CIP Solved
NERC CIP is our specialty. We have been part of the CIP universe since it started (way back in 2001, for those who remember the FERC SMD). No other firm has our history with this regulation. Over the years, we have seen all perspectives, sizes and functions.
We’ve been the utility staff, implementing the controls and receiving audits. We’ve been on the standards and interpretations drafting teams. We’ve been on guidance working groups, as well as all relevant NERC and Regional committees. We’ve been on the FERC Technical Committees and provided direct comments on NOPRs and Orders. We’ve even been the Regional CIP auditor performing the audits on the Registered Entities.
We’ve been the instructors and content developers for NERC CIP training programs from well-known institutions such as the SANS Institute and EnergySec. We’ve seen programs from investor-owned utilities, municipals, and cooperatives - generation, transmission, control centers or vertically integrated. We know CIP for GO, GOP, TO, TOP, BA and even RC.
You name it. If it’s NERC CIP, we’ve done it.
CIP Compliance 24/7/365
The NERC CIP Standards are a zero-defect, zero-tolerance regulation that requires you to be 100% audit-ready - every day of every year at all times. Waiting until just before your next audit to check your compliance posture is a recipe for disaster (read: violations). Managing your CIP compliance program to the auditor’s expected level of readiness is challenging for most organizations. Everything from regular changes to the CIP Standards, staff turnover, and technology shifts can significantly impact your program. We can help you manage these obstacles and keep your program on track:
Gap assessment - collaborative approach to identifying compliance gaps
Mock audit - performed in the style of your Regional Entity, just like the real thing
Policy, process and procedure review
Facilitated incident response and recovery exercises
Internal control evaluation, design, and testing (ICE, RAI)
Internal Compliance Program (ICP) evaluation
Compliance Oversight Plan (COP) review and creation
Compliance program benchmarking and metrics
Compliance staff augmentation
Compliance “phone a friend” - sometimes you just need to call an expert for a quick answer
RC/BA/TOP and Control Center certification and re-certification preparation
Pre-audit support
Getting your organization ready for a CIP audit is a monumental task for even the most experienced utilities. Assembling and reviewing all of the documentation is a significant effort for all programs, big and small, low impact to high impact. Below are just some of the pre-audit services we offer to help you go into the audit prepared, confident, and ready:
RSAW review, creation, and markup
Evidence sufficiency review, creation, and markup
Gap assessment - collaborative approach to identifying compliance gaps
Mock audit - performed in the style of your Regional Entity, just like the real thing
Self-report review and preparation
Internal control evaluation, design, and testing
Inherent Risk Assessment
Witness/SME preparation and training
Senior Management awareness, preparation, and training
Live Audit Support
Your staff shouldn’t have to spend their evenings and nights in the office for weeks to get through all of the data requests, evidence processing, and possible violation management. Ampyx Cyber can help take away the pain, anxiety, and stress that come with the actual (live) audit. We have experience with all Regions and we have direct professional channels to most of the CIP auditors. A sampling of the many live-audit support options we have is as follows:
Audit logistics and planning
“War room” management, triage, and support
Data request processing and narratives
Auditor interpretation, translation, and negotiation
Evidence review and presentation
Violation processing, containment, and management
SME and Witness pre/de-brief, etiquette, and coaching
Senior Management awareness and briefing
Post-Audit Support
Take a deep breath and relax for a moment - the audit is finally over. Ampyx Cyber knows that doesn’t mean the work is done. In fact, it’s only just begun (again). Very few organizations come out of the audit with no issues. Even if there are no Possible Non-Compliance issues (PNCs, violations), there may be Areas of Concern or official Recommendations. The Region will likely be looking at these when they come back for the next audit cycle.
While you were preparing for the audit, you probably found some areas that need refinement. During the audit, you probably observed even more things that could use some correction. These hot spots become future compliance risks if not resolved. Ampyx Cyber can help you maximize the benefit of the audit and minimize potential future obstacles through the following services:
Lessons learned capture and reporting (“hotwash”)
Violation processing, containment, and remediation
Audit report interpretation
Remediation planning, prioritization, and implementation
Settlement negotiations
Budget comparison, forecasting, and baselining
Project management
Control design and implementation
Executive reporting
CIP Program Development & Improvement
Wherever you are in your compliance journey, whether just registering with NERC and ramping up a new program or improving and polishing an existing one, Ampyx Cyber can assist with the myriad of compliance responsibilities necessary to get - and stay - audit ready.
We are comfortable with all modes of support. We can handle the embedded “staff-augmentation” to get organizations through a challenging spot, as well as the “phone a friend” style to resolve individual issues or manage a point-in-time problem. We can also deliver an entire (packaged) compliance project from idea to implementation, from the process level to the whole program. Some of the many service offerings we have for “routine” CIP compliance are below:
Documentation review and maintenance
RSAW review and maintenance
Evidence review and maintenance
Process/procedure review and development
Control design and testing
Version transition planning and forecasting
BES Cyber System Categorization and high/medium/low impact rating
Facilitated CIP-008/CIP-009 exercises
Cyber Asset inventory and validation
Compliance management software design, procurement, and implementation
Project management
Compliance oversight plan
Compliance program development
Virtual Compliance Office
NERC CIP compliance in a box. It actually exists, and it can be perfect for some organizations.
Ampyx Cyber provides everything you need to be compliant. Each entity is unique, but some of the most common support models range from operational compliance tasks and evidence management to full-service compliance program coverage, including interfacing with your executive teams and the Regional Entity. Most importantly, you get dedicated Ampyx Cyber resources as your own - for continuity and confidence. We’re fully capable of working within webCDMS as well as the NERC Align tool and the Secure Evidence Locker (SEL).
Pricing varies based on level of support needed and number/mix of BES Cyber Assets.
Ask an Expert
Got a tough question?
Sometimes you just need to phone a friend. Ask us anything, any time. You don’t need to be an existing or prospective client. No cost, no commitment, no sales follow up, no contact lists - simply put, no strings attached. We will always respect your privacy. We promise.