnerability assessment.

3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability
assessment in a production environment where the test is performed in a manner that minimizes adverse
effects, that models the baseline configuration of the BES Cyber System in a production environment; and
3.2.2 Document the results of the testing and, if a test environment was used, the differences between the
test environment and the production environment, including a description of the measures used to
account for any differences in operation between the test and production environments.
Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action
plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of
completing the action plan and the execution status of any remediation or mitigation action items.
The following CIS Safeguards are NOT mapped to NERC-CIP
1.1
1.2
1.3
1.4
1.5
2.1
2.3
2.4
2.5
2.6
2.7
3.4
3.6
4.3
4.4
4.6
4.9
4.11
4.12
5.3
5.4
5.6
6.3
6.5
6.6
7.2
7.5
7.6
8.1
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.12
9.1
9.2
9.3
9.4
9.5
9.6
10.3
10.6
10.7
11.2
11.3
11.4
12.3
12.5
12.6
12.8
13.2
13.4
13.7
13.8
13.11
14.2
14.3
14.5
14.7
14.8
15.1
15.3
15.5
15.7
16.1
16.2
16.3
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.14
17.3
17.6
17.8
18.2
18.4
18.5
The following CIS Safeguards are NOT mapped to NERC-CIP
Establish and Maintain Detailed Enterprise Asset Inventory
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use a Passive Asset Discovery Tool
Establish and Maintain a Software Inventory
Address Unauthorized Software
Utilize Automated Software Inventory Tools
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
Enforce Data Retention
Encrypt Data on End-User Devices
Configure Automatic Session Locking on Enterprise Assets
Implement and Manage a Firewall on Servers
Securely Manage Enterprise Assets and Software
Configure Trusted DNS Servers on Enterprise Assets

Enforce Remote Wipe Capability on Portable End-User Devices
Separate Enterprise Workspaces on Mobile End-User Devices

Disable Dormant Accounts
Restrict Administrator Privileges to Dedicated Administrator Accounts

Centralize Account Management
Require MFA for Externally-Exposed Applications
Require MFA for Administrative Access
Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and Maintain a Remediation Process
Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Establish and Maintain an Audit Log Management Process

Ensure Adequate Audit Log Storage
Standardize Time Synchronization
Collect Detailed Audit Logs

Collect DNS Query Audit Logs
Collect URL Request Audit Logs
Collect Command-Line Audit Logs

Centralize Audit Logs
Collect Service Provider Logs
Ensure Use of Only Fully Supported Browsers and Email Clients

Use DNS Filtering Services
Maintain and Enforce Network-Based URL Filters
Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Disable Autorun and Autoplay for Removable Media
Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software
Perform Automated Backups

Protect Recovery Data
Establish and Maintain an Isolated Instance of Recovery Data
Securely Manage Network Infrastructure

Centralize Network Authentication, Authorization, and Auditing (AAA)
Use of Secure Network Management and Communication Protocols
Establish and Maintain Dedicated Computing Resources for All Administrative Work
Deploy a Host-Based Intrusion Detection Solution
Perform Traffic Filtering Between Network Segments
Deploy a Host-Based Intrusion Prevention Solution
Deploy a Network Intrusion Prevention Solution

Tune Security Event Alerting Thresholds
Train Workforce Members to Recognize Social Engineering Attacks
Train Workforce Members on Authentication Best Practices
Train Workforce Members on Causes of Unintentional Data Exposure
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Establish and Maintain an Inventory of Service Providers
Classify Service Providers
Assess Service Providers

Securely Decommission Service Providers
Establish and Maintain a Secure Application Development Process
Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Perform Root Cause Analysis on Security Vulnerabilities
Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Use Standard Hardening Configuration Templates for Application Infrastructure

Separate Production and Non-Production Systems
Train Developers in Application Security Concepts and Secure Coding
Apply Secure Design Principles in Application Architectures
Leverage Vetted Modules or Services for Application Security Components

Implement Code-Level Security Checks
Conduct Threat Modeling

Establish and Maintain an Enterprise Process for Reporting Incidents
Define Mechanisms for Communicating During Incident Response
Perform Periodic External Penetration Tests
Validate Security Measures
Perform Periodic Internal Penetration Tests

