The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard establishes new cybersecurity requirements for electric power and utility companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation.
Third-party risk management plays a pivotal role in ensuring supply chain security through the regular assessment of supply chain partners’ internal security controls and the ongoing monitoring of vendor risks in real time. Taken together, this inside-out, outside-in view provides more complete visibility in supply chain risks.
Align Your TPRM Program with 13 Industry Standards
Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.
Meeting NERC TPRM Requirements
Here's how Prevalent can help you address NERC third-party risk management best practices:
Requirement | How We Help |
---|---|
CIP-013 Cyber Security Criteria |
|
1.2.1 Notification/Recognition of Cyber Security Incidents Vendors need to be able to identify when an incident occurred to ensure that the vendor can notify the entity in the case of such an incident. |
Prevalent enables responsible entities to regularly assess their vendors’ incident response plans, requiring upload of plans to the platform for validation. With this level of review, entities have visibility into how a supply chain partner would respond to a breach or cyber incident. Monitoring and scoring tools along cannot provide this level of internal controls or process visibility, however these tools can complement assessments to trigger on public disclosure of an incident. |
1.2.2 Coordination of Responses to Cyber Security Incidents Vendors should coordinate with the entity their responses to incidents related to the products or services provided to the entity that pose cyber security risk to the entity. |
Prevalent provides a central platform for the review of evidence supporting incident response and communications plans, with the flexibility to built custom workflow, tasks and escalation paths to enable rapid response. |
1.2.3 Notification when Remote or Onsite Access is No Longer Needed or Should No Longer be Available to Vendor Representatives Vendors should respond accordingly to personnel changes. A vendor should be able to tell the entity when a personnel change occurs that could impact whether or not remote access should still be available to vendor representatives. |
The Prevalent platform includes a custom survey creation wizard that enables organizations to create and issue a customizable survey for off-boarding asking specific questions of the vendor and internal team regarding system access, data destruction, and final payments, with built-in workflows to ensure that the separation process is seamless. |
1.2.4 Vulnerability Identification Vendors are to notify an entity when a vulnerability related to a product or service is identified. In order to meet this obligation, a vendor needs to know when a vulnerability exists in their environment. |
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. Built-in continuous monitoring capabilities complement assessments by performing external vulnerability scanning for web facing service interfaces, with results integrated into a single risk register. |
1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System |
The Prevalent platform includes more than 50 built-in industry standard questionnaires (such as those for CIP, NIST, ISO and others), many of which ask specific questions around patching cadence and software integrity checks for internal systems. Answers to these questions are escalated into risks if proper patching thresholds are not met, informing responsible entities of potential risks. |
1.2.6 Coordination of Controls for Vendor-Initiated Interactive Remote Access and System-to-System Remote Access with a Vendor Vendors must coordinate with entities to control vendor-initiated interactive remote access and ensure system-to-system remote access with a vendor is appropriately managed. |
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices. |
Asset, Change, and Configuration Management |
|
Asset, Change, & Configuration Management Inventory of Authorized & Unauthorized Devices
|
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices. |
Change Control and Configuration Management Considerations
|
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices. |
Governance |
|
Establish and Implement Security Awareness Program
|
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices. |
Logging and Monitoring Considerations
|
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices. |
Information Protection Considerations
|
The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices. |
New critical infrastructure protection cybersecurity standards are going into effect on July 1. Are you ready?
Learn how a third-party risk management (TPRM) policy can protect your organization from vendor-related risks.
Reveal TPRM requirements in 13 regulations and gain best practices for simplifying compliance.