
Planning for CIP-003-9 and Vendor Electronic Remote Access

As the NERC Critical Infrastructure Protection (CIP) standards continue to mature, keeping pace with updates and revisions such as CIP-003-9 is essential to the integrity of the systems these standards are designed to protect. The new CIP-003-9 vendor electronic remote access security controls become enforceable on April 1, 2026, and implementing strong controls to mitigate the identified risks before that date is crucial. Registered entities should be proactively preparing for the change through internal reviews and discussions, external consultations, and continuous maturing of implemented controls. To maintain a secure and compliant CIP program under the new requirements, organizations should work through the questions and considerations outlined in this article.

Summary of Changes to CIP-003-9

Requirement 1, Part 1.2.6

“1.2.6. Vendor electronic remote access security controls;”

Requirement 2, Attachment 1, Section 6

“For assets containing low impact BES Cyber System(s) identified pursuant to CIP-002, that allow vendor electronic remote access, the Responsible Entity shall implement a process to mitigate risks associated with vendor electronic remote access, where such access has been established under Section 3.1. These processes shall include:

6.1 One or more method(s) for determining vendor electronic remote access;

6.2 One or more method(s) for disabling vendor electronic remote access; and

6.3 One or more method(s) for detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access.” 

Preparing for the Changes

Below are things to consider and questions to ask to help implement robust controls and guide your preparation for when CIP-003-9 becomes enforceable.

CIP-003-9 R1 Policy review and updates

  • Have you reviewed, and, if necessary, updated your cyber security policies to include vendor electronic remote access security controls for low impact BES Cyber Systems (BCS)?
  • Has your CIP Senior Manager reviewed and approved the low impact policies at least once every 15 calendar months?
  • Have you reviewed the implementation plan for CIP-003-9?

Understanding the existence of vendor electronic remote access

  • Have you implemented processes to identify vendor electronic remote access for low impact BES Cyber Systems?
  • Have you evaluated communications from vendors and the systems used by vendors with assets containing low impact BES Cyber Systems?
  • Have you considered that vendor electronic remote access is not limited to people; it also includes system-to-system access by vendor-operated systems?

Determining vendor electronic remote access

  • How will you evaluate if vendor electronic remote access is allowed for each asset?
  • Have you identified any dependencies from CIP-003-9 R2 Attachment 1 Section 3 for determining vendor electronic remote access?
  • Are the methods implemented to determine allowed vendor electronic remote access appropriate for all assets, if you have more than one?
  • Have you documented the methodology for identifying vendor electronic remote access and what Cyber Assets are impacted?

Disabling vendor electronic remote access

  • Have you determined the method(s) for disabling vendor electronic remote access?
  • Are the methods implemented to disable vendor electronic remote access appropriate for all assets, if you have more than one?
  • Are you implementing electronic controls (for example, disabling an account or firewall rule), procedural controls, or both to disable vendor electronic remote access?
  • Does your process explain when, and under what conditions, vendor electronic remote access would be disabled?

Detecting known or suspected inbound and outbound malicious communications for vendor electronic remote access

  • How is detection of malicious communications associated with vendor electronic remote access occurring, and what is the method?
  • Do your method(s) cover both inbound and outbound communications?
  • Have you established method(s) to detect known or suspected malicious communications from vendor systems, and not just from remote access by vendor staff?
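
The three Section 6 methods (determine, disable, detect) are easier to reason about against concrete data. The following is an added illustrative example, not code from MRO or text from the standard: it runs the three checks over a constructed vendor access inventory and constructed key=value access log lines. The inventory layout, the log format, the `direction=in/out` field, the IOC list and all addresses are assumptions made for the example; an entity's real evidence will come from its own VPN, jump host and firewall records.

```python
"""Illustrative CIP-003-9 Attachment 1 Section 6 checks (added example).

  6.1 determine - which assets allow vendor electronic remote access
  6.2 disable   - mark an access path disabled and keep evidence of it
  6.3 detect    - flag known or suspected malicious inbound/outbound traffic

Inventory layout, log format, IOC list and addresses are assumptions.
"""
import re
from datetime import datetime, timezone

# Constructed inventory: one entry per vendor access path to an asset
# containing low impact BCS. 'vendor_src' is where the vendor is expected
# to connect from; 'allowed_dst' is the BCS address(es) it may reach.
VENDOR_ACCESS = [
    {"asset": "SUB-A", "vendor": "RelayCo", "account": "relayco-svc",
     "kind": "interactive", "enabled": True,
     "vendor_src": {"203.0.113.10"}, "allowed_dst": {"10.20.1.5"}},
    {"asset": "SUB-A", "vendor": "HistorianInc", "account": "hist-agent",
     "kind": "system-to-system", "enabled": True,
     "vendor_src": {"203.0.113.20"}, "allowed_dst": {"10.20.1.9"}},
    {"asset": "SUB-B", "vendor": "HmiVendor", "account": "hmivendor",
     "kind": "interactive", "enabled": False,
     "vendor_src": {"203.0.113.44"}, "allowed_dst": {"10.30.1.7"}},
]

# Constructed IOC list (known attacker infrastructure) used by 6.3.
KNOWN_BAD = {"198.51.100.66"}

# Constructed access log lines in a key=value format assumed for the example.
SAMPLE_LOG = [
    "ts=2025-03-01T10:00:00Z user=relayco-svc direction=in src=203.0.113.10 dst=10.20.1.5 dport=502 action=allow",
    "ts=2025-03-01T10:05:00Z user=relayco-svc direction=in src=203.0.113.10 dst=10.20.1.9 dport=445 action=allow",
    "ts=2025-03-01T10:07:00Z user=hmivendor direction=in src=203.0.113.44 dst=10.30.1.7 dport=3389 action=allow",
    "ts=2025-03-01T10:09:00Z user=hist-agent direction=out src=10.20.1.9 dst=198.51.100.66 dport=443 action=allow",
    "ts=2025-03-01T10:11:00Z user=relayco-svc direction=out src=10.20.1.5 dst=203.0.113.99 dport=8443 action=allow",
    "ts=2025-03-01T10:12:00Z user=hist-agent direction=in src=203.0.113.20 dst=10.20.1.9 dport=5432 action=allow",
]

LOG_RE = re.compile(r"(\w+)=(\S+)")


def determine_vendor_access(inventory):
    """6.1: map each asset to its currently enabled vendor access paths.
    Assets with no enabled path are omitted, so the result is the in-scope list."""
    result = {}
    for entry in inventory:
        if entry["enabled"]:
            result.setdefault(entry["asset"], []).append(
                (entry["vendor"], entry["account"], entry["kind"]))
    return result


def disable_vendor_access(inventory, account, reason, audit):
    """6.2: disable one vendor access path and record when and why.
    Returns True if a path was disabled, False if none was enabled."""
    for entry in inventory:
        if entry["account"] == account and entry["enabled"]:
            entry["enabled"] = False
            audit.append({"account": account, "reason": reason,
                          "at": datetime.now(timezone.utc).isoformat()})
            return True
    return False


def parse_log(line):
    """Parse one constructed key=value log line into a dict."""
    return dict(LOG_RE.findall(line))


def detect_malicious(inventory, lines):
    """6.3: flag known or suspected malicious communications on vendor paths.
    Returns a list of (reason, parsed_record); at most one finding per line."""
    by_account = {e["account"]: e for e in inventory}
    findings = []
    for line in lines:
        rec = parse_log(line)
        src, dst = rec.get("src"), rec.get("dst")
        entry = by_account.get(rec.get("user"))
        # Known IOC on either side of the session, inbound or outbound.
        if src in KNOWN_BAD or dst in KNOWN_BAD:
            findings.append(("known IOC", rec))
            continue
        if entry is None:
            continue  # not a vendor account; outside this Section 6 check
        # Traffic allowed on a path the entity believes it disabled.
        if not entry["enabled"] and rec.get("action") == "allow":
            findings.append(("access on disabled vendor path", rec))
        elif rec.get("direction") == "in":
            # Suspected: wrong vendor source, or reaching a BCS it may not reach.
            if src not in entry["vendor_src"]:
                findings.append(("inbound from unexpected vendor source", rec))
            elif dst not in entry["allowed_dst"]:
                findings.append(("vendor reached unexpected destination", rec))
        elif (rec.get("direction") == "out" and src in entry["allowed_dst"]
              and dst not in entry["vendor_src"]):
            # Suspected: the BCS itself is connecting out somewhere other than
            # the vendor endpoint (possible command-and-control or exfiltration).
            findings.append(("outbound from BCS to unexpected destination", rec))
    return findings


if __name__ == "__main__":
    print("6.1 in-scope assets:", determine_vendor_access(VENDOR_ACCESS))
    for reason, rec in detect_malicious(VENDOR_ACCESS, SAMPLE_LOG):
        print("6.3", reason, rec["ts"], rec["user"], rec["src"], "->", rec["dst"])
    audit = []
    disable_vendor_access(VENDOR_ACCESS, "relayco-svc", "contract ended", audit)
    print("6.2 audit:", audit)
```

The disabled-path check is the one practitioners most often miss: a session that is still allowed for an account the entity has disabled is evidence that the 6.2 control failed, and it is worth detecting separately from malicious traffic. Replace the constructed inventory and log format with the entity's own records to make the same logic usable.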

BES Cyber Security Information

  • Do you understand what information is being collected or stored in the system?
  • Has this information been reviewed against your CIP-011 program for BES Cyber Security Information (BCSI)?
    • Note: As stated in the definition of BCSI, individual pieces of information may not be BCSI by themselves, but a collection of such information, including its context, could pose a security threat to the BES Cyber Systems and would then need to be treated as BCSI.
  • Are you protecting and securely handling any identified BCSI, and controlling the provisioning of access to it? Designating a storage location or repository for BCSI may not be necessary, since the focus is on protecting the information itself and the access provisioned to it.

Process documentation

  • Are all processes related to vendor electronic remote access security controls documented?
  • Have you reviewed all procedures, including determining, disabling, and detecting vendor electronic remote access?

Training and Awareness

  • Have relevant personnel been trained on the new requirements under CIP-003-9?
  • Have relevant personnel been trained on the process to disable vendor electronic remote access?

Vendor Communication

  • Have these changes been communicated to the vendors, and have they acknowledged their responsibilities, if applicable?
  • Are vendors aware of the new security controls and their role in maintaining compliance? This could involve updating contracts or service level agreements to reflect the new requirements.

Compliance and Controls

  • How are you planning to demonstrate and verify compliance with these new requirements?
  • Have you evaluated and identified any preventive, detective, or corrective controls?
  • Are there any triggers that would necessitate a review of the Section 6 methods (e.g., a vendor change, new electronic access, or a modification to a BES Cyber System)?

The updates made in CIP-003-9 respond to the increasing demand for robust controls on vendor electronic remote access to BES Cyber Systems. Organizations that incorporate these controls into their CIP programs will strengthen their overall security posture.

Have implementation or compliance questions? Contact HEROs at [email protected].

– Michael Spangenberg, Senior Risk Assessment and Mitigation Engineer CIP, MRO and Ryan McNamara, Senior Risk Assessment and Mitigation Engineer CIP, MRO