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to s
process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT dev
servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise a
owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile
devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to t
infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets tha
regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Re
update the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remo
asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discove
execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to upda
enterprise’s asset inventory at least weekly, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inve
document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review
update the software inventory bi-annually, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented excep
Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documenta
installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be ac
Reassess bi-annually,
Use technical controlsorto more frequently.
ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are
load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually,
frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annuall
frequently.
Retain data according to the enterprise’s data management process. Data retention must include both minimum and
timelines.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLoc
FileVault®, Linux® dm-crypt.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose op
systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minute
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, o
system firewall, or a third-party firewall agent.
Securely manage enterprise assets and software. Example implementations include managing configuration through
controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Se
(SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telne
Network) and HTTP, unless operationally essential.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
controlled DNS servers and/or reputable externally accessible DNS servers.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
stolen devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data
personal applications and data.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computin
such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Centralize account management through a directory or identity service.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on
through a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or mo
reviews.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct
authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability
tool. Perform scans on a monthly, or more frequent, basis.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a m
address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation a
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, usernam
timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic inves
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
events, data creation and disposal events, and user management events.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
browsers and email clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or throu
of block lists. Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ex
and add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, s
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Disable autorun and autoplay auto-execute functionality for removable media.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
the data.recovery data with equivalent controls to the original data. Reference encryption or data separation, based o
Protect
requirements.
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling b
destinations through offline, cloud, or off-site systems or services.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code
use of secure network protocols, such as SSH and HTTPS.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En
greater).
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative
tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary
and not be allowed internet access.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Perform traffic filtering between network segments, where appropriate.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a N
Intrusion Prevention System (NIPS) or equivalent CSP service.
Tune security event alerting thresholds monthly, or more frequently.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
management.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely conf
home network infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
classification(s), and designate an enterprise contact for each service provider. Review and update the inventory an
Classify service providers. Classification consideration may include one or more characteristics, such as data sensit
volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classif
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
based on classification(s), and may include review of standardized assessment reports, such as Service Organizatio
(SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other ap
rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
Securely decommission service providers. Example considerations include user and service account deactivation, te
of data flows, and secure disposal of enterprise data within service provider systems.
Establish and maintain a secure application development process. In the process, address such items as: secure ap
design standards, secure coding practices, developer training, vulnerability management, security of third-party code
application security testing procedures. Review and update documentation annually, or when significant enterprise c
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a me
external entities to report. The process is to include such items as: a vulnerability handling policy that identifies repo
process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and
testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for mea
timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or w
significant enterprise changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just
individual vulnerabilities as they arise.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing t
which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for
code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk manageme
helps ensure the most severe bugs are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure components.
includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (Pa
components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
environment and responsibilities. Training can include general security principles and application security standard p
Conduct training at least annually and design in a way to promote security within the development team, and build a
security among the developers.
Apply secure design principles in application architectures. Secure design principles include the concept of least priv
enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user inpu
Examples include ensuring that explicit error checking is performed and documented for all input, including for size,
and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surfac
turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing de
accounts.
Leverage vetted modules or services for application security components, such as identity management, encryption
auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minim
likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identifica
authentication, and authorization and make those mechanisms available to applications. Use only standardized, cur
accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create a
secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
design, before code is created. It is conducted through specially trained individuals who evaluate the application des
gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and
infrastructure in a structured way to understand its weaknesses.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes rep
timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the
publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could im
Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can
during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safe
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons le
follow-up action.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing req
specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to det
techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may
or opaque box.
The following NERC-CIP Requirements are not mapped to the CIS Controls
CIP-002-5.1a, Requirement R1
CIP-004-6, Requirement R2 Part 2.2



quirements are not mapped to the CIS Controls
Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts
1.1 through 1.3:
i.Control Centers and backup Control Centers; ii.Transmission stations and substations; iii.Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initia
switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
The Responsible Entity shall:

