Correct & 100% Verified Answers | Latest Update | Already Graded A+
CIP-002-5.1 ✔Correct Answer-BES Cyber System Categorization
CIP-002 R1 ✔Correct Answer-Each Responsible Entity shall implement a process that considers
each of the following assets for purposes of parts 1.1 through 1.3: Control Centers and backup
Control Centers, Transmission stations and substations, Generation resources, Systems and facilities
critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching
requirements, Special Protection Systems that support the reliable operation of the Bulk Electric
System; and For Distribution Providers
CIP-002 R1.1 ✔Correct Answer-Identify each of the high impact BES Cyber Systems according to
Attachment 1, Section 1, if any, at each asset;
CIP-002 R1.2 ✔Correct Answer-Identify each of the medium impact BES Cyber Systems according
to Attachment 1, Section 2, if any, at each asset;
CIP-002 R1.3 ✔Correct Answer-Identify each asset that contains a low impact BES Cyber System
according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not
required).
CIP-002 R2.1 ✔Correct Answer-Review the identifications in Requirement R1 and its parts (and
update them if there are changes identified) at least once every 15 calendar months, even if it has no
identified items in Requirement R1.
CIP-002 R2.2 ✔Correct Answer-Have its CIP Senior Manager or delegate approve the identifications
required by Requirement R1 at least once every 15 calendar months, even if it has no identified
items in Requirement R1.
CIP-003-7 ✔Correct Answer-Security Management Controls
CIP-003 R1 ✔Correct Answer-Each Responsible Entity shall review and obtain CIP Senior Manager
approval at least once every 15 calendar months for one or more documented cyber security policies
that collectively address the following topics:
CIP-003 R2 ✔Correct Answer-Each Responsible Entity with at least one asset identified in CIP-002
containing low impact BES Cyber Systems shall implement one or more documented cyber security
plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.
CIP-003 R3 ✔Correct Answer-Each Responsible Entity shall identify a CIP Senior Manager by name
and document any change within 30 calendar days of the change.
CIP-003 R4 ✔Correct Answer-The Responsible Entity shall implement a documented process to
delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP
Senior Manager may delegate authority for specific actions to a delegate or delegates. These
delegations shall be documented, including the name or title of the delegate, the specific actions
delegated, and the date of the delegation; approved by the CIP Senior Manager; and updated within
30 days of any change to the delegation. Delegation changes do not need to be reinstated with a
change to the delegator.
CIP-003 Attachment 1 Section 2 ✔Correct Answer-Lows Physical Security Controls: Each
Responsible Entity shall control physical access, based on need as determined by the Responsible
Entity, to (1) the asset or the locations of the low impact BES Cyber Systems within the asset, and (2)
the Cyber Asset(s), as specified by the Responsible Entity, that provide electronic access control(s)
implemented for Section 3.1, if any.
CIP-003 Attachment 1 Section 3 ✔Correct Answer-Lows Electronic Access Controls: For each asset
containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity
shall implement electronic access controls to:
3.1 Permit only necessary inbound and outbound electronic access as determined by the
Responsible Entity for any communications that are:
between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low
impact BES Cyber System(s); using a routable protocol when entering or leaving the asset containing
the low impact BES Cyber System(s); and
not used for time-sensitive protection or control functions between intelligent electronic devices
(e.g., communications using protocol IEC TR 61850-90-5 R-GOOSE).
3.2 Authenticate all Dial-up Connectivity, if any, that provides access to low impact BES Cyber
System(s), per Cyber Asset capability.
CIP-003 Attachment 1 Section 1 ✔Correct Answer-Lows Cyber Security Awareness: Each
Responsible Entity shall reinforce, at least once every 15 calendar months, cyber security practices
(which may include associated physical security practices).
