Personnel Screening Requirements Under NERC CIP
Question: What are the personnel screening requirements under NERC CIP?
Response & Analysis:
The North American Electric Reliability Corporation (“NERC”) is an international, not-for-profit organization whose mission is to ensure the reliability of the bulk electric system in North America. NERC’s critical infrastructure protection (“CIP”) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system. The NERC CIP plan consists of nine standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets as well as personnel and training, security management and disaster recovery planning. The NERC CIP standards apply to entities that “materially impact” the reliability of the bulk power system, including owners, operators and users of any portion of the system.
NERC Standard CIP-004-03a, “Cyber Security – Personnel & Training,” requires that personnel with authorized cyber access or unescorted physical access to critical cyber assets have, among other things, an appropriate level of risk assessment. Pursuant to Standard CIP-004-03a, Section B. R3. – “Personnel Risk Assessment,” the responsible entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial and local laws and subject to existing collective bargaining unit agreements, and such assessments shall be conducted before personnel are granted access, except in specified emergency situations.
In addition, the personnel risk assessment shall be updated at least every seven years after the initial assessment or “for cause,”[1] and the results of personnel risk assessments shall be documented. The responsible entity may, however, conduct more detailed reviews that include checks on employment history, education verification and professional certifications where warranted, depending on the criticality of the position.
[1] Pursuant to the “Frequently Asked Questions for Cyber Security Standards CIP-002-1 thru CIP-009-1,” “for cause” means any situation that comes to management’s attention that would void the right to access, either on or off the job. Examples include gross misconduct or a felony conviction, but it can also include disciplinary action that impugns the reliability of the employee.
All Rights Reserved © 2017 Truescreen, Inc.
This document and/or presentation is provided as a service to our customers. Its contents are designed solely for informational purposes, and should not be inferred or understood as legal advice or binding case law, nor shared with any third parties. Persons in need of legal assistance should seek the advice of competent legal counsel. Although care has been taken in preparation of these materials, we cannot guarantee the accuracy, currency or completeness of the information contained within it. Anyone using this information does so at his or her own risk.