Are you ready for NERC CIP-013?
Take the CIP-013 Challenge and find out!
What is your plan to address vendor incidents, remote access, vulnerabilities and patch verification? Take the CIP-013 Challenge and find out if you’ll be ready in time.
Power utilities share cybersecurity challenges
Collaboration is the answer!
Introducing the Asset To Vendor Network (A2V)
Check your preparedness
Select the time estimated for each step in the compliance process and find out whether your program will be ready in time for the October 1, 2020 deadline.
- Estimate volume for procurements related to medium and high impact BES Cyber Systems.
- Identify steps your organization will take to “identify and assess cyber security risk.”
- Decide how risk will be assessed (see A2V risk identification and assessment methodology).
NERC CIP-013-1 NATF implementation guidance, NATF supplier criteria, EEI model procurement language
NERC CIP-010-3, CIP-010-3 NATF Software Integrity & Authenticity
A2V achieves security beyond compliance
Access the latest and greatest in emerging industry requirements
Receive instant industry information and continuous updates
Reduce costs with our sharing model: 50% savings
A2V is a network of power utilities who benefit from:
- Shared costs of vendor risk assessments
- Cyber asset vulnerability patches
- Solutions to reduce duplication
- Compliance requirements
Utility determines the right level of assessment – for the vendor and the product.
A2V offers risk ranking analytics.
Utility submits the list of vendors requiring assessments.
Assessment availability and a “Scheduled” or “Not Scheduled” status are appended, with the respective dates.
The utility selects assessments for purchase, whether an existing assessment or a requirement to master a new one.
Consent to share assessments is obtained by A2V vendors.
For new assessments, A2V works with vendors to complete them.
New assessments (Masters) generate royalties of 75%, 65% and 50% on 1st, 2nd and 3rd+ sales, respectively.
Completed assessments are uploaded into the utility’s instance of the Fortress Platform, the A2V compliance system.
A2V Assessment Products
ASSET TO VENDOR
A2V is aligned to industry guidance for risk identification and assessment methodologies, especially to CIP-013-1.
Why vendor assessments?
NATF points out that “the ERO has endorsed the practice of a Responsible Entity obtaining an independent assessment of the vendor’s production of BES Cyber Systems and/or related services as a means of complying with CIP-013-1.” NATF suggests:
- Asking vendors to provide independent assessments.
- Evaluating the auditor’s qualifications and cyber security framework used to perform the assessment.
- Evaluating the scope and results of the assessment.
- Documenting the process, conclusions and mitigating actions.
ASSET TO VENDOR NETWORK
Founding utility members ensure the continued relevancy of A2V services to users of industrial control systems (ICS)
A2V is committed to helping American Electric Power and other leading utilities