2.1 Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at
least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once
every 15 calendar months, even if it has no identified items in Requirement R1.
Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30
calendar days of the change.
The Responsible Entity shall implement a documented process to delegate authority, unless no delegation
are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specif
actions to a delegate or delegates. These delegations shall be documented, including the name or title of
the delegate, the specific actions delegated, and the date of the delegation; approved by the CIP Senior
Manager; and updated within 30 days of any change to the delegation. Delegation changes do not need to
be reinstated with a change to the delegator.
Require completion of the training specified in Part 2.1 prior to granting authorized electronic access and
authorized unescorted physical access to applicable Cyber Assets, except during CIP Exceptional
Circumstances.
Process to confirm identity.
Process to perform a seven year criminal history records check as part of each personnel risk assessment
that includes:
3.2.1. current residence, regardless of duration; and
3.2.2. other locations where, during the seven years immediately prior to the date of the criminal history
records check, the subject has resided for six consecutive months or more. An example of evidence may
include, but is not limited to, documentation of the Responsible Entity’s process to perform a seven year
criminal history records check.
If it is not possible to perform a full seven year criminal history records check, conduct as much of the seve
year criminal history records check as possible and document the reason the full seven year criminal histo
records check could not be performed.
Criteria or process to evaluate criminal history records checks for authorizing access.
Criteria or process for verifying that personnel risk assessments performed for contractors or service
vendors are conducted according to Parts 3.1 through 3.3.
Process to ensure that individuals with authorized electronic or authorized unescorted physical access hav
had a personnel risk assessment completed according to Parts 3.1 to 3.4 within the last seven years.
Verify at least once each calendar quarter that individuals with active electronic access or unescorted
physical access have authorization records.
Verify at least once every 15 calendar months that access to the designated storage locations for BES
Cyber System Information, whether physical or electronic, are correct and are those that the Responsible
Entity determines are necessary for performing assigned work functions.
For termination actions, change passwords for shared account(s) known to the user within 30 calendar day
of the termination action. For reassignments or transfers, change passwords for shared account(s) known
to the user within 30 calendar days following the date that the Responsible Entity determines that the
individual no longer requires retention of that access.
If the Responsible Entity determines and documents that extenuating operating circumstances require a
longer time period, change the password(s) within 10 calendar days following the end of the operating
circumstances.
Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access
and system-to-system remote access).
Have one or more method(s) to determine authenticated vendor- initiated remote connections.
Have one or more method(s) to terminate authenticated vendor- initiated remote connections and control
the ability to reconnect.
Define operational or procedural controls to restrict physical access.
Utilize at least one physical access control to allow unescorted physical access into each applicable
Physical Security Perimeter to only those individuals who have authorized unescorted physical access.
Where technically feasible, utilize two or more different physical access controls (this does not require two
completely independent physical access control systems) to collectively allow unescorted physical access
into Physical Security Perimeters to only those individuals who have authorized unescorted physical
access.
Monitor for unauthorized access through a physical access point into a Physical Security Perimeter.
Issue an alarm or alert in response to detected unauthorized access through a physical access point into a
Physical Security Perimeter to the personnel identified in the BES Cyber Security Incident response plan
within 15 minutes of detection.
Monitor each Physical Access Control System for unauthorized physical access to a Physical Access
Control System.
Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control
System to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of
the detection.
Log (through automated means or by personnel who control entry) entry of each individual with authorized
unescorted physical access into each Physical Security Perimeter, with information to identify the individua
and date and time of entry.
Retain physical access logs of entry of individuals with authorized unescorted physical access into each
Physical Security Perimeter for at least ninety calendar days.
Restrict physical access to cabling and other nonprogrammable communication components used for
connection between applicable Cyber Assets within the same Electronic Security Perimeter in those
instances when such cabling and components are located outside of a Physical Security Perimeter.
Where physical access restrictions to such cabling and components are not implemented, the Responsible
Entity shall document and implement one or more of the following:
• encryption of data that transits such cabling and components; or
• monitoring the status of the communication link composed of such cabling and components and issuing
an alarm or alert in response to detected communication failures to the personnel identified in the BES
Cyber Security Incident response plan within 15 minutes of detection; or
• an equally effective logical protection.
Require continuous escorted access of visitors (individuals who are provided access but are not authorized
for unescorted physical access) within each Physical Security Perimeter, except during CIP Exceptional
Circumstances.
Require manual or automated logging of visitor entry into and exit from the Physical Security Perimeter tha
includes date and time of the initial entry and last exit, the visitor’s name, and the name of an individual
point of contact responsible for the visitor, except during CIP Exceptional Circumstances.
Retain visitor logs for at least ninety calendar days.
Maintenance and testing of each Physical Access Control System and locally mounted hardware or device
at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly
Protect against the use of unnecessary physical input/output ports used for network connectivity, console
commands, or Removable Media.
At least once every 35 calendar days, evaluate security patches for applicability that have been released
since the last evaluation from the source or sources identified in Part 2.1.
For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in
the plan, unless a revision to the plan or an extension to the timeframe specified in Part 2.3 is approved by
the CIP Senior Manager or delegate.
Where technically feasible, for password-only authentication for interactive user access, either technically o
procedurally enforce password changes or an obligation to change the password at least once every 15
calendar months.
Retain records related to Reportable Cyber Security Incidents and Cyber Security Incidents that attempted
to compromise a system identified in the “Applicable Systems” column for this Part as per the Cyber
Security Incident response plan(s) under Requirement R1.
No later than 60 calendar days after a change to the roles or responsibilities, Cyber Security Incident
response groups or individuals, or technology that the Responsible Entity determines would impact the
ability to execute the plan:
3.2.1. Update the Cyber Security Incident response plan(s); and
3.2.2. Notify each person or group with a defined role in the Cyber Security Incident response plan of the
updates.
Conditions for activation of the recovery plan(s).

