A problem with CIP compliance and supply chain (including cloud) is one of responsibility. This occurs in CIP-011, CIP-013 and will be in CIP-012 too. Think of it this way? If i ask you to keep a sensitive document for me and ask you to protect it and not disseminate it, will you show me all your internal processes which you and your staff use to ensure these protections? And then, say my document is found out there in the world and is even replicated, and i find you made a mistake, what is my recourse? It's too late at that point because it's out there (much like offshore tax account information) but I guess I can sue. So in reality, once the document leaves my hands i must assume "a best effort."

How can FERC and NERC hold entity's accountable for data and electronic information that is shared with other entity's or regulators? Especially when that data crosses a wire owned by a major carrier whom also maintains, accesses and manages the systems and keys? It's not possible. Only a "best effort is possible." The CIP standards already have multiple compensating controls which provide that "best effort," and in the case of Solarwinds supply chain there is nothing that an entity could have done - because the software supply chain (Solarwinds) was given what it perceived as "defacto" patches. If you cannot trust your developer, then you cannot trust anyone. So CIP does nothing here but require industry to perform administration overhead without addressing the security issue at the base.