North American Electric Reliability Corporation (NERC)

NERC overview

The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005 (US Public Law 109-58). NERC develops and enforces reliability standards known as NERC Critical Infrastructure Protection (CIP) standards.

If you are a bulk power system owner, operator, or user, you must comply with NERC CIP standards. You are also required to register with NERC. Cloud service providers and third-party vendors are not subject to NERC CIP standards; however, the CIP standards include goals that should be considered when registered entities use vendors in the operation of the Bulk Electric System (BES).

As stated by NERC in the current set of CIP standards and NERC’s Glossary of Terms, BES Cyber Assets perform real-time functions of monitoring or controlling the BES, and would affect the reliable operation of the BES within 15 minutes of being impaired. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and do not fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).

Azure and NERC CIP standards

If you are operating a Bulk Electric System (BES), you are wholly responsible for ensuring your own compliance with NERC CIP standards. Neither Azure nor Azure Government constitutes a BES or BES Cyber Asset; however, both Azure and Azure Government are suitable for registered entities deploying certain workloads subject to NERC CIP standards, including BCSI workloads.

If you are a registered entity interested in deploying data and workloads subject to NERC CIP compliance obligations in Azure or Azure Government, you should review the following documents:

  • NERC CIP Standards and Cloud Computing is a white paper that discusses compliance considerations for NERC CIP requirements based on established third-party audits that are applicable to cloud service providers, such as FedRAMP. It covers background screening for cloud operations personnel and answers common questions about logical isolation and multi-tenancy that may be of interest to you. It also addresses security considerations for on-premises vs. cloud deployments.
  • Cloud Implementation Guide for NERC Audits is a guidance document that provides control mapping between the current set of NERC CIP standards requirements and the NIST SP 800-53 control set that forms the basis for FedRAMP. It is written as a technical how-to guide to help you address NERC CIP compliance requirements for your Azure assets. The document contains pre-filled Reliability Standard Audit Worksheet (RSAW) narratives that help explain how Azure controls address NERC CIP requirements. It also contains guidance to help you use Azure services to implement controls that you own.

Note

Information in this article, including all referenced guidance documents, is directly applicable to Azure only. For example, you should review this information if you are planning to deploy BCSI in Azure services or design an Azure application and deploy it on Azure or Azure Government. If you are interested in deploying BCSI in Office 365 (Microsoft 365), contact your Microsoft account team for assistance.

Additional resources for NERC CIP compliance

The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a registered entity’s process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI.

Based on the ERO-issued practice guide and the reviewed FedRAMP controls that ensure registered entities encrypt their data, no additional guidance or clarification is needed for registered entities to deploy BCSI and associated workloads in the cloud. However, if you are a registered entity subject to NERC CIP compliance obligations, you are ultimately responsible for compliance with NERC CIP standards according to your own facts and circumstances. You should review the Cloud Implementation Guide for NERC Audits for help with documenting your processes and the evidence used to authorize electronic access to BCSI storage locations, including the encryption key management used for BCSI encryption in Azure and Azure Government.

Applicability

  • Azure
  • Azure Government

Attestation documents

Microsoft relies on Azure and Azure Government FedRAMP audits to furnish assurances to NERC registered entities that cloud controls relevant to NERC CIP standards requirements are operating effectively. Azure and Azure Government maintain FedRAMP High provisional authorizations to operate (P-ATO) issued by the Joint Authorization Board (JAB), in addition to more than 100 Moderate and High ATOs issued by individual federal agencies for the in-scope services. While FedRAMP High in the Azure public cloud will meet the needs of many customers, Azure Government provides additional customer assurances through controls that limit potential access to systems processing customer data to screened US persons.

Select FedRAMP documentation, including System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, is available under a non-disclosure agreement and pending access authorization from the Service Trust Portal Audit Reports - FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Frequently asked questions

Who is responsible for compliance with NERC CIP standards?
If you are a bulk power system owner, operator, or user, you must comply with NERC CIP standards. You are also required to register with NERC. Cloud service providers and third-party vendors are not subject to NERC CIP standards; however, the CIP standards include goals that should be considered when registered entities use vendors in the operation of the Bulk Electric System (BES). If you are operating a BES, you are wholly responsible for ensuring your own compliance with NERC CIP standards. Neither Azure nor Azure Government constitutes a BES or BES Cyber Asset.