Roles and responsibilities of responders.
One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber
Security Incident that triggers activation of the recovery plan(s). Data preservation should not impede or
restrict recovery.
No later than 90 calendar days after completion of a recovery plan test or actual recovery:
3.1.1. Document any lessons learned associated with a recovery plan test or actual recovery or document
the absence of any lessons learned;
3.1.2. Update the recovery plan based on any documented lessons learned associated with the plan; and
3.1.3. Notify each person or group with a defined role in the recovery plan of the updates to the recovery
plan based on any documented lessons learned.
No later than 60 calendar days after a change to the roles or responsibilities, responders, or technology tha
the Responsible Entity determines would impact the ability to execute the recovery plan:
3.2.1. Update the recovery plan; and
3.2.2. Notify each person or group with a defined role in the recovery plan of the updates.
Authorize and document changes that deviate from the existing baseline configuration.
For a change that deviates from the existing baseline configuration, update the baseline configuration as
necessary within 30 calendar days of completing the change.
For a change that deviates from the existing baseline configuration:

1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be
impacted by the change;
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not
adversely affected; and
1.4.3. Document the results of the verification.
Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test
environment or test the changes in a production environment where the test is performed in a manner that
minimizes adverse effects, that models the baseline configuration to ensure that required cyber security
controls in CIP-005 and CIP-007 are not adversely affected; and
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the
test environment and the production environment, including a description of the measures used to account
for any differences in operation between the test and production environments.
Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in
Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply
chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calenda
months.
Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its
Transmission stations and Transmission substations (existing and planned to be in service within 24
months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk
assessments shall consist of a transmission analysis or transmission analyses designed to identify the
Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could resu
in instability, uncontrolled separation, or Cascading within an Interconnection.
Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed unde
Requirement R1. The verification may occur concurrent with or after the risk assessment performed under
Requirement R1.
For a primary control center(s) identified by the Transmission Owner according to Requirement R1, Part 1.
that a) operationally controls an identified Transmission station or Transmission substation verified
according to Requirement R2, and b) is not under the operational control of the Transmission Owner: the
Transmission Owner shall, within seven calendar days following completion of Requirement R2, notify the
Transmission Operator that has operational control of the primary control center of such identification and
the date of completion of Requirement R2.
Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary
control center in Requirement R1 and verified according to Requirement R2, and each Transmission
Operator notified by a Transmission Owner according to Requirement R3, shall conduct an evaluation of
the potential threats and vulnerabilities of a physical attack to each of their respective Transmission
station(s), Transmission substation(s), and primary control center(s) identified in Requirement R1 and
verified according to Requirement R2. The evaluation shall consider the following:
Each Transmission Owner that identified a Transmission station, Transmission substation, or primary
Operator notified by a Transmission Owner according to Requirement R3, shall develop and implement a
documented physical security plan(s) that covers their respective Transmission station(s), Transmission
substation(s), and primary control center(s). The physical security plan(s) shall be developed within 120
calendar days following the completion of Requirement R2 and executed according to the timeline specifie
in the physical security plan(s). The physical security plan(s) shall include the following attributes:
Each Transmission Owner that identified a Transmission station, Transmission substation, or primary
Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffiliated third
party review the evaluation performed under Requirement R4 and the security plan(s) developed under
Requirement R5. The review may occur concurrently with or after completion of the evaluation performed
under Requirement R4 and the security plan development under Requirement R5.
The following is a complete list of the NERC-CIP Requirements used in this mapping, assembled from the following
CIP-002-5.1a Cyber Security — BES Cyber System Categorization
CIP-003-008 Cyber Security — Security Management Controls
CIP-004-6 Cyber Security - Personnel & Training
CIP-005-07 Cyber Security — Electronic Security Perimeter(s)
CIP-006-06 Cyber Security - Physical Security of BES Cyber Systems
CIP-007-6 Cyber Security - System Security Management
CIP-008-6 Cyber Security — Incident Reporting and Response Planning
CIP-009-6 Cyber Security - Recovery Plans for BES Cyber Systems
CIP-010-4 Cyber Security — Configuration Change Management and Vulnerability Assessments
CIP-011-2 Cyber Security - Information Protection
CIP-012-1 Cyber Security – Communications between Control Centers
CIP-013-2 Cyber Security - Supply Chain Risk Management
CIP-014-2 Physical Security
Requirement Number



















