Cyber Security Supply Chain Risk Management Plans

Transcription

1 ERO Enterprise-Endrsed Implementatin Guidance. Endrsement fr this implementatin guidance is based n the language f draft 2 f the CIP Reliability Standard dated April Any changes t the standard prir t the final ballt will require a reevaluatin f the implementatin guidance fr cntinued endrsement. Cyber Security Supply Chain Risk Management Plans Implementatin Guidance fr CIP NERC Reprt Title Reprt Date I

2 Table f Cntents Intrductin... iii Requirement R1...1 General Cnsideratins fr R1...1 Implementatin Guidance fr R1...2 Requirement R2...8 General Cnsideratins fr R2...8 Requirement R3...9 General Cnsideratins fr R3...9 Implementatin Guidance fr R3...9 References ii

3 Intrductin On July 21, 2016, the Federal Energy Regulatry Cmmissin (FERC) issued Order N. 829 directing the Nrth American Electric Reliability Crpratin (NERC) t develp a new r mdified Reliability Standard that addresses cyber security supply chain risk management fr industrial cntrl system hardware, sftware, and cmputing and netwrking services assciated with Bulk Electric System (BES) peratins as fllws: [The Cmmissin directs] NERC t develp a frward-lking, bjective-based Reliability Standard t require each affected entity t develp and implement a plan that includes security cntrls fr supply chain management fr industrial cntrl system hardware, sftware, and services assciated with bulk electric system peratins. The new r mdified Reliability Standard shuld address the fllwing security bjectives, [discussed in detail in the Order]: (1) sftware integrity and authenticity; (2) vendr remte access; (3) infrmatin system planning; and (4) vendr risk management and prcurement cntrls. Reliability Standard CIP Cyber Security Supply Chain Risk Management addresses the relevant cyber security supply chain risks in the planning, acquisitin, and deplyment phases f the system life cycle fr high and medium impact BES Cyber Systems 1. This implementatin guidance prvides cnsideratins fr implementing the requirements in CIP and examples f appraches that respnsible entities culd use t meet the requirements. The examples d nt cnstitute the nly apprach t cmplying with CIP Respnsible Entities may chse alternative appraches that better fit their situatin. 1 Respnsible Entities identify high and medium impact BES Cyber Systems accrding t the identificatin and categrizatin prcess required by CIP-002-5, r subsequent versin f that standard. iii

4 Requirement R1 R1. Each Respnsible Entity shall develp ne r mre dcumented supply chain cyber security risk management plan(s) fr high and medium impact BES Cyber Systems. The plan(s) shall include: 1.1. One r mre prcess(es) used in planning fr the prcurement f BES Cyber Systems t identify and assess cyber security risk(s) t the Bulk Electric System frm vendr prducts r services resulting frm: (i) prcuring and installing vendr equipment and sftware; and (ii) transitins frm ne vendr(s) t anther vendr(s) One r mre prcess(es) used in prcuring BES Cyber Systems that address the fllwing, as applicable: Ntificatin by the vendr f vendr-identified incidents related t the prducts r services prvided t the Respnsible Entity that pse cyber security risk t the Respnsible Entity; Crdinatin f respnses t vendr-identified incidents related t the prducts r services prvided t the Respnsible Entity that pse cyber security risk t the Respnsible Entity; Ntificatin by vendrs when remte r nsite access shuld n lnger be granted t vendr representatives; Disclsure by vendrs f knwn vulnerabilities; Verificatin f sftware integrity and authenticity f all sftware and patches prvided by the vendr fr use in the BES Cyber System; and Crdinatin f cntrls fr (i) vendr-initiated Interactive Remte Access, and (ii) system-t-system remte access with a vendr(s). General Cnsideratins fr R1 The fllwing are sme general cnsideratins fr Respnsible Entities as they implement Requirement R1: First, in develping their supply chain cyber security risk management plan(s), Respnsible entities shuld cnsider hw t leverage the varius cmpnents and phases f their prcesses (e.g. defined requirements, request fr prpsal, bid evaluatin, external vendr assessment tls and data, third party certificatins and audit reprts, etc.) t help them meet the bjective f Requirement R1 and give them flexibility t negtiate cntracts with vendrs t efficiently mitigate risks. Fcusing slely n the negtiatin f specific cntract terms culd have unintended cnsequences, including significant and unexpected cst increases fr the prduct r service r vendrs refusing t enter int cntracts. Additinally, a Respnsible Entity may nt have the ability t btain each f its desired cyber security cntrls in its cntract with each f its vendrs. Factrs such as cmpetitin, limited supply surces, expense, criticality f the prduct r service, and maturity f the vendr r prduct line culd affect the terms and cnditins ultimately negtiated by the parties and included in a cntract. This variatin in cntract terms is anticipated and, in turn, the nte in Requirement R2 prvides that the actual terms and cnditins f the cntract are utside the scpe f Reliability Standard CIP Nte: Implementatin f the plan des nt require the Respnsible Entity t renegtiate r abrgate existing cntracts (including amendments t master agreements and purchase rders). Additinally, the 1

