The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard (CIP-013-1) establishes new cybersecurity requirements for electric power and utility companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). Enforceable starting on July 1, 2020, responsible entities have 18 months to comply in order to avoid penalties. NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation.
Third-party risk management plays a pivotal role in ensuring supply chain security through the regular assessment of supply chain partners’ internal security controls and the ongoing monitoring of vendor risks in real time. Taken together, this inside-out, outside-in view provides more complete visibility in supply chain risks.
This blog reviews the requirements in CIP-013-1 and maps capabilities available in the Prevalent Third-Party Risk Management platform to these requirements.
This blog focuses on the core requirements for CIP-013-1 compliance, specifically in the areas of cybersecurity notifications; asset, change and configuration management; and governance. Each of these areas is easily assessed using capabilities available in the Prevalent platform.
At a minimum, entities assess whether their vendor(s) can meet basic security criteria:
1.2.1 Notification/Recognition of Cyber Security Incidents
Vendors need to be able to identify when an incident occurred to ensure that the vendor can notify the entity in the case of such an incident. Prevalent enables responsible entities to regularly assess their vendors’ incident response plans, requiring upload of plans to the platform for validation. With this level of review, entities have visibility into how a supply chain partner would respond to a breach or cyber incident. Monitoring and scoring tools along cannot provide this level of internal controls or process visibility, however these tools can complement assessments to trigger on public disclosure of an incident.
1.2.2 Coordination of Responses to Cyber Security Incidents
Vendors should coordinate with the entity their responses to incidents related to the products or services provided to the entity that pose cyber security risk to the entity. Prevalent provides a central platform for the review of evidence supporting incident response and communications plans, with the flexibility to build custom workflow, tasks and escalation paths to enable rapid response.
1.2.3 Notification when Remote or Onsite Access is No Longer Needed or Should No Longer be Available to Vendor Representatives
Vendors should respond accordingly to personnel changes. A vendor should be able to tell the entity when a personnel change occurs that could impact whether or not remote access should still be available to vendor representatives. The Prevalent platform includes a custom survey creation wizard that enables organizations to create and issue a customizable survey for off-boarding asking specific questions of the vendor and internal team regarding system access, data destruction, and final payments, with built-in workflows to ensure that the separation process is seamless.
1.2.4 Vulnerability Identification Vendors are to notify an entity when a vulnerability related to a product or service is identified
In order to meet this obligation, a vendor needs to know when a vulnerability exists in their environment. The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. Built-in continuous monitoring capabilities complement assessments by performing external vulnerability scanning for web facing service interfaces, with results integrated into a single risk register.
1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System
The Prevalent platform includes more than 50 built-in industry standard questionnaires (such as those for CIP, NIST, ISO and others), many of which ask specific questions around patching cadence and software integrity checks for internal systems. Answers to these questions are escalated into risks if proper patching thresholds are not met, informing responsible entities of potential risks.
1.2.6 Coordination of Controls for Vendor-Initiated Interactive Remote Access and System-to-System Remote Access with a Vendor
Vendors must coordinate with entities to control vendor-initiated interactive remote access and ensure system-to-system remote access with a vendor is appropriately managed. The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence.
As an entity performs a risk assessment and considers risk exposure of products or services to be procured in its environment, additional cyber security controls may be necessary to protect the entity’s operating environment. An entity may consider obtaining and evaluating additional information regarding the vendor’s capabilities with respect to the following security areas.
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.
As an entity performs a risk assessment and considers risk exposure of products or services to be procured in its environment, additional cyber security controls may be necessary to protect the entity’s operating environment. An entity may consider obtaining and evaluating additional information regarding the vendor’s capabilities with respect to the following security areas.
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.
The Prevalent Third-Party Risk Management (TPRM) Platform helps with NERC CIP compliance by enabling electric utilities to centralize the assessment of their supply chain partners’ internal controls, providing a repository of supporting evidence and documentation that can be used to audit and validate the presence of the proper supply chain security measure. With built-in continuous cyber security and business monitoring that can inform the issuing of secondary assessments based on triggered criteria, the Prevalent platform provides a more complete solution for supply chain risk management than what is offered by scoring-only tools.
As well, the Prevalent assessment platform supports questionnaires, risk registers and reporting against multiple industry standard frameworks, including the NIST CSF, PCI DSS 3.2, HIPAA, and SOC 2, using the Prevalent Compliance Framework. Organizations need only ask a single set of questions and then map the results back to any number of these regulations, which simplifies and accelerates compliance reporting.
For more on how Prevalent can help address the compliance requirements of multiple regulations, download our white paper: The Third-Party Risk Management Compliance Handbook.
Leverage these best practices to address NIS2 third-party risk management requirements.
12/03/2024
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024