The CIP Evidence Request Tool has many worksheets with many fields that require a lot of information. Specifically, the Cyber Asset worksheet has many fields that need to be completed for each Cyber Asset. One of these fields is “Date of Activation in a Production Environment, if Activated During the Audit Period.” Depending on how you interpret this field, many dates may seem appropriate.

The purpose of this field is to establish a date that the registered entity is responsible for having evidence of compliance with the applicable Reliability Standards for each Cyber Asset.

The description of this column from the Evidence Request Tool User Guide states:

“If this Cyber Asset became active in a production environment during the audit period, enter the date the Cyber Asset became active[…]”

While this description seems straightforward, it is not specific enough to eliminate additional interpretations. The concept of “production environment” is very broad and may mean different things to different registered entities. Cyber Assets may be staged in a production environment but are not a BES Cyber Asset or a Protected Cyber Asset if not yet assisting in those functions.

Given the variability of when Cyber Assets are staged and put into production, the Evidence Request Tool User Guide has been updated to contain the following:

“The date that the Cyber Asset becomes CIP applicable within a production environment[…]”

This change will take effect with version 10 of the Evidence Request Tool. The change in description provides additional clarity for the specific date being requested and better aligns with the intention of the field and its inclusion on the Cyber Asset worksheet. If you are unsure of how to determine this date or have additional questions, please contact [email protected] for assistance.

– Elliot Weishaar, MRO CIP Compliance Engineer