e NERC-CIP Requirements used in this mapping, assembled from the following documents:
S Cyber System Categorization
urity Management Controls
el & Training
onic Security Perimeter(s)
al Security of BES Cyber Systems
Security Management
nt Reporting and Response Planning
y Plans for BES Cyber Systems
uration Change Management and Vulnerability Assessments
ion Protection
nications between Control Centers
Chain Risk Management
Requirement Text
Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts
i.Control Centers and backup Control Centers; ii.Transmission stations and substations; iii.Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initia
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.
The Responsible Entity shall:
2.1 Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at le
Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once e
Requirement R1.
Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar mon
address the following topics:
Each Responsible Entity with at least one asset identified in CIP-002 containing low impact BES Cyber Systems sha
impact BES Cyber Systems that include the sections in Attachment 1.
Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar
The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are use
delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including
the date of the delegation; approved by the CIP Senior Manager; and updated within 30 days of any change to the d
change to the delegator.
Security awareness that, at least once each calendar quarter, reinforces cyber security practices (which may include
personnel who have authorized electronic or authorized unescorted physical access to BES Cyber Systems.

2.1.6. Identification of a Cyber Security Incident and initial notifications in accordance with the entity’s incident respo
2.1.9. Cyber security risks associated with a BES Cyber System’s electronic interconnectivity and interoperability wit
Removable Media.
Require completion of the training specified in Part 2.1 prior to granting authorized electronic access and authorized
CIP Exceptional Circumstances.
Require completion of the training specified in Part 2.1 at least once every 15 calendar months.
Process to confirm identity.
Process to perform a seven year criminal history records check as part of each personnel risk assessment that inclu
3.2.1. current residence, regardless of duration; and
3.2.2. other locations where, during the seven years immediately prior to the date of the criminal history records che
example of evidence may include, but is not limited to, documentation of the Responsible Entity’s process to perform
If it is not possible to perform a full seven year criminal history records check, conduct as much of the seven year cr
full seven year criminal history records check could not be performed.
Criteria or process to evaluate criminal history records checks for authorizing access.
Criteria or process for verifying that personnel risk assessments performed for contractors or service vendors are co
Process to ensure that individuals with authorized electronic or authorized unescorted physical access have had a p
within the last seven years.
Process to authorize based on need, as determined by the Responsible Entity, except for CIP Exceptional Circumst
4.1.3. Access to designated storage locations, whether physical or electronic, for BES Cyber System Information.
Verify at least once each calendar quarter that individuals with active electronic access or unescorted physical acces
For electronic access, verify at least once every 15 calendar months that all user accounts, user account groups, or
correct and are those that the Responsible Entity determines are necessary.
Verify at least once every 15 calendar months that access to the designated storage locations for BES Cyber System
that the Responsible Entity determines are necessary for performing assigned work functions.
A process to initiate removal of an individual’s ability for unescorted physical access and Interactive Remote Access
of the termination action (Removal of the ability for access may be different than deletion, disabling, revocation, or re
For reassignments or transfers, revoke the individual’s authorized electronic access to individual accounts and autho
determines are not necessary by the end of the next calendar day following the date that the Responsible Entity det
For termination actions, revoke the individual’s access to the designated storage locations for BES Cyber System In
according to Requirement R5.1), by the end of the next calendar day following the effective date of the termination a
For termination actions, revoke the individual’s non-shared user accounts (unless already revoked according to Part
termination action.
For termination actions, change passwords for shared account(s) known to the user within 30 calendar days of the t
for shared account(s) known to the user within 30 calendar days following the date that the Responsible Entity deter
If the Responsible Entity determines and documents that extenuating operating circumstances require a longer time
end of the operating circumstances.
All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP.
Require inbound and outbound access permissions, including the reason for granting access, and deny all other acc
Where technically feasible, perform authentication when establishing Dial- up Connectivity with applicable Cyber Ass
Have one or more methods for detecting known or suspected malicious communications for both inbound and outbo
For all Interactive Remote Access, utilize an Intermediate System such that the Cyber Asset initiating Interactive Re
For all Interactive Remote Access sessions, utilize encryption that terminates at an Intermediate System.
Have one or more methods for determining active vendor remote access sessions (including Interactive Remote Acc
Have one or more method(s) to disable active vendor remote access (including Interactive Remote Access and syst
Have one or more method(s) to determine authenticated vendor- initiated remote connections.
Have one or more method(s) to terminate authenticated vendor- initiated remote connections and control the ability
Define operational or procedural controls to restrict physical access.
Utilize at least one physical access control to allow unescorted physical access into each applicable Physical Securi
physical access.
Where technically feasible, utilize two or more different physical access controls (this does not require two complete
unescorted physical access into Physical Security Perimeters to only those individuals who have authorized unesco
Monitor for unauthorized access through a physical access point into a Physical Security Perimeter.
Issue an alarm or alert in response to detected unauthorized access through a physical access point into a Physical
Security Incident response plan within 15 minutes of detection.
Monitor each Physical Access Control System for unauthorized physical access to a Physical Access Control System
Issue an alarm or alert in response to detected unauthorized physical access to a Physical Access Control System t
plan within 15 minutes of the detection.
Log (through automated means or by personnel who control entry) entry of each individual with authorized unescort
information to identify the individual and date and time of entry.
Retain physical access logs of entry of individuals with authorized unescorted physical access into each Physical Se
Restrict physical access to cabling and other nonprogrammable communication components used for connection be
Perimeter in those instances when such cabling and components are located outside of a Physical Security Perimet
Where physical access restrictions to such cabling and components are not implemented, the Responsible Entity sh
• encryption of data that transits such cabling and components; or
• monitoring the status of the communication link composed of such cabling and components and issuing an alarm o
identified in the BES Cyber Security Incident response plan within 15 minutes of detection; or
• an equally effective logical protection.
Require continuous escorted access of visitors (individuals who are provided access but are not authorized for unes
except during CIP Exceptional Circumstances.
Require manual or automated logging of visitor entry into and exit from the Physical Security Perimeter that includes
the name of an individual point of contact responsible for the visitor, except during CIP Exceptional Circumstances.
Retain visitor logs for at least ninety calendar days.
Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the P
ensure they function properly.
Where technically feasible, enable only logical network accessible ports that have been determined to be needed by
needed to handle dynamic ports. If a device has no provision for disabling or restricting logical ports on the device th
Protect against the use of unnecessary physical input/output ports used for network connectivity, console command
A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Ass
sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that
At least once every 35 calendar days, evaluate security patches for applicability that have been released since the la
For applicable patches identified in Part 2.2, within 35 calendar days of the evaluation completion, take one of the fo
• Apply the applicable patches; or
• Create a dated mitigation plan; or
• Revise an existing mitigation plan.
Mitigation plans shall include the
Responsible Entity’s planned actions to mitigate the vulnerabilities addressed by each security patch and a timefram
For each mitigation plan created or revised in Part 2.3, implement the plan within the timeframe specified in the plan
specified in Part 2.3 is approved by the CIP Senior Manager or delegate.
Mitigate the threat of detected malicious code.
For those methods identified in Part 3.1 that use signatures or patterns, have a process for the update of the signatu
signatures or patterns.
Log events at the BES Cyber System level (per BES Cyber System capability) or at the Cyber Asset level (per Cybe
of, Cyber Security Incidents that includes, as a minimum, each of the following types of events:
Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a
BES Cyber System capability):
4.2.1. Detected malicious code from Part 4.1; and
4.2.2. Detected failure of Part 4.1 event logging.
Where
Reviewtechnically feasible,
a summarization or retain applicable
sampling event
of logged logsas
events identified in Part
determined by 4.1
the for at least theEntity
Responsible last 90 consecutive
at intervals calen
no great
Incidents.
Have a method(s) to enforce authentication of interactive user access, where technically feasible.
Identify and inventory all known enabled default or other generic account types, either by system, by groups of syste
Identify individuals who have authorized access to shared accounts.
Change known default passwords, per Cyber Asset capability
For password-only authentication for interactive user access, either technically or procedurally enforce the following
5.5.1. Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cybe
5.5.2. Minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase
maximum complexity supported by the Cyber Asset.
Where technically feasible, for password-only authentication for interactive user access, either technically or procedu
password at least once every 15 calendar months.
Where technically feasible, either:
• Limit the number of unsuccessful authentication attempts; or
• Generate alerts after a threshold of unsuccessful authentication attempts.
One or more processes to identify, classify, and respond to Cyber Security Incidents.
One or more processes:

