SUBNET Solutions Inc - Making Substations More Intelligent
Call: 1.403.270.8885
NERC CIP Solutions
CCE Brochure Download
Continuous Current Evolution (CCE)
White Paper Download
Manage Utility IEDs Remotely...
SUBNET Newsletter
The latest in smart grid technology

CIP-003 Security Management Controls: NERC CIP Standard

Combining professional services with field proven software products, SUBNET helps electrical utilities comply with NERC CIP-003 Security Management Controls standard. For example, SUBNET’s PowerSYSTEM Center application securely stores information relating to cyber security assets. Depending on permissions, only administrators and qualified users can access this information. This is just one of many features of PowerSYSTEM Center – learn more.
Standard CIP-003 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009. Responsible Entities should interpret and apply Standards CIP-002 through CIP-009 using reasonable business judgment.


Cyber Security Policy — The Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

The cyber security policy addresses the requirements in Standards CIP-002 through CIP-009, including provision for emergency situations.

The cyber security policy is readily available to all personnel who have access to, or are responsible for, Critical Cyber Assets.

Annual review and approval of the cyber security policy by the senior manager assigned pursuant to R2.

Leadership — The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, Standards CIP-002 through CIP-009.

The senior manager shall be identified by name, title, business phone, business address, and date of designation.

Changes to the senior manager must be documented within thirty calendar days of the effective date.

The senior manager or delegate(s), shall authorize and document any exception from the requirements of the cyber security policy.

Exceptions — Instances where the Responsible Entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s).

Exceptions to the Responsible Entity’s cyber security policy must be documented within thirty days of being approved by the senior manager or delegate(s).

Documented exceptions to the cyber security policy must include an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk.

Authorized exceptions to the cyber security policy must be reviewed and approved annually by the senior manager or delegate(s) to ensure the exceptions are still required and valid. Such review and approval shall be documented.

Information Protection — The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.

The Critical Cyber Asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in Standard CIP-002, network topology or similar diagrams, floor plans of computing centers that contain Critical Cyber Assets, equipment layouts of Critical Cyber Assets, disaster recovery plans, incident response plans, and security configuration information.

The Responsible Entity shall classify information to be protected under this program based on the sensitivity of the Critical Cyber Asset information.

The Responsible Entity shall, at least annually, assess adherence to its Critical Cyber Asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

Access Control — The Responsible Entity shall document and implement a program formanaging access to protected Critical Cyber Asset information.

The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.

Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access.

The list of personnel responsible for authorizing access to protected information shall be verified at least annually.

Visit the NERC website for more details regarding Critical Infrastructure Protection Standards.

Learn more about how SUBNET can help you meet NERC CIP standards with PowerSYSTEM Center.

Visit the following links to learn more about NERC CIP standards and how SUBNET can help you to comply.

Home > Skip Navigation LinksSolutions > NERC CIP > CIP-003 Security Management Controls
© 2020 SUBNET Solutions Inc. Terms of Use   Privacy Policy   Contact Us  Resources