The article linked below provides an overview of the new cybersecurity reporting law that was signed by President Biden last week. Yesterday I attended an industry meeting where CISA explained how the new law is expected to work, although many details are still being flushed out. One point was clear, the new reporting requirements go beyond the scope of NERC CIP, CIP-008 is only a subset of what the new law covers for cybersecurity reporting. The new law also requires cyber incident reporting on assets outside of the ESP, i.e. Settlement systems, market systems, etc, within 72 hours.
Thu, Mar 24