1.2.1 That include criteria to evaluate and define attempts to compromise;
1.2.2 To determine if an identified Cyber Security Incident is:
• A Reportable Cyber Security Incident; or
• An attempt to compromise, as determined by applying the criteria from Part 1.2.1, one or more systems identified i
1.2.3 To provide notification per Requirement R4.
Incident handling procedures for Cyber Security Incidents.
Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:
• By responding to an actual Reportable Cyber Security Incident;
• With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
• With an operational exercise of a Reportable Cyber Security Incident.
Use the Cyber Security Incident response plan(s) under Requirement R1 when responding to a Reportable Cyber S
to compromise a system identified in the “Applicable Systems” column for this Part, or performing an exercise of a R
plan(s) taken during the response to the incident or exercise.
Retain records related to Reportable Cyber Security Incidents and Cyber Security Incidents that attempted to compr
Part as per the Cyber Security Incident response plan(s) under Requirement R1.
No later than 90 calendar days after completion of a Cyber Security Incident response plan(s) test or actual Reporta
3.1.1. Document any lessons learned or document the absence of any lessons learned;
3.1.2. Update the Cyber Security Incident response plan based on any documented lessons learned associated with
3.1.3. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates to
lessons learned.
No later than 60 calendar days after a change to the roles or responsibilities, Cyber Security Incident response grou
would impact the ability to execute the plan:
3.2.1. Update the Cyber Security Incident response plan(s); and
3.2.2. Notify each person or group with a defined role in the Cyber Security Incident response plan of the updates.
Each Responsible Entity shall notify the Electricity Information Sharing and Analysis Center (E-ISAC) and, if subject
jurisdiction of the United States, the United States National Cybersecurity and Communications Integration Center
(NCCIC),1 or their successors, of a Reportable Cyber Security Incident and a Cyber Security Incident that was an a
compromise, as determined by applying the criteria from Requirement R1, Part 1.2.1, a system identified in the “App
Systems” column, unless prohibited by law, in accordance with each of the applicable requirement parts in CIP-008-
R4 – Notifications and Reporting for Cyber Security Incidents.
Conditions for activation of the recovery plan(s).
Roles and responsibilities of responders.
One or more processes for the backup and storage of information required to recover BES Cyber System functional
One or more processes to verify the successful completion of the backup processes in Part 1.3 and to address any
One or more processes to preserve data, per Cyber Asset capability, for determining the cause of a Cyber Security
preservation should not impede or restrict recovery.
Test each of the recovery plans referenced in Requirement R1 at least once every 15 calendar months:
• By recovering from an actual incident;
• With a paper drill or tabletop exercise; or
• With an operational exercise.
Test a representative sample of information used to recover BES Cyber System functionality at least once every 15
compatible with current configurations.
An actual recovery that incorporates the information used to recover BES Cyber System functionality substitutes for
Test each of the recovery plans referenced in Requirement R1 at least once every 36 calendar months through an o
representative of the production environment.
An actual recovery response may substitute for an operational exercise.
No later than 90 calendar days after completion of a recovery plan test or actual recovery:
3.1.1. Document any lessons learned associated with a recovery plan test or actual recovery or document the absen
3.1.2. Update the recovery plan based on any documented lessons learned associated with the plan; and
3.1.3. Notify each person or group with a defined role in the recovery plan of the updates to the recovery plan based
No later than 60 calendar days after a change to the roles or responsibilities, responders, or technology that the Res
recovery plan:
3.2.1. Update the recovery plan; and
3.2.2. Notify each person or group with a defined role in the recovery plan of the updates.
1.1.2. Any commercially available or open-source application software (including version) intentionally installed;
Authorize and document changes that deviate from the existing baseline configuration.
For a change that deviates from the existing baseline configuration, update the baseline configuration as necessary
For a change that deviates from the existing baseline configuration:

