Critical Infrastructure Protection Standards FAQs
One of the main responsibilities of Texas Regional Entity (Texas RE) is to enforce North American Electric Reliability Corporation (NERC) Reliability Standards. However, Texas RE also provides information to the registered entities about the implementation of these standards. With the continual development of Critical Infrastructure Protection (CIP) standards, registered entities need up-to-date information.
On January 18, 2008, the Federal Energy Regulatory Commission (FERC) issued Order No. 706 approving eight CIP Reliability Standards (CIP-002-1 through CIP-009-1). The CIP standards require certain users, owners, and operators of the bulk-power system to comply with specific requirements to safeguard critical cyber assets.
Also in this section find information about Technical Feasibility Exceptions (TFEs). If you have any questions, concerns, or suggestions, please contact cybersec@texasre.org.
When do the CIP standards go into effect?
CIP Standards 002-009 became enforceable on June 1, 2006. The Electric Reliability Council of Texas (ERCOT) independent system operator (ISO) is the only entity for which the standards are currently enforceable, according to Table 1 of the NERC Implementation Plan for Cyber Security Standards CIP-002-1 through CIP-009-1 (available on the NERC Web site). Table 3 of the NERC Implementation Plan applies to the majority of our registered entities. CIP Standards 002-009 become enforceable for Table 3 at the “Compliant” date of the NERC Implementation Plan: December 31, 2009.
For information specific to your NERC registration, please refer to the NERC Implementation Plan. Go to the Reliability Standards section of the NERC site. Click Critical Infrastructure Protection (CIP); under CIP-002-1, Critical Cyber Asset Identification, find the Implementation Plan.
What determines which table a registered entity falls under in the NERC Implementation Plan for Cyber Security Standards CIP-002-1 through CIP-009-1?
The entity’s registration date with NERC and for what function(s) the entity registered with NERC (GO, GOP, TO, TP, DP, etc.) determine table affiliation.
What is a Technical Feasibility Exception?
With the issuance of Order No. 706, FERC noted generally that there is legacy equipment on the bulk power system that may not meet the CIP requirements on day one, and although equipment replacement will often be appropriate to comply with the CIP standards, such as in instances where equipment is near the end of its useful life, the possibility of being required to replace equipment before the end of its useful life is a valid concern. As a result, FERC proposed to allow, in the near term, exceptions from compliance based on the concept of “technical feasibility” (referred to as Technical Feasibility Exceptions, or TFEs) in a limited set of circumstances. FERC observed that exceptions may be recognized, not only for technical feasibility reasons, but also for operational and safety considerations.
What is the NERC process for TFEs?
Please refer to the NERC Compliance Process Bulletin #2009-007, Amended Interim Approach to Technical Feasibility Exceptions.
For more information about proposed Appendix 4D to the NERC Rules of Procedure - Technical Feasibility Exception, please visit the NERC Web site.
What are the specific requirements in CIP-002 through CIP-009 to which a TFE may apply?
The following are the applicable requirements:
- CIP-005-1/R2.4
- CIP-005-1/R2.6
- CIP-005-1/R3.1
- CIP-005-1/R3.2
- CIP-007-1/R2.3
- CIP-007-1/R4
- CIP-007-1/R5.3.1
- CIP-007-1/R5.3.2
- CIP-007-1/R5.3.3
- CIP-007-1/R6
- CIP-007-1/R6.3
What are the qualifying considerations for a TFE?
The following are some, but not all, of the considerations that may qualify an entity as eligible for a TFE:
- Strict compliance with an applicable requirement
  - is not technically feasible;
  - is not operationally feasible;
  - is precluded by technical limitations; or
  - could adversely affect the reliability of the BES.
- While technically and operationally feasible, strict compliance cannot be achieved by the compliance due date due to such factors as
  - scarce technical resources;
  - limited availability of required equipment or components; or
  - need to construct, install, or modify equipment during planned outages.
- Strict compliance cannot be achieved without
  - safety risks or issues that outweigh the reliability benefits;
  - conflicting with, or causing the entity to be non-compliant with, a separate statutory or regulatory requirement that cannot be waived;
  - incurring costs that exceed the benefits of compliance.
What does my organization need to know when submitting a TFE request to Texas RE?
A TFE request must be submitted for each applicable requirement pertaining to a covered asset. The submitting entity may group multiple, similar covered assets into one submission, for example:
- same asset type in multiple locations;
- same basis for TFE request;
- same compensating and/or mitigating measures; and/or
- similar proposed expiration dates for the TFE.
The TFE Request Form Part A is submitted on the Texas Regional Entity Portal. Refer to Portal Training for instructions. Texas RE will contact the entity regarding secure submission of the TFE Request Form Part B and mitigation plan if Texas RE accepts TFE Request Form Part A as a valid TFE request.
What guidance is available on deciding whether a registered entity has critical assets?
CIP Standard CIP-002-1 calls for registered entities to develop and implement a “risk-based assessment methodology” for determining critical assets.
The Critical Infrastructure Protection Committee (CIPC) has drafted a guide to facilitate this process. It can be found in the CIPC agenda of the June 8, 2008, meeting in Toronto.
Please visit the Electricity Sector Information Sharing and Analysis Center, maintained by NERC, for security guidelines.
What happens if a plant becomes a critical asset? What happens if a plant is no longer a critical asset?
Per CIP Standard 002-1, an entity may identify an asset as critical based on risk-based assessment. If an asset is reclassified as critical, the registered entity must self-report this change to Texas RE.
If an entity’s facility is removed from the critical asset list, the entity must self-report the change to Texas RE.
Find CIP Standard 002-1 on the NERC Reliability Standards page of the NERC site.
Visit the Self-Reporting page on this site for more information on submitting a self-report.
What kind of compliance reporting is expected, and when will an entity have to complete it?
Under the NERC Implementation Plan for Standards CIP-002-1 through CIP-009-1, an entity’s compliance reporting schedule is determined by which table (Tables 1-4) the entity falls under.
For information specific to your NERC registration, please refer to the NERC Implementation Plan. Go to the Reliability Standards section of the NERC site. Click Critical Infrastructure Protection (CIP); under CIP-002-1, Critical Cyber Asset Identification, find the Implementation Plan.
How does an entity report cyber security incidents to the ES-ISAC (Electricity Sector Information Sharing and Analysis Center)?
Registered entities must register with the Critical Infrastructure Protection Information System (CIPIS) to report incidents directly to the ES-ISAC. Register at https://www.nerc.net/MyAccount/.
I need more information about NERC Alerts. How do I find out more?
Visit About NERC Alerts on the NERC site.
Organizations are required to ensure that the following contacts have been identified and are receiving NERC Alerts:
- Generation Engineering Contact
- Physical Security Officer Contact
- System Operator Contact
- System Protection Contact
- Chief Security Officer Contact
- Cyber Security Control System Contact
- Cyber Security Corporate IT Contact
- Transmission Engineering Contact
- Transmission Planning Contact
How do I update my organization’s NERC Alert contacts?
For NERC registered entities, NERC Alert contacts are set up and updated through the Texas Regional Entity Portal. Texas RE recommends that your organization set up a NERC Alerts distribution list. In the portal, one contact record would be created under the name of the person responsible for maintaining the distribution list. All the NERC Alert roles are assigned to that one contact record.
Your organization’s Master Account Administrator can set up this contact record on the portal. If you do not know who the MAA is, please contact information@texasre.org.