5 Requirement R1 fllwing issues are beynd the scpe f Requirement R2: (1) the actual terms and cnditins f a prcurement cntract; and (2) vendr perfrmance and adherence t a cntract. The fcus f Requirement R1 is n the steps the Respnsibility Entity takes t cnsider cyber security risks frm vendr prducts r services during BES Cyber System planning and prcurement. In the event the vendr is unwilling t engage in the negtiatin prcess fr cyber security cntrls, the Respnsible Entity culd explre ther surces f supply r mitigating cntrls t reduce the risk t the BES cyber systems, as the Respnsible Entity s circumstances allw. In develping and implementing its supply chain cyber security risk management plan, a Respnsible Entity may cnsider identifying and priritizing security cntrls based n the cyber security risks presented by the vendr and the criticality f the prduct r service t reliable peratins. Fr instance, Respnsible Entities may establish a baseline set f cntrls fr given prducts r services that a vendr must meet prir t transacting with that vendr fr thse prducts and services (i.e., must-have cntrls ). As risks differ between prducts and services, the baseline security cntrls r must haves may differ fr the varius prducts and services the Respnsible Entities prcures fr its BES Cyber Systems. This risk-based apprach culd help create efficiencies in the Respnsible Entity s prcurement prcesses while meeting the security bjectives f Requirement R1. The bjective f addressing the verificatin f sftware integrity and authenticity during the prcurement phase f BES Cyber System(s) (Part 1.2.5) is t identify the capability f the vendr(s) t ensure that the sftware installed n BES Cyber System(s) is trustwrthy. Part is nt an peratinal requirement fr Respnsible Entities t perfrm the verificatin; instead, Part is aimed at identifying during the prcurement phase the vendr s capability t prvide sftware integrity and authenticity assurance and establish vendr perfrmance based n the vendr s capability in rder t implement CIP-010-3, Requirement R1, Part 1.6. Implementatin Guidance fr R1 Respnsible entities use varius prcesses as they plan t prcure BES Cyber Systems. Belw are sme examples f appraches t cmply with this requirement: R1. Each Respnsible Entity shall develp ne r mre dcumented supply chain cyber security risk management plan(s) fr high and medium impact BES Cyber Systems. The plan(s) shall include: The Respnsible Entity culd establish ne r mre dcuments explaining the prcess by which the Respnsible Entity will address supply chain cyber security risk management fr high and medium impact BES Cyber Systems. T achieve the flexibility needed fr supply chain cyber security risk management, Respnsible Entities can use a risk-based apprach. One element f, r apprach t, a risk-based cyber security risk management plan is system-based, fcusing n specific cntrls fr high and medium impact BES Cyber Systems t address the risks presented in prcuring thse systems r services fr thse systems. A risk-based apprach culd als be vendr-based, fcusing n the risks psed by varius vendrs f its BES Cyber Systems. Entities may cmbine bth f these appraches int their plans. This flexibility is imprtant t accunt fr the varying needs and characteristics f respnsible entities and the diversity f BES Cyber System envirnments, technlgies, and risk (FERC Order N. 829 P 44) One r mre prcess(es) used in planning fr the prcurement f BES Cyber Systems t identify and assess cyber security risk(s) t the Bulk Electric System frm vendr prducts r services resulting frm: (i) prcuring and installing vendr equipment and sftware; and (ii) transitins frm ne vendr(s) t anther vendr(s). 2