1.4.1. Prior to the change, determine required cyber security controls in CIP-005 and CIP-007 that could be impacte
1.4.2. Following the change, verify that required cyber security controls determined in 1.4.1 are not adversely affecte
1.4.3. Document the results of the verification.
Where technically feasible, for each change that deviates from the existing baseline configuration:
1.5.1. Prior to implementing any change in the production environment, test the changes in a test environment or tes
in a manner that minimizes adverse effects, that models the baseline configuration to ensure that required cyber sec
1.5.2. Document the results of the testing and, if a test environment was used, the differences between the test envi
measures used to account for any differences in operation between the test and production environments.
Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1
Responsible Entity from the software source:
1.6.1. Verify the identity of the software source; and
1.6.2. Verify the integrity of the software obtained from the software source.
Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requiremen
changes.
At least once every 15 calendar months, conduct a paper or active vulnerability assessment.
3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessmen
that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production env
3.2.2 Document the results of the testing and, if a test environment was used, the differences between the test envir
measures used to account for any differences in operation between the test and production environments.
Prior to adding a new applicable Cyber Asset to a production environment, perform an active vulnerability assessme
and like replacements of the same type of Cyber Asset with a baseline configuration that models an existing baselin
Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to reme
the planned date of completing the action plan and the execution status of any remediation or mitigation action items
Each Responsible Entity, for its high impact and medium impact BES Cyber Systems and associated Protected Cyb
Circumstances, one or more documented plan(s) for Transient Cyber Assets and Removable Media that include the
Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use
Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information (except for reu
the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from
Prior to the disposal of applicable Cyber Assets that contain BES Cyber System Information, the Responsible Entity
System Information from the Cyber Asset or destroy the data storage media.
The Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more documented pla
unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between
to include oral communications in its plan. The plan shall include:
1.1. Identification of security protection used to mitigate the risks posed by unauthorized disclosure and unauthorize
while being transmitted between Control Centers;
1.2. Identification of where the Responsible Entity applied security protection for transmitting Real-time Assessment
1.3. If the Control Centers are owned or operated by different Responsible Entities, identification of the responsibiliti
transmission of Real-time Assessment and Real-time monitoring data between those Control Centers.
Each Responsible Entity shall develop one or more documented supply chain cyber security risk management plan(
associated Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS
1.1. One or more process(es) used in planning for the procurement of BES Cyber Systems and their associated EAC
Electric System from vendor products or services resulting from: (i) procuring and installing vendor equipment and s
(ii) transitions from one vendor(s) to another vendor(s).
1.2. One or more process(es) used in procuring BES Cyber Systems, and their associated EACMS and PACS, that
1.2.1. Notification by the vendor of vendor-identified incidents related to the products or services provided to the Res
1.2.2. Coordination of responses to vendor-identified incidents related to the products or services provided to the Re
1.2.3. Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
1.2.4. Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible
1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in
1.2.6. Coordination of controls for vendor-initiated remote access.
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requi
Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber
once every 15 calendar months.
Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmis
in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent
transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if render
separation, or Cascading within an Interconnection.
Each Transmission Owner shall have an unaffiliated third party verify the risk assessment performed under Requirem
assessment performed under Requirement R1.
For a primary control center(s) identified by the Transmission Owner according to Requirement R1, Part 1.2 that a) o
Transmission substation verified according to Requirement R2, and b) is not under the operational control of the Tra
calendar days following completion of Requirement R2, notify the Transmission Operator that has operational contro
completion of Requirement R2.
Each Transmission Owner that identified a Transmission station, Transmission substation, or a primary control cente
each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall conduct an evalu
each of their respective Transmission station(s), Transmission substation(s), and primary control center(s) identified
evaluation shall consider the following:
Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center
each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall develop and imp
respective Transmission station(s), Transmission substation(s), and primary control center(s). The physical security
completion of Requirement R2 and executed according to the timeline specified in the physical security plan(s). The
Each Transmission Owner that identified a Transmission station, Transmission substation, or primary control center
each Transmission Operator notified by a Transmission Owner according to Requirement R3, shall have an unaffilia
and the security plan(s) developed under Requirement R5. The review may occur concurrently with or after complet
plan development under Requirement R5.

