North American Electric Reliability Corporation (NERC)

NERC overview

The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005 (US Public Law 109-58). NERC develops and enforces reliability standards known as NERC Critical Infrastructure Protection (CIP) standards.

If you're a bulk power system owner, operator, or user, you must comply with NERC CIP standards. You're also required to register with NERC. Cloud service providers and third-party vendors aren't subject to NERC CIP standards; however, the CIP standards include goals that should be considered when registered entities use vendors in the operation of the Bulk Electric System (BES).

As stated by NERC in the current set of CIP standards and NERC’s Glossary of Terms, BES Cyber Assets perform real-time functions of monitoring or controlling the BES, and would affect the reliable operation of the BES within 15 minutes of being impaired. To properly accommodate BES Cyber Assets and Protected Cyber Assets in a cloud environment, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).

Azure and NERC CIP standards

If you're operating a Bulk Electric System (BES), you're wholly responsible for ensuring your own compliance with NERC CIP standards. Neither Azure nor Azure Government constitutes a BES or BES Cyber Asset; however, both Azure and Azure Government are suitable for registered entities deploying certain workloads subject to compliance with NERC CIP standards, including BCSI workloads.

If you're a registered entity interested in deploying data and workloads subject to NERC CIP compliance obligations in Azure or Azure Government, you should review the following documents:

  • NERC CIP standards and cloud computing discusses compliance considerations for NERC CIP requirements based on established third-party audits that are applicable to cloud service providers such as FedRAMP. It covers background screening for cloud operations personnel, and answers common question about logical isolation and multi-tenancy that may be of interest to you. It also addresses security considerations for on-premises vs. cloud deployments.
  • Cloud implementation guide for NERC audits is a guidance document that provides control mapping between the current set of NERC CIP standards requirements and the National Institute of Standards and Technology (NIST) SP 800-53 control set that forms the basis for FedRAMP. It is written as a technical how-to guidance to help you address NERC CIP compliance requirements for your Azure assets. The document contains pre-filled Reliability Standard Audit Worksheets (RSAWs) narratives that help explain how Azure controls address NERC CIP requirements. It also contains guidance to help you use Azure services to implement controls that you own. You can download the Cloud implementation guide for NERC audits under a non-disclosure agreement (NDA) from the Service Trust Portal (STP). You must sign in to access this document on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Note

Information in this article, including all referenced guidance documents, is directly applicable to Azure only. For example, you should review this information if you're planning to deploy BCSI in Azure services or design an Azure application and deploy it on Azure or Azure Government. If you're interested in deploying BCSI in Office 365 (Microsoft 365), contact your Microsoft account team for assistance.

BCSI guidance

The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a registered entity’s process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed the Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI.

Based on the ERO issued practice guide and reviewed FedRAMP controls to ensure registered entities encrypt their data, no additional guidance or clarification is needed for registered entities to deploy BCSI and associated workloads in the cloud. However, if you're a registered entity subject to NERC CIP compliance obligations, you're ultimately responsible for compliance with NERC CIP standards according to your own facts and circumstances. You should review the Cloud implementation guide for NERC audits for help with documenting your processes and evidence used to authorize electronic access to BCSI storage locations, including encryption key management used for BCSI encryption in Azure and Azure Government.

Registered entities storing or processing BCSI on Azure or Azure Government should review pre-filled RSAW narratives for NERC CIP-004-6 and CIP-011-2 standards that are documented in the Cloud implementation guide for NERC audits.

Applicability

  • Azure
  • Azure Government

Attestation documents

Microsoft relies on Azure and Azure Government FedRAMP audits to furnish assurances to NERC registered entities that cloud controls relevant to NERC CIP standards requirements are operating effectively. Azure and Azure Government maintain FedRAMP High provisional authorizations to operate (P-ATO) issued by the Joint Authorization Board (JAB) in addition to more than 250 Moderate and High ATOs issued by individual federal agencies for the in-scope services. And while FedRAMP High in the Azure public cloud will meet the needs of many customers, Azure Government provides extra customer assurances through controls that limit potential access to systems processing customer data to screened US persons.

You can request Azure and Azure Government FedRAMP documentation directly from the FedRAMP Marketplace by submitting a package access request form. You must have a .gov or .mil email address to access a FedRAMP security package directly from FedRAMP.

Azure Commercial System Security Plan (SSP) is available from the Service Trust Portal (STP) Audit Reports - FedRAMP Reports section. You must sign in to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Select Azure Government FedRAMP documentation, including System Security Plan (SSP), continuous monitoring reports, Plan of Action and Milestones (POA&M), and so on, are available under NDA and pending access authorization from the Service Trust Portal Audit Reports - FedRAMP Reports section. Contact your Microsoft account representative for assistance.