6 Requirement R1 A Respnsible Entity culd dcument in its supply chain cyber security risk management plan ne r mre prcesses that it will use when planning fr the prcurement f BES Cyber Systems t identify and assess cyber security risks t the Bulk Electric System frm vendr prducts r services as specified in the requirement. Examples f prcesses, r utcmes f these prcesses, fr cmplying with Part 1.1 are described belw. A Respnsible Entity culd cmply with Part 1.1 using either the first (team review) apprach, r the secnd (risk assessment prcess) apprach, a cmbinatin f the tw appraches, r anther apprach determined by the Respnsible Entity t cmply with Part 1.1. A Respnsible Entity can develp a prcess t frm a team f subject matter experts frm acrss the rganizatin t participate in the BES Cyber System planning and acquisitin prcess(es). The Respnsible Entity shuld cnsider the relevant subject matter expertise necessary t meet the bjective f Part 1.1 and include the apprpriate representatin f business peratins, security architecture, infrmatin cmmunicatins and technlgy, supply chain, cmpliance, and legal. Examples f factrs that this team culd cnsider in planning fr the prcurement f BES Cyber Systems as specified in Part 1.1 include: Cyber security risk(s) t the BES that culd be intrduced by a vendr in new r planned mdificatins t BES Cyber Systems. Vendr security prcesses and related prcedures, including: system architecture, change cntrl prcesses, remte access requirements, and security ntificatin prcesses. Peridic review prcesses that can be used with critical vendr(s) t review and assess any changes in vendr s security cntrls, prduct lifecycle management, supply chain, and radmap t identify pprtunities fr cntinuus imprvement. Vendr use f third party (e.g., prduct/persnnel certificatin prcesses) r independent review methds t verify prduct and/r service security practices. Third-party security assessments r penetratin testing prvided by the vendrs. Vendr supply chain channels and plans t mitigate ptential risks r disruptins. Knwn system vulnerabilities; knwn threat techniques, tactics, and prcedures; and related mitigatin measures that culd be intrduced by vendr s infrmatin systems, cmpnents, r infrmatin system services. Crprate gvernance and apprval prcesses. Methds t minimize netwrk expsure, e.g., prevent internet accessibility, use f firewalls, and use f secure remte access techniques. Methds t limit and/r cntrl remte access frm vendrs t Respnsible Entity s BES Cyber Systems. Vendr s risk assessments and mitigatin measures fr cyber security during the planning and prcurement prcess. Mitigating cntrls that can be implemented by the Respnsible Entity f the vendr. Examples include hardening the infrmatin system, minimizing the attack surface, ensuring nging supprt fr system cmpnents, identificatin f alternate surces fr critical cmpnents, etc. A Respnsible Entity can develp a risk assessment prcess t identify and assess ptential cyber security risks resulting frm (i) prcuring and installing vendr equipment and sftware and (ii) transitins frm ne vendr(s) t anther vendr(s). This prcess culd cnsider the fllwing: Ptential risks based n the vendr s infrmatin systems, system cmpnents, and/r infrmatin system services / integratrs. Examples f cnsideratins include: 3

7 Requirement R1 Critical systems, cmpnents, r services that impact the peratins r reliability f BES Cyber Systems. Prduct cmpnents that are nt wned and managed by the vendr that may intrduce additinal risks, such as pen surce cde r cmpnents frm third party develpers and manufacturers. Ptential risks based n the vendr s risk management cntrls. Examples f vendr risk management cntrls t cnsider include 2 : Persnnel backgrund and screening practices by vendrs. Training prgrams and assessments f vendr persnnel n cyber security. Frmal vendr security prgrams which include their technical, rganizatinal, and security management practices. Vendr s physical and cyber security access cntrls t prtect the facilities and prduct lifecycle. Vendr s security engineering principles in (i) develping layered prtectins; (ii) establishing sund security plicy, architecture, and cntrls as the fundatin fr design; (iii) incrprating security requirements int the system develpment lifecycle; (iv) delineating physical and lgical security bundaries; (v) ensuring that system develpers are training n hw t build security sftware; (vi) tailring security cntrls t meet rganizatinal and peratinal needs; (vii) perfrming threat mdeling t identify use cases, threat agents, attack vectrs, and attack patterns as well as cmpensating cntrls and design patterns needed t mitigate risk; and (viii) reducing risk t acceptable levels, thus enabling infrmed risk management decisins. (NIST SP SA-8 Security Engineering Principles). System Develpment Life Cycle prgram (SDLC) methdlgy frm design thrugh patch management t understand hw cyber security is incrprated thrughut the vendr s prcesses. Vendr certificatins and their alignment with recgnized industry and regulatry cntrls. Summary f any internal r independent cyber security testing perfrmed n the vendr prducts t ensure secure and reliable peratins. 3 Vendr prduct radmap describing vendr supprt f sftware patches, firmware updates, replacement parts and nging maintenance supprt. Identify prcesses and cntrls fr nging management f Respnsible Entity and vendr s intellectual prperty wnership and respnsibilities, if applicable. Examples include use f encryptin algrithms fr securing sftware cde, data and infrmatin, designs, and prprietary prcesses while at rest r in transit. Based n risk assessment, identify mitigating cntrls that can be implemented by the Respnsible Entity r the vendr. Examples include hardening the infrmatin system, minimizing the attack surface, ensuring nging supprt fr system cmpnents, identificatin f alternate surces fr critical cmpnents, etc. 2 Tls such as the Standardized Infrmatin Gathering (SIG) Questinnaire frm the Shared Assessments Prgram can aid in assessing vendr risk. 3 Fr example, a Respnsible Entity can request that the vendr prvide a Standards fr Attestatin Engagements (SSAE) N. 18 SOC 2 audit reprt. 4