CIS Controls v8 Mapping To NERC CIP 2 2023

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS Controls v8 Mapping To NERC CIP 2 2023

Uploaded by

Copyright:

Available Formats

This document contains mappings of the CIS Critical Securit Controls (CIS Controls) and CIS Safeguards to

Corporation-Critical Infrastructure Protection Standards (NERC-CIP Standards)

CIS Control 6.1 - Establish an Access Granting Process

- This Version of the CIS Controls

1 1.1 Devices Identify

1 1.2 Devices Respond

1 1.3 Devices Detect

1 1.4 Devices Identify

1 1.5 Devices Detect

2 2.1 Applications Identify

2 2.3 Applications Respond

2 2.4 Applications Detect

2 2.5 Applications Protect

2 2.6 Applications Protect

2 2.7 Applications Protect

3 3.1 Data Identify

3 3.2 Data Identify

3 3.3 Data Protect

3 3.4 Data Protect

3 3.5 Data Protect

3 3.5 Data Protect

3 3.6 Devices Protect

3 3.7 Data Identify

3 3.8 Data Identify

3 3.9 Data Protect

3 3.10 Data Protect

3 3.11 Data Protect

3 3.12 Network Protect

3 3.13 Data Protect

3 3.14 Data Detect

4 4.1 Applications Protect

4 4.2 Network Protect

4 4.3 Users Protect

4 4.4 Devices Protect

4 4.5 Devices Protect

4 4.5 Devices Protect

4 4.5 Devices Protect

4 4.6 Network Protect

4 4.7 Users Protect

4 4.7 Users Protect

4 4.8 Devices Protect

4 4.9 Devices Protect

4 4.10 Devices Respond

4 4.11 Devices Protect

4 4.12 Devices Protect

5 5.2 Users Protect

5 5.3 Users Respond

5 5.4 Users Protect

5 5.5 Users Identify

5 5.6 Users Protect

6 6.1 Users Protect

6 6.2 Users Protect

6 6.2 Users Protect

6 6.2 Users Protect

6 6.3 Users Protect

6 6.4 Users Protect

6 6.5 Users Protect

6 6.6 Users Identify

6 6.7 Users Protect

6 6.8 Data Protect

6 6.8 Data Protect

6 6.8 Data Protect

7 7.1 Applications Protect