How do NERC registered entities receive compliance assurances that cloud controls are operating effectively?
If you are a registered entity subject to NERC CIP compliance obligations, you are expected to rely on existing Azure and Azure Government FedRAMP authorizations as assurance that cloud controls pertinent to NERC CIP requirements are assessed and authorized by the FedRAMP program. It would be infeasible for a cloud service provider (CSP) to submit to a NERC audit and furnish control evidence each time a registered entity underwent a NERC audit. Rather, a CSP's existing FedRAMP authorization provides assurances that NIST-based control evidence produced by the CSP and mapped to NERC CIP requirements has already been examined by an accredited FedRAMP auditor. You and your NERC CIP auditor are expected to rely on FedRAMP authorizations rather than conduct your own individual audits of Azure or Azure Government.

What workloads can registered entities deploy on Azure and Azure Government?
BES Cyber Assets perform real-time functions of monitoring or controlling the BES; if impaired, they would affect the reliable operation of the BES within 15 minutes. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and do not fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).

The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a registered entity’s process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI.

Based on the ERO-issued practice guide and the reviewed FedRAMP controls that ensure registered entities encrypt their data, no additional guidance or clarification is needed for registered entities to deploy BCSI and associated workloads in the cloud. However, if you are a registered entity subject to NERC CIP compliance obligations, you are ultimately responsible for compliance with NERC CIP standards according to your own facts and circumstances. You should review the Cloud Implementation Guide for NERC Audits for help with documenting your processes and the evidence used to authorize electronic access to BCSI storage locations, including the encryption key management used for BCSI encryption in Azure and Azure Government.

How can Microsoft assist registered entities subject to CIP-013-1 Cyber Security - Supply Chain Risk Management?
NERC CIP-013-1 specifies that “each responsible entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.” A BES Cyber System is composed of one or more BES Cyber Assets. If you are planning to deploy a high or medium impact BES Cyber System on Azure, you will need to demonstrate compliance with CIP-013-1. If you are an Azure or Azure Government customer, Microsoft can provide you with proper supply chain risk management assurances.

  • Compliance with CIP-013-1 is not required for BCSI deployment in the cloud.
  • If you are inquiring about supply chain risk assessment for your on-premises Windows servers and desktops, you should contact your Microsoft account representative for assistance with Windows supply chain risk management assurances. While these inquiries and the corresponding questionnaires that you need to fill out are important, they are not related to Azure cloud services.

NIST SP 800-161 provides comprehensive guidance on supply chain risk management practices. Azure and Azure Government maintain FedRAMP High authorizations to operate that are based on the NIST SP 800-53 control baseline. The System and Services Acquisition (SA) control family that is assessed during a FedRAMP audit provides detailed coverage of supply chain risk assessment, including the SA-12 control, which is focused specifically on supply chain protection.

The current Azure and Azure Government NIST SP 800-53 implementations of SA-12 are in alignment with the NIST SP 800-161 recommendations, as assessed in the course of Azure and Azure Government FedRAMP audits. Microsoft supply chain best practices are built into the procurement process to prevent and mitigate Information and Communication Technology (ICT) supply chain risks, such as insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the ICT supply chain. For more information, see Azure NIST SP 800-161 documentation.

Can Microsoft furnish a Common Criteria certificate that I need to comply with NERC CIP-013-1 Cyber Security - Supply Chain Risk Management?
Yes, but not for Azure or any other Microsoft cloud service. Your request for a Common Criteria certificate is likely not related to cloud services but is instead focused on your on-premises desktops and servers, which normally run a Windows operating system. Common Criteria certification is not applicable to cloud services: it is intended to evaluate security functions in IT software and hardware products, for example, boxed software products such as Windows desktop or server operating systems. For more information, see Windows Common Criteria Certifications, or contact your Microsoft account team for assistance with Windows supply chain risk management assurances.

Resources