8 Requirement R One r mre prcess(es) used in prcuring BES Cyber Systems that address the fllwing, as applicable: A Respnsible Entity culd dcument in its supply chain cyber security risk management plan ne r mre prcesses that it will use when prcuring BES Cyber Systems t address Parts thrugh The fllwing are examples f prcesses, r utcmes f these prcesses, fr cmplying with Part 1.2. Request cyber security terms relevant t applicable Parts thrugh in the prcurement prcess (request fr prpsal (RFP) r cntract negtiatin) fr BES Cyber Systems t ensure that vendrs understand the cyber security expectatins fr implementing prper security cntrls thrughut the design, develpment, testing, manufacturing, delivery, installatin, supprt, and dispsitin f the prduct lifecycle 4. During negtiatins f prcurement cntracts r prcesses with vendrs, the Respnsible Entity can dcument the ratinale, mitigating cntrls, r acceptance f deviatins frm the Respnsible Entity s standard cyber security prcurement language that is applicable t the vendr s system cmpnent, system integratrs, r external service prviders. Examples f ways that a Respnsible Entity culd, thrugh prcess(es) fr prcuring BES Cyber Systems required by Part 1.2, cmply with Parts thrugh are described belw Ntificatin by the vendr f vendr-identified incidents related t the prducts r services prvided t the Respnsible Entity that pse cyber security risk t the Respnsible Entity; In an RFP r during cntract negtiatins, request that the vendr include in the cntract prvisins an bligatin fr the vendr t prvide ntificatin f any identified, threatened, attempted r successful breach f vendr s cmpnents, sftware r systems (e.g., security event ) that have ptential adverse impacts t the availability r reliability f BES Cyber Systems. Security event ntificatins t the Respnsible Entity shuld be sent t designated pint f cntact as determined by the Respnsible Entity and vendr. Examples f infrmatin t request that vendr s include in ntificatins t the Respnsible Entity are(i) mitigating cntrls that the Respnsible Entity can implement, if applicable (ii) availability f patch r crrective cmpnents, if applicable Crdinatin f respnses t vendr-identified incidents related t the prducts r services prvided t the Respnsible Entity that pse cyber security risk t the Respnsible Entity; A Respnsible Entity and vendr can agree n service level agreements fr respnse t cyber security incidents and cmmitment frm vendr t cllabrate with the Respnsible Entity in implement mitigating cntrls and prduct crrectins. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr such that, in the event the vendr identifies a vulnerability that has resulted 4 An example set f baseline supply chain cyber security prcurement language fr use by BES wners, peratrs, and vendrs during the prcurement prcess can be btained frm the Cybersecurity Prcurement Language fr Energy Delivery Systems develped by the Energy Sectr Cntrl Systems Wrking Grup (ESCSWG). 5

