
Richard "Dick" Brooks

NERC CIP Supply Chain Survey Results: The Pain Points

I recently had the opportunity to research the NERC Supply Chain Working Group survey results on the NERC CIP Supply Chain standards. The survey questions were comprehensive and aimed at understanding the level of uptake in implementing the standards and any issues that may be preventing a party from implementing the standards. I commend the Supply Chain Work Group for sharing the survey results with the public.

This article highlights some of the key findings and, more importantly, the pain points identified by survey respondents. Clearly, NERC's "Doctrine of Auditor Independence" is preventing parties from receiving the guidance they need to properly implement solutions for the NERC CIP Supply Chain Standards. Several respondents reported uncertainty about how to comply with the Supply Chain Standards, citing a lack of guidance.

If NERC is unable, or unwilling, to provide jurisdictional entities with the guidance they need, then one of two things should happen. Either NERC retires the "Doctrine of Auditor Independence" for cybersecurity standards so that NERC itself can provide the needed guidance, or NERC hosts an open forum where supply chain solutions can be presented objectively, so that all jurisdictional entities can see what is available to support their needs under the NERC Supply Chain Standards. I have personally seen the "open forum" approach used by NAESB to effectively inform industry of the solutions available to satisfy NAESB standards requirements.

This one survey response shines a spotlight on the issue described above: "The supply chain requirements as written are reasonable. It's the audit oversight piece that has everyone worried."

Survey respondents expressed concern about not knowing "auditor expectations" with regard to the methods, processes and evidence needed to satisfy NERC CIP Supply Chain Standards compliance requirements. This is understandable: NERC does not provide the type of guidance survey respondents are requesting, largely because of NERC's committed adherence to the "Doctrine of Auditor Independence". There is a virtual ocean of cybersecurity guidance available from numerous sources, which makes it difficult for NERC jurisdictional entities to know which guidance to follow, and that is the root of the concern over audit oversight expectations that has everyone worried. The following "Pain Points" were identified in the survey results:

  • SCRM process is labor intensive
  • Business benefit of SCRM process is unclear
  • SCRM process looks good on paper but accomplishes little in real life
  • Vendor cooperation is mixed
  • Vendors have expressed concerns over receiving multiple questionnaires in multiple formats
  • Vendors refuse to provide some information needed to conduct a SCRM assessment
  • Lack of a centralized database of vetted, certified products and vendors to choose from requires each entity to conduct their own risk assessment

NERC could help the industry address these pain points and provide the guidance needed to properly implement supply chain risk management protections that satisfy NERC CIP Supply Chain requirements. Doing so would require NERC either to forego the "Doctrine of Auditor Independence" and provide the guidance industry seeks, or to host an open forum where supply chain vendors can present their solutions objectively, so that all jurisdictional entities and NERC auditors can see what is available to implement solutions that satisfy NERC Supply Chain requirements. The open forum approach has been used successfully by NAESB to inform industry of solutions available to satisfy NAESB standards requirements, without compromising its independence as an ANSI standards development organization.