Ladies and Gentlemen:
Texas Regional Entity would like to clarify what we understand may be confusion regarding the required implementation of the recently approved CIP standards (CIP-002-1 through CIP-009-1). Only CIP-001 is already effective and all applicable registered entities must already be Audibly Compliant with CIP-001-1.
The implementation schedule for NERC Reliability Standards CIP-002-1 through CIP-009-1 is located at: ftp://www.nerc.com/pub/sys/all_updl/standards/rs/Revised_Implementation_Plan_CIP-002-009.pdf 
. Please note that Table 4 in the implementation schedule lists the required implementation dates for entities that were registered in 2007 or later. [In the ERCOT Region, only ERCOT ISO is required to comply with these CIP standards earlier than the dates listed in Table 4.] Please review this implementation schedule in detail, because one of the requirements (CIP-003-1, R2) has different required dates for compliance.
A registered entity’s compliance obligation dates are based upon the entity’s registration date with the NERC Compliance Registry. Except for CIP-003-1, R2 (which has earlier compliance dates), all registered entities except for ERCOT are required to begin the work to become compliant by their registration date, and they must be:
- Substantially Compliant with CIP-002-1 through CIP-009-1 by 12 months from registration,
- Compliant with CIP-002-1 through CIP-009-1 by 24 months from registration, and
- Audibly Compliant with CIP-002-1 through CIP-009-1 by 36 months from registration.
We understand that ERCOT ISO may have announced requirements for market participants to comply with certain requirements in CIP-004-1, prior to the effective date for the registered entity, in order for the entity’s personnel to access information from ERCOT systems through a digital certificate. ERCOT ISO market requirements will not cause a company that is otherwise not required to be compliant with a NERC Reliability Standard to be required to become compliant on an earlier date. (So an ERCOT or Protocol requirement will not subject an entity to NERC penalties for failure to comply with a standard on the earlier date.)
Please contact Tony Shiekhi if you have questions about your company's required implementation dates for these CIP standards. We will also be addressing this subject at tomorrow’s NERC Compliance Workshop.
Definitions
Begin Work means a Responsible Entity has developed and approved a plan to address the requirements of a standard, has begun to identify and plan for necessary resources, and has begun implementing the requirements. Substantially Compliant means an entity is well along in its implementation to becoming compliant with a requirement, but is not yet fully compliant. Compliant means the entity meets the full intent of the requirements and is beginning to maintain required “data,” “documents,” “documentation,” “logs,” and “records.” Auditably Compliant means the entity meets the full intent of the requirement and can demonstrate compliance to an auditor, including 12-calendar-months of auditable “data,” “documents,” “documentation,” “logs,” and “records.”
FERC Approval of Implementation Schedule
FERC approved the referenced NERC implementation schedule for the CIP-002-1 through CIP-009-1 standards in its January 18, 2008 Order 706, "Mandatory Reliability Standards for Critical Infrastructure Protection":
"86. The Commission adopts its CIP NOPR proposal and approves NERC’s implementation plan and time frames for responsible entities to achieve auditable compliance. Responsible entities require a reasonable period of time to purchase and install new cyber software and equipment and develop new programs and procedures to achieve compliance. Commenters indicate that the implementation plan provides that reasonable period of time. Further, we agree with commenters that there is an urgent need to move forward without any delays. Accordingly, we approve NERC’s implementation plan."
We look forward to seeing most of you tomorrow at our NERC Compliance Workshop.