9 Requirement R1 in a cyber security incident related t the prducts r services prvided t the Respnsible Entity, the vendr shuld prvide ntificatin t Respnsible Entity. The cntract culd specify that the vendr prvide defined infrmatin regarding the prducts r services at risk and apprpriate precautins available t minimize risks. Until the cyber security incident has been crrected, the vendr culd be requested t perfrm analysis f infrmatin available r btainable, prvide an actin plan, prvide nging status reprts, mitigating cntrls, and final reslutin within reasnable perids as agreed n by vendr and Respnsible Entity Ntificatin by vendrs when remte r nsite access shuld n lnger be granted t vendr representatives; In an RFP r during cntract negtiatins, request that the vendr include in the cntract prvisins an bligatin fr the vendr t prvide ntificatin t the Respnsible Entity when vendr emplyee remte r nsite access shuld n lnger be granted. This des nt require the vendr t share sensitive infrmatin abut vendr emplyees. Circumstances fr n lnger granting access t vendr emplyees include: (i) vendr determines that any f the persns permitted access is n lnger required, (ii) persns permitted access are n lnger qualified t maintain access, r (iii) vendr s emplyment f any f the persns permitted access is terminated fr any reasn. Request vendr cperatin in btaining Respnsible Entity ntificatin within a negtiated perid f time f such determinatin. The vendr and Respnsible Entity shuld define alternative methds that will be implemented in rder t cntinue nging peratins r services as needed. If vendr utilizes third parties (r subcntractrs) t perfrm services t Respnsible Entity, require vendrs t btain Respnsible Entity s prir apprval and require third party s adherence t the requirements and access terminatin rights impsed n the vendr directly Disclsure by vendrs f knwn vulnerabilities; In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr fr cperatin in btaining access t summary dcumentatin within a negtiated perid f any identified security breaches invlving the prcured prduct r its supply chain that impact the availability r reliability f the Respnsible Entity s BES Cyber System. Dcumentatin shuld include a summary descriptin f the breach, its ptential security impact, its rt cause, and recmmended crrective actins invlving the prcured prduct. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr fr cperatin in btaining, within a negtiated time perid after establishing apprpriate cnfidentiality agreement, access t summary dcumentatin f uncrrected security vulnerabilities in the prcured prduct that have nt been publicly disclsed. The summary dcumentatin shuld include a descriptin f each vulnerability and its ptential impact, rt cause, and recmmended cmpensating security cntrls, mitigatins, and/r prcedural wrkarunds. During prcurement, review with the vendr summary dcumentatin f publicly disclsed vulnerabilities in the prduct being prcured and the status f the vendr s dispsitin f thse publicly disclsed vulnerabilities Verificatin f sftware integrity and authenticity f all sftware and patches prvided by the vendr fr use in the BES Cyber System; and 6

10 Requirement R1 During prcurement, request access t vendr dcumentatin detailing the vendr patch management prgram and update prcess fr all system cmpnents being prcured (including third-party hardware, sftware, and firmware). This dcumentatin shuld include the vendr s methd r recmmendatin fr hw the integrity f the patch is validated by Respnsible Entity. Ask vendrs t describe the prcesses they use fr delivering sftware and the methds that can be used t verify the integrity and authenticity f the sftware upn receipt, including systems with preinstalled sftware. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr t prvide access t vendr dcumentatin fr the prcured prducts (including third-party hardware, sftware, firmware, and services) regarding the release schedule and availability f updates and patches that shuld be cnsidered r applied. Dcumentatin shuld include instructins fr securely applying, validating and testing the updates and patches. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr t prvide apprpriate sftware and firmware updates t remediate newly discvered vulnerabilities r weaknesses within a reasnable perid fr duratin f the prduct life cycle. Cnsideratin regarding service level agreements fr updates and patches t remediate critical vulnerabilities shuld be a shrter perid than ther updates. If updates cannt be made available by the vendr within a reasnable perid, the vendr shuld be required t prvide mitigatins and/r wrkarunds. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr t prvide fingerprints r cipher hashes fr all sftware s that the Respnsible Entity can verify the values prir t installatin n the BES Cyber System t verify the integrity f the sftware. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr such that when third-party sftware cmpnents are prvided by the vendr, the vendrs prvide apprpriate updates and patches t remediate newly discvered vulnerabilities r weaknesses f the third-party sftware cmpnents Crdinatin f cntrls fr (i) vendr-initiated Interactive Remte Access, and (ii) system-t-system remte access with a vendr(s). During prcurement, request vendrs specify specific IP addresses, prts, and minimum privileges required t perfrm remte access services. Request vendrs use individual user accunts that can be cnfigured t limit access and permissins. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr t maintain their IT assets (hardware, sftware and firmware) cnnecting t Respnsible Entity netwrk with current updates t remediate security vulnerabilities r weaknesses identified by the riginal OEM r Respnsible Entity. During prcurement, request vendrs dcument their prcesses fr restricting cnnectins frm unauthrized persnnel. Vendr persnnel are nt authrized t disclse r share accunt credentials, passwrds r established cnnectins. In an RFP r during cntract negtiatins, request that the vendr include in cntract prvisins a cmmitment frm the vendr such that fr vendr system-t-system cnnectins that may limit the Respnsible Entity s capability t authenticate the persnnel cnnecting frm the vendr s systems, the vendr will maintain cmplete and accurate bks, user lgs, access credential data, recrds, and ther infrmatin applicable t cnnectin access activities fr a negtiated time perid. 7