CIP-003 Attachment 1 Section 4 ✔Correct Answer-Lows Cyber Security Incident Response: Each
Responsible Entity shall have one or more Cyber Security Incident response plan(s), either by asset or
group of assets, which shall include:
4.1 Identification, classification, and response to Cyber Security Incidents;
4.2 Determination of whether an identified Cyber Security Incident is a Reportable Cyber Security
Incident and subsequent notification to the Electricity Sector Information Sharing and Analysis
Center (ES-ISAC), unless prohibited by law;
4.3 Identification of the roles and responsibilities for Cyber Security Incident response by groups or
individuals;
4.4 Incident handling for Cyber Security Incidents;
4.5 Testing the Cyber Security Incident response plan(s) at least once every 36 calendar months by:
(1) responding to an actual Reportable Cyber Security Incident; (2) using a drill or tabletop exercise of
a Reportable Cyber Security Incident; or (3) using an operational exercise of a Reportable Cyber
Security Incident; and
4.6 Updating the Cyber Security Incident response plan(s), if needed, within 180 calendar days after
completion of a Cyber Security Incident response plan(s) test or actual Reportable Cyber Security
Incident.
CIP-003 Attachment 1 Section 5 ✔Correct Answer-Lows Transient Cyber Asset and Removable
Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement, except under CIP
Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the
introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber
Assets or Removable Media. The plan(s) shall include:
5.1 For Transient Cyber Asset(s) managed by the Responsible Entity, if any, the use of one or a
combination of the following in an ongoing or on-demand manner (per Transient Cyber Asset
capability):
• Antivirus software, including manual or managed updates of signatures or patterns;
• Application whitelisting; or
• Other method(s) to mitigate the introduction of malicious code.
5.2 For Transient Cyber Asset(s) managed by a party other than the Responsible Entity, if any, the use
of one or a combination of the following prior to connecting the Transient Cyber Asset to a low
impact BES Cyber System (per Transient Cyber Asset capability):
• Review of antivirus update level;
• Review of antivirus update process used by the party;
• Review of application whitelisting used by the party;
• Review use of live operating system and software executable only from read-only media;
• Review of system hardening used by the party; or
• Other method(s) to mitigate the introduction of malicious code.
5.3 For Removable Media, the use of each of the following:
5.3.1 Method(s) to detect malicious code on Removable Media using a Cyber Asset other than a BES
Cyber System; and
5.3.2 Mitigation of the threat of detected malicious code on the Removable Media prior to
connecting Removable Media to a low impact BES Cyber System.
CIP-004-6 ✔Correct Answer-Personnel and Training
CIP-004 R2.2 ✔Correct Answer-Require completion of the training specified in Part 2.1 prior to
granting authorized electronic access and authorized unescorted physical access to applicable Cyber
Assets, except during CIP Exceptional Circumstances.
CIP-004 R2.3 ✔Correct Answer-Require completion of the training specified in Part 2.1 at least
once every 15 calendar months.
CIP-004 R1 ✔Correct Answer-Security Awareness Program: Each Responsible Entity shall
implement one or more documented processes that collectively include each of the applicable
requirement parts in CIP-004-6 Table R1 - Security Awareness Program.
CIP-004 R2 ✔Correct Answer-Cyber Security Training Program:
Each Responsible Entity shall implement one or more cyber security training program(s) appropriate
to individual roles, functions, or responsibilities that collectively includes each of the applicable
requirement parts in CIP-004-6 Table R2 - Cyber Security Training Program.
CIP-004 R3 ✔Correct Answer-Personnel Risk Assessment Program: Each Responsible Entity shall
implement one or more documented personnel risk assessment program(s) to attain and retain
authorized electronic or authorized unescorted physical access to BES Cyber Systems that collectively
include each of the applicable requirement parts in CIP-004-6 Table R3 - Personnel Risk Assessment
Program.
CIP-004 R4 ✔Correct Answer-Access Management Program: Each Responsible Entity shall
implement one or more documented access management program(s) that collectively include each
of the applicable requirement parts in CIP-004-6 Table R4 - Access Management Program.