Frequently asked questions

Who is responsible for compliance with NERC CIP standards?
If you're a bulk power system owner, operator, or user, you must comply with NERC CIP standards. You're also required to register with NERC. Cloud service providers and third-party vendors aren't subject to NERC CIP standards; however, the CIP standards include goals that should be considered when registered entities use vendors in the operation of the Bulk Electric System (BES). If you're operating a BES, you're wholly responsible for ensuring your own compliance with NERC CIP standards. Neither Azure nor Azure Government constitutes a BES or BES Cyber Asset.

How do NERC registered entities receive compliance assurances that cloud controls are operating effectively?
If you're a registered entity subject to NERC CIP compliance obligations, you're expected to rely on existing Azure and Azure Government FedRAMP authorizations as assurance that cloud controls owned by Microsoft and pertinent to NERC CIP requirements have been assessed and authorized by FedRAMP. It would be infeasible for a cloud service provider (CSP) to submit to a NERC audit and furnish control evidence each time a registered entity underwent a NERC audit. Rather, a CSP's existing FedRAMP authorization provides assurances that NIST-based control evidence produced by the CSP and mapped to NERC CIP requirements has already been examined by an accredited FedRAMP auditor. You and your NERC CIP auditor are expected to rely on FedRAMP authorizations rather than conduct your own individual audits of Azure or Azure Government.

What workloads can Registered Entities deploy on Azure and Azure Government?
BES Cyber Assets perform real-time functions of monitoring or controlling the BES – if impaired they would, within 15 minutes, affect the reliable operation of the BES. To properly accommodate BES Cyber Assets and Protected Cyber Assets in a cloud environment, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).

The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a registered entity’s process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI.

Based on the ERO issued practice guide and reviewed FedRAMP controls to ensure registered entities encrypt their data, no additional guidance or clarification is needed for registered entities to deploy BCSI and associated workloads in the cloud. However, if you're a registered entity subject to NERC CIP compliance obligations, you're ultimately responsible for compliance with NERC CIP standards according to your own facts and circumstances. You should review the Cloud implementation guide for NERC audits for help with documenting your processes and evidence used to authorize electronic access to BCSI storage locations, including encryption key management used for BCSI encryption in Azure and Azure Government.

How can Microsoft assist registered entities subject to CIP-013-1 Cyber Security - Supply Chain Risk Management?
NERC CIP-013-1 specifies that “each responsible entity shall develop one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems.” A BES Cyber System is composed of one or more BES Cyber Assets. If you're planning to deploy a high or medium impact BES Cyber System on Azure, you will need to demonstrate compliance with CIP-013-1. If you're an Azure or Azure Government customer, Microsoft can provide you with proper supply chain risk management assurances for your cloud-based assets:

  • NIST SP 800-161 is a comprehensive guidance for supply chain risk management practices. Azure and Azure Government maintain FedRAMP High authorizations to operate that are based on the NIST SP 800-53 control baseline. The System and Services Acquisition (SA) control family that is assessed during a FedRAMP audit provides detailed coverage for supply chain risk assessment, including the SA-12 control that is focused specifically on supply chain protection.
  • The current Azure and Azure Government NIST SP 800-53 implementations of SA-12 are in alignment with the NIST SP 800-161 recommendations, as assessed during Azure and Azure Government FedRAMP audits. Microsoft supply chain best practices are built into the procurement process to prevent and mitigate Information and Communication Technology (ICT) supply chain risks, such as insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the ICT supply chain. For more information, see Azure NIST SP 800-161 documentation.
  • Compliance with CIP-013-1 isn't required for BCSI deployment in the cloud.

Note

If you're enquiring about supply chain risk assessment for your on-premises deployed Windows servers and desktops, you should contact your Microsoft account representative for assistance with Windows supply chain risk management assurances. While CIP-013-1 inquiries and corresponding questionnaires are important, they're typically not related to Azure cloud services unless you're deploying high or medium impact BES Cyber Systems on Azure.

Can Microsoft furnish a Common Criteria certificate that I need to comply with NERC CIP-013-1 Cyber Security – Supply Chain Risk Management?
Yes, but not for Azure or any other Microsoft cloud service. Your request for Common Criteria certificate is likely not related to cloud services but is instead focused on your on-premises desktops and servers that normally run a Windows operating system. Common Criteria Certification isn't applicable to cloud services – it is intended to evaluate security functions in IT software and hardware products, for example, boxed software products such as Windows desktop or server operating systems. For more information, see Windows Common Criteria Certifications or contact your Microsoft account team for assistance with Windows supply chain risk management assurances.

Does Microsoft have a supply chain assurance program?
Yes. For more information about Microsoft supply chain assurances, see:

What is BES Cyber System Information (BCSI)?
The following definition is provided by NERC: BCSI is information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information doesn't include individual pieces of information that by themselves don't pose a threat or couldn't be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but aren't limited to: security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that isn't publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.

Can I store or process BCSI on Azure or Azure Government?
Yes. For more information, see BCSI guidance. If you're a registered entity subject to NERC CIP compliance obligations, you're ultimately responsible for compliance with NERC CIP standards according to your own facts and circumstances.

Resources