Compliance Manager for NERC CIP - Jay Holstine


Compliance Manager for NERC CIP


Compliance Manager (CM) Platform

The CM platform collects and manages compliance evidence through data management, document management, tasks, and procedures for NERC CIP-002 through CIP-009. CM is a comprehensive compliance evidence collection, management and reporting solution that simplifies the work of being NERC CIP compliant while building the real-time evidence that demonstrates NERC CIP compliance.

A Solution Driven by Compliance Outputs

The outputs of Compliance Manager are key drivers behind the value of the solution and the benefits to the compliance practice. The solution comes preconfigured with over 30 NERC CIP data-driven evidence reports, oversight and issue management dashboards, and RSAW/Audit package generation.


NERC CIP Data-Driven Evidence Management

Managing the complex data relationships behind NERC CIP compliance reporting is the most challenging aspect of NERC CIP compliance. The CM solution transforms traditional data-driven evidence management into a streamlined and efficient real-time compliance program.

The SigmaFlow CM solution solves this challenge with a sophisticated data model that automatically produces the most difficult evidence reports (30+) for NERC CIP Compliance. This data must also be maintained and related properly [1] to produce the evidence reports required for Audits. This is particularly challenging when compliance data resides in spreadsheets and point solutions.

CM solves this challenge with a preconfigured NERC CIP data model that:

- Collects evidentiary compliance data
- Manages all relationships between data Libraries
- Produces data-driven evidence reports (over 30) in real-time

[1] Most NERC CIP evidence reports require relating data from multiple spreadsheets and/or point solutions.


CM Evidence Reports

- CIP-002-3 R3: Critical Cyber Assets & Evaluated List
- CIP-003-3 R2.3: Delegations of Authority
- CIP-003-3 R3, R3.1, R3.2: Cyber Security Policy Exceptions
- CIP-003-3 R5.1: Logical/Physical Designated Approvers
- CIP-004-3 R2: People Cyber Security Training Applies To
- CIP-004-3 R2.1: People Authorization & Training Dates
- CIP-004-3 R2.3: People with Training Completion Dates
- CIP-004-3 R3, R3.3: PRA Completion & Access Grant Dates
- CIP-004-3 R4, R4.1: List of Electronic & Physical Access Rights
- CIP-004-3 R4.2: Access Rights Revoked: Termination
- CIP-004-3: Detailed Training History by Person
- CIP-004-3: Detailed PRA History by Person
- CIP-005-3 R1: All CCAs and the ESP they Reside In
- CIP-005-3 R1: All Cyber Assets for each ESP
- CIP-005-3 R1: Access Points for each ESP
- CIP-005-3 R1: Cyber Assets used in Access Control of ESPs
- CIP-005-3 R1: Access Control Monitoring for each ESP
- CIP-006-3 R1: All Cyber Assets and the PSP they Reside In
- CIP-006-3 R3: Electronic Access Control Systems and PSP
- CIP-007-3 R2: Active Ports for Cyber Assets in an ESP
- CIP-007-3 R2: Active Services for Cyber Assets in an ESP
- CIP-007-3 R3: Security Patches for Cyber Assets in an ESP
- CIP-007-3 R5.2: Individuals with Shared Accounts
- CIP-007-3 R5.3: Cyber Asset Password Requirements
- CIP-Multiple: TFEs by CIP Requirement

Managing Documents for Compliance and Audit Readiness

Documents in NERC CIP compliance include the policies, procedures, plans, diagrams, screenshots and other file types that are part of the overall evidence requirements of NERC CIP. These documents can be difficult to collect and track properly. There is important metadata that must be collected and managed with each document. It is easy to make mistakes and lose visibility over the attributes and status of each compliance document.

CM solves this challenge with an integrated platform that manages documents and associations, collects document and association metadata, and organizes all content in the NERC CIP hierarchy.


Automated RSAW and Evidence Package Generation

RSAW and Audit Package generation are complicated “processes” with many steps and hand-offs. There are numerous places in the traditional approach to producing RSAWs and Audit Packages that introduce errors and force additional oversight and management activity. Compliance Manager eliminates these root causes of resource (time) consumption, errors, and oversight issues by automatically producing RSAW and Audit Packages with the click of a button. With Compliance Manager, as each person performs their work the solution builds the many “pieces” of each compliance package and generates them automatically, on demand.

Task and Procedure Management

There are many “tasks” that need to be performed in the compliance practice, tasks like collecting documents, performing reviews, remediating issues, and so on. There are over 70 tasks that directly relate to the production of compliance documentation typically required in a NERC CIP audit. With all of this work, much of which is time-sensitive, keeping things organized, scheduled and on track can be a daunting challenge. CM solves this challenge with task and procedure management that organizes work, schedules it properly, collects necessary compliance data, enforces compliance policies, and provides oversight visibility. Examples of Tasks that CM supports are:

CM Tasks

- Document Collection and Upload
- Identification of Compliance Documentation
- Review and Verification of Compliance Documentation
- Review and Approval of Policies, Procedures, Plans, etc.
- Creation of Supporting Documentation
- Verification of Controls
- Ad-hoc Compliance Activities
- Audit Readiness Task Groups
- Remediation Programs

Standardized work processes provide structure, information and collect data. Process work structure ensures that the work of the process is performed in the correct order and that all necessary tasks are completed. Standardized process structure ensures work is performed the same way every time, regardless of who is actually performing the work. Process information is the guiding text, instructions, and references that operations staff need in order to understand what is expected of them. Process information imparts knowledge into the compliance solution that empowers operations staff to understand each compliance activity they must perform, helping to build a culture of compliance.

Streamlined Solution Deployment

With the SigmaFlow streamlined solution deployment approach, CM customers are up and running with full benefit realization in a matter of weeks. This includes pre-populating CM with existing customer data so that the solution is up-to-date upon delivery.

Streamlined Solution Deployment Benefits:

1. Use Solution Deployment to Fast-Track NERC CIP Audit Preparation (upcoming Audit)
2. Leverage Pre-Configured Solution Design to Eliminate Start-up CIP Program Development
3. Immediate Visibility into Gaps and Conformance Issues in Existing Data (Dashboards)

About SigmaFlow

SigmaFlow is a leading provider of NERC Compliance and Energy Enterprise Solutions. SigmaFlow places a strong emphasis on embedding domain knowledge in all of the company’s products through process-driven, template-based architecture. The company serves a diverse portfolio of customers in the Utilities and Energy marketplace.