11 Requirement R2 R2. Each Respnsible Entity shall implement its supply chain cyber security risk management plan(s) specified in Requirement R1. Nte: Implementatin f the plan des nt require the Respnsible Entity t renegtiate r abrgate existing cntracts (including amendments t master agreements and purchase rders). Additinally, the fllwing issues are beynd the scpe f Requirement R2: (1) the actual terms and cnditins f a prcurement cntract; and (2) vendr perfrmance and adherence t a cntract. General Cnsideratins fr R2 Implementatin f the supply chain cyber security risk management plan(s) des nt require the Respnsible Entity t renegtiate r abrgate existing cntracts (including amendments t master agreements and purchase rders), cnsistent with Order N. 829 (P. 36). Cntracts entering the Respnsible Entity's prcurement prcess (e.g. thrugh Request fr Prpsals) n r after the effective date are within scpe f CIP Cntract effective date, cmmencement date, r ther activatin dates specified in the cntract d nt determine whether the cntract is within scpe f CIP

12 Requirement R3 Requirement R3 R3. Each Respnsible Entity shall review and btain CIP Senir Manager r delegate apprval f its supply chain cyber security risk management plan(s) specified in Requirement R1 at least nce every 15 calendar mnths. General Cnsideratins fr R3 In the Requirement R3 review, respnsible entities shuld cnsider new risks and available mitigatin measures, which culd cme frm a variety f surces that include NERC, DHS, and ther surces. Implementatin Guidance fr R3 Respnsible entities use varius prcesses t address this requirement. Belw are sme examples f appraches t cmply with this requirement: A team f subject matter experts frm acrss the rganizatin representing apprpriate business peratins, security architecture, infrmatin cmmunicatins and technlgy, supply chain, cmpliance, legal, etc. reviews the supply chain cyber security risk management plan at least nce every 15 calendar mnths t reassess fr any changes needed. Surces f infrmatin fr changes include, but are nt limited t: Requirements r guidelines frm regulatry agencies Industry best practices and guidance that imprve supply chain cyber security risk management cntrls (e.g. NERC, DOE, DHS, ICS-CERT, Canadian Cyber Incident Respnse Center (CCIRC), and NIST). Mitigating cntrls t address new and emerging supply chain-related cyber security cncerns and vulnerabilities Internal rganizatinal cntinuus imprvement feedback regarding identified deficiencies, pprtunities fr imprvement, and lessns learned. The CIP Senir Manager, r apprved delegate, reviews any changes t the supply chain cyber security risk management plan at least nce every 15 calendar mnths. Reviews may be mre frequent based n the timing and scpe f changes t the supply chain cyber security risk management plan(s). Upn apprval f changes t the supply chain cyber security risk management plan(s), the CIP Senir Manager r apprved delegate shuld prvide apprpriate cmmunicatins t the affected rganizatins r individuals. Additinally, cmmunicatins r training material may be develped t ensure any rganizatinal areas affected by revisins are infrmed. 9

13 References Utilities Technlgy Cuncil (UTC) Cyber Supply Chain Risk management fr Utilities Radmap fr Implementatin ISO/IEC Infrmatin Security in Supplier Relatinships NIST SP Security and Privacy Cntrls fr Federal Infrmatin Systems and Organizatins System and Services Acquisitin SA-3, SA-8 and SA-22 NIST SP Supply Chain Risk Management Practices fr Federal Infrmatin Systems and Organizatins; Energy Sectr Cntrl Systems Wrking Grup (ESCSWG) - Cybersecurity Prcurement Language fr Energy Delivery Systems 10