Hero compliance nerc

NERC CIP Compliance

NERC and Third-Party Risk Management

The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) standard establishes new cybersecurity requirements for electric power and utility companies to ensure, preserve, and prolong the reliability of the bulk electric system (BES). NERC is authorized to penalize registered entities up to $1 million per day per outstanding violation.

Third-party risk management plays a pivotal role in ensuring supply chain security through the regular assessment of supply chain partners’ internal security controls and the ongoing monitoring of vendor risks in real time. Taken together, this inside-out, outside-in view provides more complete visibility in supply chain risks.

Align Your TPRM Program with 13 Industry Standards

Download this guide to review industry standards with specific TPRM requirements, and discover best practices for simplifying compliance.

Read Now
Featured resource compliance handbook industry standards

Meeting NERC TPRM Requirements

Here's how Prevalent can help you address NERC third-party risk management best practices:

Requirement How We Help

CIP-013 Cyber Security Criteria

1.2.1 Notification/Recognition of Cyber Security Incidents

Vendors need to be able to identify when an incident occurred to ensure that the vendor can notify the entity in the case of such an incident.

Prevalent enables responsible entities to regularly assess their vendors’ incident response plans, requiring upload of plans to the platform for validation. With this level of review, entities have visibility into how a supply chain partner would respond to a breach or cyber incident.

Monitoring and scoring tools along cannot provide this level of internal controls or process visibility, however these tools can complement assessments to trigger on public disclosure of an incident.

1.2.2 Coordination of Responses to Cyber Security Incidents

Vendors should coordinate with the entity their responses to incidents related to the products or services provided to the entity that pose cyber security risk to the entity.

Prevalent provides a central platform for the review of evidence supporting incident response and communications plans, with the flexibility to built custom workflow, tasks and escalation paths to enable rapid response.

1.2.3 Notification when Remote or Onsite Access is No Longer Needed or Should No Longer be Available to Vendor Representatives

Vendors should respond accordingly to personnel changes. A vendor should be able to tell the entity when a personnel change occurs that could impact whether or not remote access should still be available to vendor representatives.

The Prevalent platform includes a custom survey creation wizard that enables organizations to create and issue a customizable survey for off-boarding asking specific questions of the vendor and internal team regarding system access, data destruction, and final payments, with built-in workflows to ensure that the separation process is seamless.

1.2.4 Vulnerability Identification Vendors are to notify an entity when a vulnerability related to a product or service is identified.

In order to meet this obligation, a vendor needs to know when a vulnerability exists in their environment.

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. Built-in continuous monitoring capabilities complement assessments by performing external vulnerability scanning for web facing service interfaces, with results integrated into a single risk register.

1.2.5. Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System

The Prevalent platform includes more than 50 built-in industry standard questionnaires (such as those for CIP, NIST, ISO and others), many of which ask specific questions around patching cadence and software integrity checks for internal systems. Answers to these questions are escalated into risks if proper patching thresholds are not met, informing responsible entities of potential risks.

1.2.6 Coordination of Controls for Vendor-Initiated Interactive Remote Access and System-to-System Remote Access with a Vendor

Vendors must coordinate with entities to control vendor-initiated interactive remote access and ensure system-to-system remote access with a vendor is appropriately managed.

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

Asset, Change, and Configuration Management

Asset, Change, & Configuration Management Inventory of Authorized & Unauthorized Devices

  • Physical devices and systems within the organization are inventoried
  • Software platforms and applications within the organization are inventoried
  • Organizational communication and data flows are mapped
  • External information systems are catalogued

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

Change Control and Configuration Management Considerations

  • Uses a recognized framework for its information technology processes (e.g., ITIL)
  • Includes security in its system development life cycle
  • Has a mature change-control process
  • Maintains separate development and production environments
  • Maintains separate environments for different customers
  • Has mechanism for software integrity (e.g., PKI with encryption, digital signature)
  • Product allows for hardening to minimize attack surface
  • Processes to identify, discover, inventory, classify, and manage information assets (hardware and software
  • Processes to detect unauthorized changes to software and configuration parameters
  • Able to identify whether hardware, software, or components are U.S. and/or internationally sourced

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

Governance

Establish and Implement Security Awareness Program

  • Documented and implemented security policy and procedures
  • All users are informed and trained on cybersecurity policies and procedures
  • Third-party stakeholders understand roles and responsibilities and are accountable to same requirements
  • Senior executives understand roles and responsibilities
  • Physical and information security personnel understand roles and responsibilities
  • Ability to provide ongoing support for software and hardware
  • Personnel background checks
  • Ability to retain data for events such as litigation holds, cyber security incidents
  • Presence of trained, knowledgeable, and sufficient cyber security resources
  • Supplier has certifications for manufacturing process (e.g., ISO)

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

Logging and Monitoring Considerations

  • Maintains a program to perform continuous logging, monitoring, and analysis of its systems to identify events of significance
  • Has sufficient segregation of duties to ensure logging and monitoring are effective to detect anomalies

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

Information Protection Considerations

  • Uses appropriate controls to manage data at rest (vendor or entity data)
  • Ability to provide additional hardware for failures • Encrypts credentials in transit, internal and externally
  • Encrypts credentials at rest
  • Uses strongest standard encryption algorithms (e.g., AES or SHA-2)
  • Supplier physical access controls to hardware, software, and manufacturing centers
  • Physical devices and systems within the organization are inventoried
  • Supplier location of data centers (U.S./Canada-based vs international)

The Prevalent platform offers evidence and process validation that such policies exist, requiring the supply chain partner to provide such evidence. The platform also quantifies vendor risks, offers prescriptive remediation guidance, tracks tasks and automates workflows to drive adherence to policy and best practices.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo