Get documents about "NERC LSE Standards Classification
Document Sample
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
NERC LSE Standards - Classification
Responsible Entity
C B A D
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
BAL-005-0 R1. All generation, transmission, and load /EIL Brazos, CenterPoint, and Sharyland Utilities: General introductory statement - not a specific requirement
operating within an Interconnection must The term All is used. There is no "all" that relates to Transmission Owners because TOs do not see
be included within the metered everything. It also states within the metering boundaries, which is only ERCOT. This can only apply to
boundaries of a Balancing Authority ERCOT as the BA.
Area.
College Station: Responsibility should be shifted to ERCOT ISO. The term "all" is used. There is no "all"
that relates to Transmission Owners because TOs do not see everything. It also states within the metering
boundaries which is only ERCOT. This can only apply to ERCOT as the BA.
X
Georgetown: A DP should be assigned this.
AEP:ERCOT would be in a better position to ensure this information was included within the metered
boundaries of the Balancing Authority Area.
CPS: Responsibility for compliance with this standard resides with ERCOT, as the BA. CPS Energy
generally agrees with Brazos, CNP, SU, AEP & College Station. (BA, GOP, TOP, LSE).
BAL-005-0 R1.3. Each Load-Serving Entity with load Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities: Entity A shall ensure that its load in ERCOT is included within the metered boundries of Entity A must ensure and be able to demonstrate (via ensure loads are in BA
operating in an Interconnection shall ERCOT receives information and is already responsible for these requirements as BA and TOP. TOs have the ERCOT ISO Balancing Authority area. map or otherwise) that its lines/meters are within the Area
ensure that those loads are included ownership of the meters for the loads within specific areas of the State. The TOs submit the meter data to ERCOT BA Area.
within the metered boundaries of a ERCOT. All meter installations are approved by ERCOT to ensure that they are within the meter
Balancing Authority Area. boundaries. Tell by which substation or transmission line you've
Georgetown: A DP should be assigned this. connected to and whether that substation/transmission
AEP: ERCOT would be in a better position to ensure this information was included within the metered line is within ERCOT or not. Electrical map. List of
boundaries of the Balancing Authority Area. TOs support ERCOT by providing the meter data. substations attached to grid.
ERCOT ISO: The TOs and DPs shall perform the LSE requirements for BAL-005-0 R1.3.
X X The TOs and DPs shall verify the load is in the ERCOT Interconnection or other Balancing Authority Area ERCOT has lists of substation, ALDR, modeling, etc.
upon installation of electric service. ESIID somewhere in that data tells you which
**possibly explain the way to prove compliance as a one line that maps the meter to a transmission level substation. What does TO have to show compliance?
bus** IDR report from ERCOT monthly that shows the
CPS: see BAL-005 R1. If ERCOT needs additional detail from from an entity performing the "LSE" ESIIDs are accepted. One line diagram and
function (for example, a TO w/JRO with ERCOT), then that entity must make such documentation available interconnection agreement has been accepted for
to show the meter EZ-ID's are located within ERCOT's boundary. ERCOT can also refer to the SSWG Base GOP on audits (NextEra).
Cases and the annual ALDRs.
ERCOT ISO: ERCOT ISO is not the appropriate entity to be registered as the LSE for this standard
requirement. The requirements apply to Generators as GOP, Transmission as TOP, and Load. With respect
to the LSE obligation, the entity that installs the meter is best informed with respect to the load location
relative to the ERCOT BA area.
Accordingly, the owners of the meters, presumably the DPs or TOs, should be registered as the LSE for
this standard/requirement. This should not be difficult for TOs since they are obligated to provide this
information under R1.1 – if the TO can meet R1, then the TO can meet R1.3.
Furthermore, the requirement refers to “a” BA area, not the ERCOT BA area. ERCOT is in no position to
understand which BA area the load may fall within.
The issue was raised during discussions that ERCOT has ESI IDs and can, therefore, meet this requirement.
However, ERCOT ISO does not have mappings to individual meters, and with respect to ESI ID information,
ESI IDs are established by TDSP per Protocol Section 15. Therefore, those entities are best situated to
understand the location of loads relative to BA areas.
CIP-001-1 R1. Each Reliability Coordinator, Balancing Lume: The QSE with LaaR and/or EIL will have procedures for the recognition of and for making their 1. Each Entity A and Entity B must have procedures for the recognition of and for making Do Laar and EILS have EI IDs? Besides Entity A and have procedures
Authority, Transmission Operator, operating personnel aware of sabotage events on its QSE facilities and a document from the LaaR or EIL their operating personnel aware of sabotage events at the Entity A or Entity B facilities. Entity B documentation, Entity B with Laar or EILS >
Generator Operator, and Load-Serving stating that they have an appropriate internal procedure addressing sabotage events for the electrical 2. Any Entity B that represents a LaaR or EILS resource with an electric service 25 MW needs documentation (form, procedure,
Entity shall have procedures for the interruption equipment at their facility. identifier (ES-ID)that has peak curtailable load of greater than 25 MW at the LaaR or statement) that LaaR or EILS could provide to Entity
recognition of and for making their EILS facility; must confirm that such LaaR or EILS resource has documented that such B to show that Laar or EILS has a procedure.
operating personnel aware of sabotage Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities Laar or EILS resource (a) will notify Entity B in case of a sabotage event, and (b) has
events on its facilities and multi site APPLIES TO ERCOT: Conduct procedures in Security Plan developed under governance of ERCOT ROS. procedures to make its personnel aware of the requirement and process for reporting
sabotage affecting larger portions of the Maintain and make available to appropriate entities the System Security Response Group ("SSRG") sabotage events.
Interconnection. distribution list. Implement ERCOT Shift Supervisor procedure 1.3.3 for Hot line Conference Call
Instructions to trigger SSRG calls.
APPLIES TO TOs: Follow procedures in Security Plan developed under governance of ERCOT Reliability
X X and Operation Subcommittee (“ROS”). Provide information to ERCOT ISO to maintain System Security
Response Group (“SSRG”) distribution list. TOs must have their own written set of recognition and
awareness procedures to compliment the Security Plan and the SSRG calls.
CPS: (RC, BA, TOP, GOP, LSE) CPS Energy agrees with B, CS, O, CNP, SU. Each entity must
responsible for meeting this standard. In addition, ERCOT, as RC, BA and TOP, must be responsible for
multi-service area sabatoge events, and document how it coordinates with each GOP & LSE(JRO w/TO,
GO, or other as needed to verify no gaps). Each LSE JRO entity must have procedures to satify CIP-001
requirements for their facilities (Recognition, Awareness, communication, reporting, & FBI
communicaations & procedures). Tim Soles - "sabotage events on Entity A or Entity B", should say
"AT" not "ON". In 2., use "LAAR or EILS facility" instead of "Its facility".
Clarify that must also have procedure that they make their personnel aware. Can be clear that QSE is not
going to be overseeing LaaR or EILS sabotage communication training. unclear as to whether it applies to:
BP Energy: With respect to QSEs with LAAR/EILS, CIP-001-1 R.1 is
(1) QSEs and their facilities and systems; or (2) LAAR/EILS and their facilities and systems; or (3) the
facilities and systems of both QSEs and LAAR/EILS. This lack of clarity could lead to confusion as to
which party has which reliability responsibilities. QSEs should only be expected to pass on
communications regarding sabotage events that are received from a LAAR or EILS entity. With respect to
the obligations between QSEs and the LAAR/EILS they serve, the Joint Registration Organization (“JRO”)
agreement should make clear that a QSE is only required to train its (i.e., the QSE’s) staff to communicate
to the ERCOT ISO any sabotage events identified by LAAR or EILS and to communicate back any
applicable the ERCOT ISO directives to LAARs and EILS. QSEs should not be responsible for training the
employees of LAAR or EILS entities to recognize and identify sabotage events. Such an obligation would
unduly burden QSEs by requiring them to indentify and train such individuals in another company with
whom they otherwise have no, or minimal, contact and may not have the legal right to conduct such
activities. Furthermore, QSEs do not necessarily have the authority or ability to dictate procedures
regarding safety to LAAR/EILS. The TRE should provide guidance on what it deems to be sufficient
evidence to prove compliance with the requirement.
Formosa: It is my understanding that any physical security reporting will be for the QSE office where the
planning and communications takes place, not at the Resource site with EILS/LAAR/Gen. This would be
all office equipment and cyber security, but cyber security regulations (CIP2 to 9) are not on this NERC
compliance check list for QSE Responsibility. Is this to come later? Physical and cyber security are very
much intertwined. Most likely any threat will be cyber. Not that I want more work, but how do you separate
the two and only have physical security?
Oxy: The JRO Agreement (the "Agreement") should state specifically that "facilities" and "sabotage" refer
to the QSE's operations center. In addition, the Agreement should explain that the language "multi site
sabotage affecting larger portions of the Interconnection" is not applicable to QSEs. Suggested language:
Pursuant to this JRO Agreement, QSE w/LaaR assumes the LSE duties in CIP-001, R1 on the basis that the
terms "facilities," "sabotage," and "operating personnel" refer to the operations location of the QSE itself
and not to the LaaR location(s). Also, the multi site sabotage language in the last sentence of R1 is not part
of the LSE duties assumed by the QSE w/LaaR.
Georgetown: As the TOP is already responsible for this, they should be registered with responsibilities of
collecting information from TO's and notifications. The TO should also be registered with responsibilities
to report to the TOP.
CIP-001-1 R2. Each Reliability Coordinator, Balancing Lume: The QSE with LaaR and/or EIL will have procedures for notifying ERCOT if a sabotage event is 1. Each Entity A and Entity B must have procedures for communicating to ERCOT ISO Besides Entity A and Entity B documentation, Entity B have procedure
Authority, Transmission Operator, discovered at the QSE facilities or if the LaaR or EIL notifies the QSE that a sabotage event occurred at the the information concerning sabotage events at their facilities . 2. Any Entity B that with Laar or EILS > 25 MW needs documentation
Generator Operator, and Load-Serving electrical interruption equipment at the load’s facility. The QSE will have a document from the LaaR or EIL represents a LaaR or EILS resource with an electric service identifier (ES-ID)that has (form, procedure, statement) that LaaR or EILS could
Entity shall have procedures for the stating that they have an appropriate internal procedure addressing proper communication surrounding peak curtailable load of greater than 25 MW at the LaaR or EILS facility must confirm provide to Entity B to show that Laar or EILS has a
communication of information sabotage events of the electrical interruption equipment at their facility. that such LaaR or EILS resource has documented that such Laar or EILS resource will procedure.
concerning sabotage events to notify Entity B in case of a sabotage event.
appropriate parties in the Brazos, Oncor, College Station, CenterPoint, and Sharyland Utilities:
Interconnection. APPLIES TO ERCOT: Conduct procedures in Security Plan developed under governance of ERCOT ROS.
Maintain and make available to appropriate entities the System Security Response Group ("SSRG")
X X distribution list. Implement ERCOT Shift Supervisor procedure 1.3.3 for Hot line Conference Call
Instructions to trigger SSRG calls. APPLIES TO TOs: Follow procedures in Security Plan developed under
governance of ERCOT Reliability and Operation Subcommittee (“ROS”). Provide information to ERCOT
ISO to maintain System Security Response Group (“SSRG”) distribution list. TOs must have their own
written set of recognition and awareness procedures to compliment the Security Plan and the SSRG calls.
CPS: See CIP-001 R1 response
BP Energy: The JRO should clarify that QSEs with LAAR/EILS are only responsible for conveying \
information regarding sabotage events to the ERCOT ISO (and not to other parties) if the LAAR/EILS
informs its QSE of such events. Furthermore, QSEs should not be responsible for information that is not
communicated to them. Similarly, QSEs should not be held responsible for the accuracy or validity of the
information provided to them by LAAR/EILS. Additionally, the JRO should make clear that QSEs are not
responsible for ensuring that LAAR/EILS adopt their own reporting procedures. While QSEs facilitate
communication between the ERCOT ISO and LAAR/EILS, that fact should not relieve the LAAR/EILS from
their obligation to take appropriate actions in response to sabotage events. Furthermore, CIP-001-1 R.2
does not clearly define the “appropriate parties” to whom information regarding sabotage events must be
reported. Given the function of QSEs in the ERCOT ISO, QSEs should only be required to notify the
ERCOT ISO of such sabotage events.
Oxy: The Agreement should state specifically that the "procedures" referred to in CIP-001, R2 means a
procedure(s), call list(s), or contract requirement maintained by the LaaR that requires the LaaR to notify
the associated QSE of unavailability due to a potential sabotage event. Suggested language: Pursuant to this
JRO Agreement QSE w/Laar, assumes the LSE duties in CIP-002, R2 on the basis that the "procedures" for
communications referred to in R2 means a procedure(s), call list(s), or contract that requires the LaaR to
notify the associated QSE of unavailability of the resource due to a potential sabotage event and that the
"appropriate parties in the Interconnections" means that the QSE will notify ERCOT after being notified by
the LaaR of the potential sabotage event. Any non-performance by the LaaR resource would not be imputed
to the QSE as a violation of R2.
Georgetown: As the TOP is already responsible for this, they should be registered with responsibilities
of collecting information from TO's and notifications. The TO should also be registered with
responsibilities to report to the TOP.
Formosa: In order for the appropriate Interconnection parties to be notified of a sabotage events, the
EILS/LAAR/Generation Resource needs to include their TSP, QSE and/or sub QSE in the reporting contact
list. Therefore, the QSE and sub-QSE will need to get the Resource to update their security reporting
SOP's with new emergency notification contacts for the QSE and/or sub-QSE and TSP. Does the QSE have
that authority?
CIP-001-1 R3. Each Reliability Coordinator, Balancing Lume: The QSE with LaaR and/or EIL will have sabotage response guidelines, including personnel to 1. Each Entity A and Entity B must provide its operating personnel with sabotage Entity B shall an appropriate procedure from the LaaR provide personnel with
Authority, Transmission Operator, contact, for reporting disturbances due to sabotage events. The QSE will have a document from the LaaR or response guidelines, including personnel to contact (must contact ERCOT ISO), for or EILS or have a document or contractual agreement response guidelines
Generator Operator, and Load-Serving EIL stating that they have an appropriate internal procedure addressing proper communication surrounding reporting disturbances due to sabotage events. 2. Any Entity B that represents any LaaR from or with the LaaR or EILS stating that the LaaR or
Entity shall provide its operating sabotage events of the electrical interruption equipment at their facility. or EILS that have a curtailable peak load of greater than 25 MW at a facility must have EILS has an appropriate internal procedure regarding
personnel with sabotage response Brazos, College Station, Oncor CenterPoint, Sharyland Utilities: documentation showing that such LaaR or EILS has sabotage reporting guidelines to sabotage response guidelines including addressing
guidelines, including personnel to APPLIES TO ERCOT: Governing policy for sabotage reporting shall be Corporate Standard (“CS”) 7.8.1. notify the Entity B of disturbances due to sabotage events at the LaaR or EILS facility. proper communication surrounding sabotage events of
contact, for reporting disturbances due to APPLIES TO TOs: TOs shall have their own written set of response guidelines and reporting procedures. the electrical interruption equipment at its facility.
sabotage events. Oxy: The Agreement should state specifically that the terms "sabotage" and "operating personnel" refer to
the QSE location and not the LaaR location. Suggested language: Pursuant to this JRO Agreement,QSE
w/LaaR assumes the LSE duties in CIP-001, R3 on the basis that the "sabotage" and "operating
personnel" referred to in R3 means sabotage to facilities and operating personnel of the QSE
X X operations location and not the LaaR location(s).
Georgetown: As the TOP is already responsible for this, they should be registered with responsibilities of
collecting information from TO's and notifications. The TO should also be registered with responsibilities
to report to the TOP.
Farmosa: Same as R1 above, for the QSE office, physical and cyber security are greatly intertwined.
CPS: See CIP-001 R1 response
Texas RE - February 27, 2009 Page 1 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
/EIL BP Energy: Any response guideline applicable to QSEs should only apply to a QSE’s facilities. Typically,
such facilities would be comprised of a QSE’s communication systems (i.e., computer and telephone
systems).
QSEs that serve LAAR/EILS should not be required to provide the personnel of the LAAR/EILS “sabotage
response guidelines, including personnel to contact, for reporting disturbances due to sabotage events.” In
the event that LAAR/EILS observe a sabotage event, the personnel of the LAAR/EILS should be encouraged
to directly contact the appropriate authorities. Waiting for a QSE to act as an intermediary between a
LAAR/EILS and appropriate law enforcement authorities will delay the time in which such information is
reported and acted upon.
As noted in response to CIP-001-1 R.2, the QSE’s role should be to notify the ERCOT ISO of any sabotage
event conveyed to the QSE by its LAAR/EILS. While LAAR/EILS need to contact the QSE (and such
contact is provided for in CIP-001-1 R.2), they also should have their own procedures to contact the
appropriate authorities in the event they observe a sabotage event. LAAR/EILS should not view a
communication with the QSE as the sole necessary communication during a suspected sabotage event.
TRE and/or the JRO should provide Responsible Entities time to implement the necessary procedures to
adopt this requirement. Throughout this implementation process, Responsible Entities should be permitted
to work with the TRE to fine-tune the implementation of the necessary standards and procedures. During
the implementation of these new standards and requirements, TRE should provide feedback regarding what
constitutes compliance with the standards and requirements (i.e., what type of documentation needs to be
provided and what type of procedure constitutes compliance).
CIP-001-1 R4. Each Reliability Coordinator, Balancing Lume: The QSE with LaaR and/or EIL shall establish communications contacts, as applicable, with local 1. Each Entity A and Entity B shall establish communications contact with local Federal Entity B shall an appropriate procedure from the LaaR
Authority, Transmission Operator, Federal Bureau of Investigation (FBI) officials and develop reporting procedures as appropriate to their Bureau of Investigation (FBI) and develop reporting procedures as appropriate to their or EILS or have a document or contractual agreement
Generator Operator, and Load-Serving circumstances if a sabotage event is discovered at the QSE facilities or if the LaaR or EIL notifies the QSE circumstances. 2. Any Entity B that represents LaaR or EILS that have a curtailable peak from or with the LaaR or EILS stating that the LaaR or
Entity shall establish communications that a sabotage event occurred at the electrical interruption equipment at the load’s facility. load of greater than 25 MW at a facility must require that Laar or EILS to establish EILS has established these contacts and procedures.
contacts, as applicable, with local communication contacts with local FBI and develop reporting procedures as appropriate
Federal Bureau of Investigation (FBI) or Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities: to their circumstances. 3. Entity B shall have a document from the LaaR or EILS stating
Royal Canadian Mounted Police APPLIES TO ERCOT: Governing policy for sabotage reporting shall be Corporate Standard (“CS”) 7.8.1. that the Laar or EILS have established the applicable communication contact and have
(RCMP) officials and develop reporting APPLIES TO TOs: TOs shall have their own written set of response guidelines and reporting procedures. developed reporting procedures as appropriate to thier circumstances.
procedures as appropriate to their X X
circumstances. Oxy: No comments. Suggested Language: Pursuant to this JRO Agreement, the QSE w/LaaR assumes
the LSE duties in CIP-001, R4.
CPS: See CIP-001 R1 response
BP Energy: The JRO should make clear that CIP-001-1 R.4 only applies to the facilities a QSE uses in its
day-to-day business and should not obligate a QSE to take actions on behalf of others. The TRE should
encourage all applicable entities, including LAAR/EILS if appropriate, to establish contacts with applicable
law enforcement to enable the expedient reporting of sabotage information. It will be helpful if TRE would
further explain who in the FBI would be the appropriate contact for such communications. Additionally, it
would be helpful to know what the requirement means by the term “establish communications contacts.”
CIP-002-1 R1. Critical Asset Identification Method — Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Each Entity A shall identify and document a risk-based assessment methodology to use to
The Responsible Entity shall identify and Already apply to TOs. identify its Critical Assets.
document a risk-based assessment
methodology to use to identify its LCRA: Performed as Trasmission Owner (TO)
Critical Assets. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.1. The Responsible Entity shall maintain Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Each Entity A shall maintain documentation describing its risk-based assessment
documentation describing its risk-based Already apply to TOs. methodology that includes procedures and evaluation criteria.
assessment methodology that includes
procedures and evaluation criteria. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2. The risk-based assessment shall consider Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A's risk-based assesment shall consider the following assets:
the following assets: Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.1 Control centers and backup control Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A's control centers and backup control centers performing the functions of the
. centers performing the functions of the Already apply to TOs. entities listed in the Applicability section of this standard.
entities listed in the Applicability section
of this standard. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.2 Transmission substations that support the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. reliable operation of the Bulk Electric Already apply to TOs.
System.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.3 Generation resources that support the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. reliable operation of the Bulk Electric Already apply to TOs.
System.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.4 Systems and facilities critical to system Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. restoration, including blackstart Already apply to TOs.
generators and substations in the
electrical path of transmission lines used LCRA: Performed as Trasmission Owner (TO)
for initial system restoration. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.5 Systems and facilities critical to Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. automatic load shedding under a common Already apply to TOs.
control system capable of shedding 300
MW or more. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.6 Special Protection Systems that support Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. the reliable operation of the Bulk Already apply to TOs.
Electric System.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R1.2.7 Any additional assets that support the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. reliable operation of the Bulk Electric Already apply to TOs.
System that the Responsible Entity
deems appropriate to include in its LCRA: Performed as Trasmission Owner (TO)
assessment. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid..
CIP-002-1 R2. Critical Asset Identification — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall develop a list of Already apply to TOs.
its identified Critical Assets determined
through an annual application of the risk- LCRA: Performed as Trasmission Owner (TO)
based assessment methodology required
in R1. The Responsible Entity shall X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
review this list at least annually, and up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
update it as necessary. TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid.
In addtion ERCOT (as RC, BA, and TOP) must show overall ERCOT wide Critical Asset list & that it is
updated annually.
CIP-002-1 R3. Critical Cyber Asset Identification — Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Using the list of Critical Assets Already apply to TOs.
developed pursuant to Requirement R2,
the Responsible Entity shall develop a LCRA: Performed as Trasmission Owner (TO)
list of associated Critical Cyber Assets
essential to the operation of the Critical CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
Asset. Examples at control centers and up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
backup control centers include systems TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid.
and facilities at master and remote sites In addition, ERCOT (as RC, BA, and TOP) must show its CCA list & process.
that provide monitoring and control, X
automatic generation control, real-time
power system modeling, and real-time
interutility data exchange. The
Responsible Entity shall review this list
at least annually, and update it as
necessary. For the purpose of Standard
CIP-002, Critical Cyber Assets are
further qualified to be those having at
least one of the following
characteristics:
CIP-002-1 R3.1. The Cyber Asset uses a routable protocol Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
to communicate outside the Electronic Already apply to TOs.
Security Perimeter; or,
LCRA: Performed as Trasmission Owner (TO)
X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid.
In addition, ERCOT (as RC, BA, and TOP) must show its CCA list & process.
Texas RE - February 27, 2009 Page 2 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP-002-1 R3.2. The Cyber Asset uses a routable protocol /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
within a control center; or, Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid.
In addition, ERCOT (as RC, BA, and TOP) must show its CCA list & process.
CIP-002-1 R3.3. The Cyber Asset is dial-up accessible. Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid.
In addition, ERCOT (as RC, BA, and TOP) must show its CCA list & process.
CIP-002-1 R4. Annual Approval — A senior manager or Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
delegate(s) shall approve annually the list Already apply to TOs.
of Critical Assets and the list of Critical
Cyber Assets. Based on Requirements LCRA: Performed as Trasmission Owner (TO)
R1, R2, and R3 the Responsible Entity
may determine that it has no Critical CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. The TO & GO (LSE function rolls
Assets or Critical Cyber Assets. The up to TO/GO) must have risk-based methodology to identify its CA. In addition, ERCOT (as RC, BA, and
X
Responsible Entity shall keep a signed TOP) must have documented process & coordination with each TO & GO to prove no gaps in ERCOT grid.
and dated record of the senior manager In general, the LSE function rolls up to TO/GO. ERCOT (as RC, BA, and TOP) must also show annual lists
or delegate(s)’s approval of the list of of CA & CCA w/ annual senior mgr approval.
Critical Assets and the list of Critical
Cyber Assets (even if such lists are null.)
CIP–003–1 R1. Cyber Security Policy — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall document and Already apply to TOs.
implement a cyber security policy that
represents management’s commitment LCRA: Performed as Trasmission Owner (TO)
and ability to secure its Critical Cyber X
Assets. The Responsible Entity shall, at CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
minimum, ensure the following: responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R1.1. The cyber security policy addresses the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
requirements in Standards CIP-002 Already apply to TOs.
through CIP-009, including provision for
emergency situations. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R1.2. The cyber security policy is readily Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
available to all personnel who have Already apply to TOs.
access to, or are responsible for, Critical
Cyber Assets. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R1.3. Annual review and approval of the cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
security policy by the senior manager Already apply to TOs.
assigned pursuant to R2.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R2. Leadership — The Responsible Entity Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
shall assign a senior manager with overall Already apply to TOs.
responsibility for leading and managing
the entity’s implementation of, and LCRA: Performed as Trasmission Owner (TO)
adherence to, Standards CIP-002 through X
CIP-009 CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R2.1. The senior manager shall be identified by Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
name, title, business phone, business Already apply to TOs.
address, and date of designation.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R2.2. Changes to the senior manager must be Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
documented within thirty calendar days Already apply to TOs.
of the effective date.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R2.3. The senior manager or delegate(s), shall Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
authorize and document any exception Already apply to TOs.
from the requirements of the cyber
security policy. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R3. Exceptions — Instances where the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible ERCOT ISOannot conform Already apply to TOs.
to its cyber security policy must be
documented as exceptions and authorized LCRA: Performed as Trasmission Owner (TO)
by the senior manager or delegate(s). X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R3.1. Exceptions to the Responsible Entity’s Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
cyber security policy must be Already apply to TOs.
documented within thirty days of being
approved by the senior manager or LCRA: Performed as Trasmission Owner (TO)
delegate(s). X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R3.2. Documented exceptions to the cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
security policy must include an Already apply to TOs.
explanation as to why the exception is
necessary and any compensating LCRA: Performed as Trasmission Owner (TO)
measures, or a statement accepting risk. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R3.3. Authorized exceptions to the cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
security policy must be reviewed and Already apply to TOs.
approved annually by the senior manager
or delegate(s) to ensure the exceptions LCRA: Performed as Trasmission Owner (TO)
are still required and valid. Such review X
and approval shall be documented. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R4. Information Protection — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall implement and Already apply to TOs.
document a program to identify, classify,
and protect information associated with LCRA: Performed as Trasmission Owner (TO)
Critical Cyber Assets. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R4.1. The Critical Cyber Asset information to Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
be protected shall include, at a minimum Already apply to TOs.
and regardless of media type, operational
procedures, lists as required in Standard LCRA: Performed as Trasmission Owner (TO)
CIP- 002, network topology or similar
diagrams, floor plans of computing X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
centers that contain Critical Cyber responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Assets, equipment layouts of Critical Like above, ERCOT needs to show its compliance.
Cyber Assets, disaster recovery plans,
incident response plans, and security
configuration information.
CIP–003–1 R4.2. The Responsible Entity shall classify Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
information to be protected under this Already apply to TOs.
program based on the sensitivity of the
Critical Cyber Asset information. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R4.3. The Responsible Entity shall, at least Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
annually, assess adherence to its Critical Already apply to TOs.
Cyber Asset information protection
program, document the assessment LCRA: Performed as Trasmission Owner (TO)
results, and implement an action plan to X
remediate deficiencies identified during CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
the assessment. responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R5. Access Control — The Responsible Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Entity shall document and implement a Already apply to TOs.
program for managing access to
protected Critical Cyber Asset LCRA: Performed as Trasmission Owner (TO)
information. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
Texas RE - February 27, 2009 Page 3 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP–003–1 R5.1. The Responsible Entity shall maintain a /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
list of designated personnel who are Already apply to TOs.
responsible for authorizing logical or
physical access to protected information. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R5.1.1 Personnel shall be identified by name, Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. title, business phone and the Already apply to TOs.
information for which they are
responsible for authorizing access. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R5.1.2 The list of personnel responsible for Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. authorizing access to protected Already apply to TOs.
information shall be verified at least
annually. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R5.2. The Responsible Entity shall review at Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
least annually the access privileges to Already apply to TOs.
protected information to confirm that
access privileges are correct and that LCRA: Performed as Trasmission Owner (TO)
they correspond with the Responsible X
Entity’s needs and appropriate personnel CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
roles and responsibilities. responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R5.3. The Responsible Entity shall assess and Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
document at least annually the processes Already apply to TOs.
for controlling access privileges to
protected information. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP–003–1 R6. Change Control and Configuration Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Management — The Responsible Entity Already apply to TOs.
shall establish and document a process of
change control and configuration LCRA: Performed as Trasmission Owner (TO)
management for adding, modifying,
replacing, or removing Critical Cyber CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-002
Asset hardware or software, and responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
implement supporting configuration X Like above, ERCOT needs to show its compliance.
management activities to identify,
control and document all entity or
vendorrelated changes to hardware and
software components of Critical Cyber
Assets pursuant to the
change control process.
CIP-004-1 R1. Awareness — The Responsible Entity Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
shall establish, maintain, and document a Already apply to TOs.
security awareness program to ensure
personnel having authorized cyber or LCRA: Performed as Trasmission Owner (TO)
authorized unescorted physical access
receive on-going reinforcement in sound CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
security practices. The program shall responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
include security awareness Like above, ERCOT needs to show its compliance.
reinforcement on at least a quarterly X
basis using mechanisms such as: Direct
communications (e.g., emails, memos,
computer based training, etc.); Indirect
communications (e.g., posters, intranet,
brochures, etc.); Management support
and reinforcement (e.g., presentations,
meetings, etc.).
CIP-004-1 R2. Training — The Responsible Entity shall Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
establish, maintain, and document an Already apply to TOs.
annual cyber security training program
for personnel having authorized cyber or LCRA: Performed as Trasmission Owner (TO)
authorized unescorted physical access to X
Critical Cyber Assets, and review the CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
program annually and update as responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
necessary. Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.1. This program will ensure that all Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
personnel having such access to Critical Already apply to TOs.
Cyber Assets, including contractors and
service vendors, are trained within ninety LCRA: Performed as Trasmission Owner (TO)
calendar days of such authorization. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.2. Training shall cover the policies, access Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
controls, and procedures as developed Already apply to TOs.
for the Critical Cyber Assets covered by
CIP-004, and include, at a minimum, the LCRA: Performed as Trasmission Owner (TO)
following required items appropriate to X
personnel roles and responsibilities: CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.2.1 The proper use of Critical Cyber Assets; Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.2.2 Physical and electronic access controls Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. to Critical Cyber Assets; Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.2.3 The proper handling of Critical Cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. Asset information; and, Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.2.4 Action plans and procedures to recover Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. or re-establish Critical Cyber Assets Already apply to TOs.
and access thereto following a Cyber
Security Incident. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R2.3. The Responsible Entity shall maintain Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
documentation that training is conducted Already apply to TOs.
at least annually, including the date the
training was completed and attendance LCRA: Performed as Trasmission Owner (TO)
records. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R3. Personnel Risk Assessment —The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall have a Already apply to TOs.
documented personnel risk assessment
program, in accordance with federal, LCRA: Performed as Trasmission Owner (TO)
state, provincial, and local laws, and
subject to existing collective bargaining CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
unit agreements, for personnel having responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
authorized cyber or authorized X Like above, ERCOT needs to show its compliance.
unescorted physical access. A personnel
risk assessment shall be conducted
pursuant to that program within thirty
days of such personnel being granted
such access. Such program shall at a
minimum include:
CIP-004-1 R3.1. The Responsible Entity shall ensure that Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
each assessment conducted include, at Already apply to TOs.
least, identity verification (e.g., Social
Security Number verification in the U.S.) LCRA: Performed as Trasmission Owner (TO)
and seven year criminal check. The
Responsible Entity may conduct more X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
detailed reviews, as permitted by law and responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
subject to existing collective bargaining Like above, ERCOT needs to show its compliance.
unit agreements, depending upon the
criticality of the position.
CIP-004-1 R3.2. The Responsible Entity shall update each Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
personnel risk assessment at least every Already apply to TOs.
seven years after the initial personnel
risk assessment or for cause. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-004-1 R3.3. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
the results of personnel risk assessments Already apply to TOs.
of its personnel having authorized cyber
or authorized unescorted physical access LCRA: Performed as Trasmission Owner (TO)
to Critical Cyber Assets, and that X
personnel risk assessments of contractor CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
and service vendor personnel with such responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
access are conducted pursuant to Like above, ERCOT needs to show its compliance.
Standard CIP-004.
CIP-004-1 R4. Access — The Responsible Entity shall Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
maintain list(s) of personnel with Already apply to TOs.
authorized cyber or
authorized unescorted physical access to LCRA: Performed as Trasmission Owner (TO)
Critical Cyber Assets, including their X
specific CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
electronic and physical access rights to responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Critical Cyber Assets. Like above, ERCOT needs to show its compliance.
Texas RE - February 27, 2009 Page 4 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP-004-1 R4.1. The Responsible Entity shall review the /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
list(s) of its personnel who have such Already apply to TOs.
access to Critical Cyber Assets
quarterly, and update the list(s) within LCRA: Performed as Trasmission Owner (TO)
seven calendar days of any change of
personnel with such access to Critical CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
X
Cyber Assets, or any change in the responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
access rights of such personnel. The Like above, ERCOT needs to show its compliance.
Responsible Entity shall ensure access
list(s) for contractors and service
vendors are properly maintained.
CIP-004-1 R4.2. The Responsible Entity shall revoke such Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
access to Critical Cyber Assets within 24 Already apply to TOs.
hours for personnel terminated for cause
and within seven calendar days for LCRA: Performed as Trasmission Owner (TO)
personnel who no longer require such X
access to Critical Cyber Assets. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 & CIP-003
responses above, the LSE responsibility in general rolls up to TO/GO & thus need cyber security policy.
Like above, ERCOT needs to show its compliance.
CIP-005-1 R1. Electronic Security Perimeter — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall ensure that Already apply to TOs.
every Critical Cyber Asset resides within
an Electronic Security Perimeter. The LCRA: Performed as Trasmission Owner (TO)
Responsible Entity shall identify and X
document the Electronic Security CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
Perimeter(s) and all access points to the above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
perimeter(s). compliance.
CIP-005-1 R1.1. Access points to the Electronic Security Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Perimeter(s) shall include any externally Already apply to TOs.
connected communication end point (for
example, dial-up modems) terminating at LCRA: Performed as Trasmission Owner (TO)
any device within the Electronic Security X
Perimeter(s). CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R1.2. For a dial-up accessible Critical Cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Asset that uses a non-routable protocol, Already apply to TOs.
the Responsible Entity shall define an
Electronic Security Perimeter for that LCRA: Performed as Trasmission Owner (TO)
single access point at the dial-up device. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R1.3. Communication links connecting Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
discrete Electronic Security Perimeters Already apply to TOs.
shall not be considered part of the
Electronic Security Perimeter. However, LCRA: Performed as Trasmission Owner (TO)
end points of these communication links X
within the Electronic Security CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
Perimeter(s) shall be considered access above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
points to the Electronic Security compliance.
CIP-005-1 R1.4. Perimeter(s).
Any non-critical Cyber Asset within a Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
defined Electronic Security Perimeter Already apply to TOs.
shall be identified and protected pursuant
X
to the requirements of Standard CIP-005. LCRA: Performed as Trasmission Owner (TO)
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
CIP-005-1 R1.5. Cyber Assets used in the access control Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
and monitoring of the Electronic Already apply to TOs.
Security Perimeter(s) shall be afforded
the protective measures as a specified in LCRA: Performed as Trasmission Owner (TO)
Standard CIP-003, Standard CIP-004
Requirement R3, Standard CIP-005 X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
Requirements R2 and R3, Standard CIP- above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
006 Requirements R2 and R3, Standard compliance.
CIP-007, Requirements R1 and R3
through R9, Standard CIP-008, and
Standard CIP-009.
CIP-005-1 R1.6. The Responsible Entity shall maintain Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
documentation of Electronic Security Already apply to TOs.
Perimeter(s), all interconnected Critical
and non-critical Cyber Assets within the LCRA: Performed as Trasmission Owner (TO)
Electronic Security Perimeter(s), all X
electronic access points to the CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
Electronic Security Perimeter(s) and the above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
Cyber Assets deployed for the access compliance.
control and monitoring of these access
CIP-005-1 R2. points.
Electronic Access Controls — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall implement and Already apply to TOs.
document the organizational processes
and technical and procedural mechanisms LCRA: Performed as Trasmission Owner (TO)
for control of electronic access at all X
electronic access points to the CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
Electronic Security Perimeter(s). above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.1. These processes and mechanisms shall Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
use an access control model that denies Already apply to TOs.
access by default, such that explicit
access permissions must be specified. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.2. At all access points to the Electronic Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Security Perimeter(s), the Responsible Already apply to TOs.
Entity shall enable only ports and
services required for operations and for LCRA: Performed as Trasmission Owner (TO)
monitoring Cyber Assets within the X
Electronic Security Perimeter, and shall CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
document, individually or by specified above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
grouping, the configuration of those compliance.
ports and services.
CIP-005-1 R2.3. The Responsible Entity shall maintain a Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
procedure for securing dial-up access to Already apply to TOs.
the Electronic Security Perimeter(s).
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.4. Where external interactive access into Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
the Electronic Security Perimeter has Already apply to TOs.
been enabled, the Responsible Entity
shall implement strong procedural or LCRA: Performed as Trasmission Owner (TO)
technical controls at the access points to X
ensure authenticity of the accessing CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
party, where technically feasible. above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.5. The required documentation shall, at Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
least, identify and describe: Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.5.1 The processes for access request and Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. authorization. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.5.2 The authentication methods. Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.5.3 The review process for authorization Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. rights, in accordance with Standard Already apply to TOs.
CIP-004 Requirement R4.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.5.4 The controls used to secure dial-up Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. accessible connections. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R2.6. Appropriate Use Banner — Where Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
technically feasible, electronic access Already apply to TOs.
control devices shall display an
appropriate use banner on the user screen LCRA: Performed as Trasmission Owner (TO)
upon all interactive access attempts. The X
Responsible Entity shall maintain a CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
document identifying the content of the above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
banner. compliance.
CIP-005-1 R3. Monitoring Electronic Access — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall implement and Already apply to TOs.
document an electronic or manual
process(es) for monitoring and logging LCRA: Performed as Trasmission Owner (TO)
access at access points to the Electronic X
Security Perimeter(s) twenty-four hours CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
a day, seven days a week. above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R3.1. For dial-up accessible Critical Cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Assets that use non-routable protocols, Already apply to TOs.
the Responsible Entity shall implement
and document monitoring process(es) at LCRA: Performed as Trasmission Owner (TO)
each access point to the dial-up device, X
where technically feasible. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
Texas RE - February 27, 2009 Page 5 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP-005-1 R3.2. Where technically feasible, the security /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
monitoring process(es) shall detect and Already apply to TOs.
alert for attempts at or actual
unauthorized accesses. These alerts shall LCRA: Performed as Trasmission Owner (TO)
provide for appropriate notification to
designated response personnel. Where X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
alerting is not technically feasible, the above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
Responsible Entity shall review or compliance.
otherwise assess access logs for
attempts at or actual unauthorized
accesses at least every ninety calendar
CIP-005-1 R4. days.
Cyber Vulnerability Assessment — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall perform a cyber Already apply to TOs.
vulnerability assessment of the
electronic access points to the LCRA: Performed as Trasmission Owner (TO)
X
Electronic Security Perimeter(s) at least
annually. The vulnerability assessment CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
shall include, at a minimum, the above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
following: compliance.
CIP-005-1 R4.1. A document identifying the vulnerability Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
assessment process; Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R4.2. A review to verify that only ports and Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
services required for operations at these Already apply to TOs.
access points are enabled;
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R4.3. The discovery of all access points to the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Electronic Security Perimeter; Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R4.4. A review of controls for default Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
accounts, passwords, and network Already apply to TOs.
management community strings; and,
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R4.5. Documentation of the results of the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
assessment, the action plan to remediate Already apply to TOs.
or mitigate vulnerabilities identified in
the assessment, and the execution status LCRA: Performed as Trasmission Owner (TO)
of that action plan. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R5. Documentation Review and Maintenance Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
— The Responsible Entity shall review, Already apply to TOs.
update, and maintain all documentation to
support compliance with the X LCRA: Performed as Trasmission Owner (TO)
requirements of Standard CIP-005.
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
CIP-005-1 R5.1. The Responsible Entity shall ensure that Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
all documentation required by Standard Already apply to TOs.
CIP-005 reflect current configurations
and processes and shall review the LCRA: Performed as Trasmission Owner (TO)
documents and procedures referenced in X
Standard CIP-005 at least annually. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-005-1 R5.2. The Responsible Entity shall update the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
documentation to reflect the Already apply to TOs.
modification of the network or controls X
within ninety calendar days of the LCRA: Performed as Trasmission Owner (TO)
change.
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
CIP-005-1 R5.3. The Responsible Entity shall retain Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
electronic access logs for at least ninety Already apply to TOs.
calendar days. Logs related to reportable
incidents shall be kept in accordance LCRA: Performed as Trasmission Owner (TO)
with the requirements of Standard CIP- X
008. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -004 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1. Physical Security Plan — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall create and Already apply to TOs.
maintain a physical security plan,
approved by a senior manager or LCRA: Performed as Trasmission Owner (TO)
delegate(s) that shall address, at a X
minimum, the following: CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1.1. Processes to ensure and document that Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
all Cyber Assets within an Electronic Already apply to TOs.
Security Perimeter also reside within an
identified Physical Security Perimeter. LCRA: Performed as Trasmission Owner (TO)
Where a completely enclosed (“six-
wall”) border cannot be established, the X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
Responsible Entity shall deploy and above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
document alternative measures to compliance.
control physical access to the Critical
Cyber Assets.
CIP-006-1 R1.2. Processes to identify all access points Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
through each Physical Security Already apply to TOs.
Perimeter and measures to control entry
at those access points. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1.3. Processes, tools, and procedures to Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
monitor physical access to the Already apply to TOs.
perimeter(s).
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1.4. Procedures for the appropriate use of Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
physical access controls as described in Already apply to TOs.
Requirement R3 including visitor pass
management, response to loss, and LCRA: Performed as Trasmission Owner (TO)
prohibition of inappropriate use of X
physical access controls. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1.5. Procedures for reviewing access Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
authorization requests and revocation of Already apply to TOs.
access authorization, in accordance with
CIP-004 Requirement R4. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1.6. Procedures for escorted access within Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
the physical security perimeter of Already apply to TOs.
personnel not authorized for unescorted
access. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R1.7. Process for updating the physical Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
security plan within ninety calendar days Already apply to TOs.
of any physical security system redesign
or reconfiguration, including, but not LCRA: Performed as Trasmission Owner (TO)
limited to, addition or removal of access X
points through the physical security CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
perimeter, physical access controls, above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
monitoring controls, or logging controls. compliance.
CIP-006-1 R1.8. Cyber Assets used in the access control Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
and monitoring of the Physical Security Already apply to TOs.
Perimeter(s) shall be afforded the
protective measures specified in LCRA: Performed as Trasmission Owner (TO)
Standard CIP-003, Standard CIP-004
Requirement R3, Standard CIP-005 X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
Requirements R2 and R3, Standard CIP- above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
006 Requirement R2 and R3, Standard compliance.
CIP-007, Standard CIP-008 and Standard
CIP-009.
CIP-006-1 R1.9. Process for ensuring that the physical Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
security plan is reviewed at least Already apply to TOs.
annually.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R2. Physical Access Controls — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall document and Already apply to TOs.
implement the operational and
procedural controls to manage physical LCRA: Performed as Trasmission Owner (TO)
access at all access points to the X
Physical Security Perimeter(s) twenty- CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
four hours a day, seven days a week. The above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
Responsible Entity shall implement one compliance.
or more of the following physical access
CIP-006-1 R2.1. methods:
Card Key: A means of electronic access Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
where the access rights of the card Already apply to TOs.
holder are predefined in a computer
database. Access rights may differ from LCRA: Performed as Trasmission Owner (TO)
one perimeter to another. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
Texas RE - February 27, 2009 Page 6 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP-006-1 R2.2. Special Locks: These include, but are not /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
limited to, locks with “restricted key” Already apply to TOs.
systems, magnetic locks that can be
operated remotely, and “man-trap” LCRA: Performed as Trasmission Owner (TO)
systems. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R2.3. Security Personnel: Personnel Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
responsible for controlling physical Already apply to TOs.
access who may reside on-site or at a
monitoring station. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R2.4. Other Authentication Devices: Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Biometric, keypad, token, or other Already apply to TOs.
equivalent devices that control physical
access to the Critical Cyber Assets. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R3. Monitoring Physical Access — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall document and Already apply to TOs.
implement the technical and procedural
controls for monitoring physical access LCRA: Performed as Trasmission Owner (TO)
at all access points to the Physical
Security Perimeter(s) twenty-four hours CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
a day, seven days a week. Unauthorized above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
X
access attempts shall be reviewed compliance.
immediately and handled in accordance
with the procedures specified in
Requirement CIP-008. One or more of
the following monitoring methods shall
be used:
CIP-006-1 R3.1. Alarm Systems: Systems that alarm to Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
indicate a door, gate or window has been Already apply to TOs.
opened without authorization. These
alarms must provide for immediate LCRA: Performed as Trasmission Owner (TO)
notification to personnel responsible for X
response. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R3.2. Human Observation of Access Points: Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Monitoring of physical access points by Already apply to TOs.
authorized personnel as specified in
Requirement R2.3. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R4. Logging Physical Access — Logging Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
shall record sufficient information to Already apply to TOs.
uniquely identify individuals and the time
of access twenty-four hours a day, seven LCRA: Performed as Trasmission Owner (TO)
days a week. The Responsible Entity
shall implement and document the CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
technical and procedural mechanisms for X above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
logging physical entry at all access compliance.
points to the Physical Security
Perimeter(s) using one or more of the
following logging methods or their
equivalent:
CIP-006-1 R4.1. Computerized Logging: Electronic logs Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
produced by the Responsible Entity’s Already apply to TOs.
selected access control and monitoring
method. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R4.2. Video Recording: Electronic capture of Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
video images of sufficient quality to Already apply to TOs.
determine identity.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R4.3. Manual Logging: A log book or sign-in Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
sheet, or other record of physical access Already apply to TOs.
maintained by security or other
personnel authorized to control and X LCRA: Performed as Trasmission Owner (TO)
monitor physical access as specified in
Requirement R2.3. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
CIP-006-1 R5. Access Log Retention — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall retain physical Already apply to TOs.
access logs for at least ninety calendar
days. Logs related to reportable incidents X LCRA: Performed as Trasmission Owner (TO)
shall be kept in accordance with the
requirements of Standard CIP-008. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
CIP-006-1 R6. Maintenance and Testing — The compliance.
Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall implement a Already apply to TOs.
maintenance and testing program to
ensure that all physical security systems LCRA: Performed as Trasmission Owner (TO)
under Requirements R2, R3, and R4 X
function properly. The program must CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
include, at a minimum, the following: above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R6.1. Testing and maintenance of all physical Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
security mechanisms on a cycle no Already apply to TOs.
longer than three years.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R6.2. Retention of testing and maintenance Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
records for the cycle determined by the Already apply to TOs.
Responsible Entity in Requirement R6.1.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-006-1 R6.3. Retention of outage records regarding Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
access controls, logging, and monitoring Already apply to TOs.
for a minimum of one calendar year.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -005 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R1. Test Procedures — The Responsible Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Entity shall ensure that new Cyber Assets Already apply to TOs.
and significant changes to existing Cyber
Assets within the Electronic Security LCRA: Performed as Trasmission Owner (TO)
Perimeter do not adversely affect
existing cyber security controls. For CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
purposes of Standard CIP-007, a above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
significant change shall, at a minimum, X compliance.
include implementation of security
patches, cumulative service packs,
vendor releases, and version upgrades of
operating systems, applications, database
platforms, or other third-party software
or firmware.
CIP-007-1 R1.1. The Responsible Entity shall create, Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
implement, and maintain cyber security Already apply to TOs.
test
procedures in a manner that minimizes LCRA: Performed as Trasmission Owner (TO)
adverse effects on the production system X
or its operation. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R1.2. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
that testing is performed in a manner that Already apply to TOs.
reflects the production environment.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R1.3. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
test results. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R2. Ports and Services — The Responsible Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Entity shall establish and document a Already apply to TOs.
process to ensure that only those ports
and services required for normal and LCRA: Performed as Trasmission Owner (TO)
emergency operations are enabled. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R2.1. The Responsible Entity shall enable only Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
those ports and services required for Already apply to TOs.
normal and emergency operations.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
Texas RE - February 27, 2009 Page 7 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP-007-1 R2.2. The Responsible Entity shall disable /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
other ports and services, including those Already apply to TOs.
used for testing purposes, prior to
production use of all Cyber Assets inside LCRA: Performed as Trasmission Owner (TO)
the Electronic Security Perimeter(s). X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R2.3. In the case where unused ports and Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
services cannot be disabled due to Already apply to TOs.
technical limitations, the Responsible
Entity shall document compensating LCRA: Performed as Trasmission Owner (TO)
measure(s) applied to mitigate risk X
exposure or an acceptance of risk. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R3. Security Patch Management — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity, either separately or Already apply to TOs.
as a component of the documented
configuration management process LCRA: Performed as Trasmission Owner (TO)
specified in CIP-003 Requirement R6,
shall establish and document a security X CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
patch management program for tracking, above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
evaluating, testing, and installing compliance.
applicable cyber security software
patches for all Cyber Assets within the
Electronic Security Perimeter(s).
CIP-007-1 R3.1. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
the assessment of security patches and Already apply to TOs.
security upgrades for applicability within
thirty calendar days of availability of the LCRA: Performed as Trasmission Owner (TO)
patches or upgrades. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R3.2. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
the implementation of security patches. Already apply to TOs.
In any case where the patch is not
installed, the Responsible Entity shall LCRA: Performed as Trasmission Owner (TO)
document compensating measure(s) X
applied to mitigate risk exposure or an CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
acceptance of risk. above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R4. Malicious Software Prevention — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall use anti-virus Already apply to TOs.
software and other malicious software
(“malware”) prevention tools, where LCRA: Performed as Trasmission Owner (TO)
technically feasible, to detect, prevent, X
deter, and mitigate the introduction, CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
exposure, and propagation of malware on above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
all Cyber Assets within the Electronic compliance.
Security Perimeter(s).
CIP-007-1 R4.1. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
and implement anti-virus and malware Already apply to TOs.
prevention tools. In the case where anti-
virus software and malware prevention LCRA: Performed as Trasmission Owner (TO)
tools are not installed, the Responsible X
Entity shall document compensating CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
measure(s) applied to mitigate risk above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
exposure or an acceptance of risk. compliance.
CIP-007-1 R4.2. The Responsible Entity shall document Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
and implement a process for the update Already apply to TOs.
of anti-virus and malware prevention
“signatures.” The process must address LCRA: Performed as Trasmission Owner (TO)
testing and installing the signatures. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5. Account Management — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall establish, Already apply to TOs.
implement, and document technical and
procedural controls that enforce access LCRA: Performed as Trasmission Owner (TO)
authentication of, and accountability for, X
all user activity, and that minimize the CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
risk of unauthorized system access. above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.1. The Responsible Entity shall ensure that Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
individual and shared system accounts Already apply to TOs.
and authorized access permissions are
consistent with the concept of “need to LCRA: Performed as Trasmission Owner (TO)
know” with respect to work functions X
performed. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.1.1 The Responsible Entity shall ensure that Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. user accounts are implemented as Already apply to TOs.
approved by designated personnel. Refer
to Standard CIP-003 Requirement R5. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.1.2 The Responsible Entity shall establish Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. methods, processes, and procedures that Already apply to TOs.
generate logs of sufficient detail to
create historical audit trails of individual LCRA: Performed as Trasmission Owner (TO)
user account access activity for a X
minimum of ninety days. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.1.3 The Responsible Entity shall review, at Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. least annually, user accounts to verify Already apply to TOs.
access privileges are in accordance with
Standard CIP-003 Requirement R5 and LCRA: Performed as Trasmission Owner (TO)
Standard CIP-004 Requirement R4. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.2. The Responsible Entity shall implement Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
a policy to minimize and manage the Already apply to TOs.
scope and acceptable use of
administrator, shared, and other generic LCRA: Performed as Trasmission Owner (TO)
account privileges including factory X
default accounts. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.2.1 The policy shall include the removal, Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. disabling, or renaming of such accounts Already apply to TOs.
where possible. For such accounts that
must remain enabled, passwords shall be LCRA: Performed as Trasmission Owner (TO)
changed prior to putting any system into X
service. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.2.2 The Responsible Entity shall identify Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. those individuals with access to shared Already apply to TOs.
accounts.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.2.3 Where such accounts must be shared, the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. Responsible Entity shall have a policy Already apply to TOs.
for managing the use of such accounts
that limits access to only those with LCRA: Performed as Trasmission Owner (TO)
authorization, an audit trail of the X
account use (automated or manual), and CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
steps for securing the account in the above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
event of personnel changes (for example, compliance.
change in assignment or termination).
CIP-007-1 R5.3. At a minimum, the Responsible Entity Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
shall require and use passwords, subject Already apply to TOs.
to the following, as technically feasible:
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.3.1 Each password shall be a minimum of six Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. characters. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.3.2 Each password shall consist of a Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. combination of alpha, numeric, and Already apply to TOs.
“special” characters.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R5.3.3 Each password shall be changed at least Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
. annually, or more frequently based on Already apply to TOs.
risk.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R6. Security Status Monitoring — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall ensure that all Already apply to TOs.
Cyber Assets within the Electronic
Security Perimeter, as technically LCRA: Performed as Trasmission Owner (TO)
feasible, implement automated tools or X
organizational process controls to CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
monitor system events that are related to above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
cyber security. compliance.
Texas RE - February 27, 2009 Page 8 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP-007-1 R6.1. The Responsible Entity shall implement /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
and document the organizational Already apply to TOs.
processes and technical and procedural
mechanisms for monitoring for security LCRA: Performed as Trasmission Owner (TO)
events on all Cyber Assets within the X
Electronic Security Perimeter. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R6.2. The security monitoring controls shall Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
issue automated or manual alerts for Already apply to TOs.
detected Cyber Security Incidents.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R6.3. The Responsible Entity shall maintain Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
logs of system events related to cyber Already apply to TOs.
security, where technically feasible, to
support incident response as required in LCRA: Performed as Trasmission Owner (TO)
Standard CIP-008. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R6.4. The Responsible Entity shall retain all Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
logs specified in Requirement R6 for Already apply to TOs.
ninety calendar days.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R6.5. The Responsible Entity shall review logs Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
of system events related to cyber Already apply to TOs.
security and maintain records
documenting review of logs. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R7. Disposal or Redeployment — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall establish formal Already apply to TOs.
methods, processes, and procedures for
disposal or redeployment of Cyber LCRA: Performed as Trasmission Owner (TO)
Assets within the Electronic Security X
Perimeter(s) as identified and CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
documented in Standard CIP-005. above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R7.1. Prior to the disposal of such assets, the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall destroy or erase Already apply to TOs.
the data storage media to prevent
unauthorized retrieval of sensitive cyber LCRA: Performed as Trasmission Owner (TO)
security or reliability data. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R7.2. Prior to redeployment of such assets, the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall, at a minimum, Already apply to TOs.
erase the data storage media to prevent
unauthorized retrieval of sensitive cyber LCRA: Performed as Trasmission Owner (TO)
security or reliability data. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R7.3. The Responsible Entity shall maintain Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
records that such assets were disposed of Already apply to TOs.
or redeployed in accordance with
documented procedures. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R8. Cyber Vulnerability Assessment — The Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Responsible Entity shall perform a cyber Already apply to TOs.
vulnerability assessment of all Cyber
Assets within the Electronic Security LCRA: Performed as Trasmission Owner (TO)
Perimeter at least annually. The X
vulnerability assessment shall include, at CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
a minimum, the following: above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R8.1. A document identifying the vulnerability Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
assessment process; Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R8.2. A review to verify that only ports and Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
services required for operation of the Already apply to TOs.
Cyber Assets within the Electronic
Security Perimeter are enabled; LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R8.3. A review of controls for default Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
accounts; and, Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R8.4. Documentation of the results of the Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
assessment, the action plan to remediate Already apply to TOs.
or mitigate vulnerabilities identified in
the assessment, and the execution status LCRA: Performed as Trasmission Owner (TO)
of that action plan. X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
compliance.
CIP-007-1 R9. Documentation Review and Maintenance Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
— The Responsible Entity shall review Already apply to TOs.
and update the documentation specified
in Standard CIP-007 at least annually. LCRA: Performed as Trasmission Owner (TO)
Changes resulting from modifications to X
the systems or controls shall be CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -006 responses
documented within ninety calendar days above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT needs to show its
of the change. compliance.
CIP–008–1 R1. Cyber Security Incident Response Plan Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
— The Responsible Entity shall develop Already apply to TOs.
and maintain a Cyber Security Incident
response plan. The Cyber Security LCRA: Performed as Trasmission Owner (TO)
Incident Response plan shall address, at a X
minimum, the following: CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–008–1 R1.1. Procedures to characterize and classify Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
events as reportable Cyber Security Already apply to TOs.
Incidents.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–008–1 R1.2. Response actions, including roles and Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
responsibilities of incident response Already apply to TOs.
teams, incident handling procedures, and
communication plans. LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–008–1 R1.3. Process for reporting Cyber Security Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Incidents to the Electricity Sector Already apply to TOs.
Information Sharing and Analysis Center
(ES ISAC). The Responsible Entity must LCRA: Performed as Trasmission Owner (TO)
ensure that all reportable Cyber Security X
Incidents are reported to the ES ISAC CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
either directly or through an above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
intermediary. needs to show its compliance.
CIP–008–1 R1.4. Process for updating the Cyber Security Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Incident response plan within ninety Already apply to TOs.
calendar days of any changes.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–008–1 R1.5. Process for ensuring that the Cyber Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Security Incident response plan is Already apply to TOs.
reviewed at least annually.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–008–1 R1.6. Process for ensuring the Cyber Security Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Incident response plan is tested at least Already apply to TOs.
annually. A test of the incident response
plan can range from a paper drill, to a full LCRA: Performed as Trasmission Owner (TO)
operational exercise, to the response to X
an actual incident. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–008–1 R2. Cyber Security Incident Documentation Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
— The Responsible Entity shall keep Already apply to TOs.
relevant documentation related to Cyber
Security Incidents reportable per LCRA: Performed as Trasmission Owner (TO)
Requirement R1.1 for three calendar X
years. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -007 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
Texas RE - February 27, 2009 Page 9 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
CIP–009–1 R1. Recovery Plans — The Responsible /EIL Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
Entity shall create and annually review Already apply to TOs.
recovery plan(s) for Critical Cyber
Assets. The recovery plan(s) shall LCRA: Performed as Trasmission Owner (TO)
address at a minimum the following: X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–009–1 R1.1. Specify the required actions in response Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
to events or conditions of varying Already apply to TOs.
duration and severity that would activate
the recovery plan(s). LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–009–1 R1.2. Define the roles and responsibilities of Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
responders. Already apply to TOs.
LCRA: Performed as Trasmission Owner (TO)
X
CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–009–1 R2. Exercises — The recovery plan(s) shall Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
be exercised at least annually. An Already apply to TOs.
exercise of the recovery plan(s) can
range from a paper drill, to a full LCRA: Performed as Trasmission Owner (TO)
operational exercise, to recovery from X
an actual incident. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
CIP–009–1 R3. Change Control — Recovery plan(s) Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
shall be updated to reflect any changes or Already apply to TOs.
lessons learned as a result of an exercise
or the recovery from an actual incident. LCRA: Performed as Trasmission Owner (TO)
Updates shall be communicated to X
personnel responsible for the activation CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
and implementation of the recovery above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
plan(s) within ninety calendar days of the needs to show its compliance.
change.
CIP–009–1 R4. Backup and Restore — The recovery Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
plan(s) shall include processes and Already apply to TOs.
procedures for the backup and storage of
information required to successfully LCRA: Performed as Trasmission Owner (TO)
restore Critical Cyber Assets. For X
example, backups may include spare CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
electronic components or equipment, above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
written documentation of configuration needs to show its compliance.
settings, tape backup, etc.
CIP–009–1 R5. Testing Backup Media — Information Brazos, College Station, Oncor, CenterPoint, AEP, Sharyland: Entity A
essential to recovery that is stored on Already apply to TOs.
backup media shall be tested at least
annually to ensure that the information is LCRA: Performed as Trasmission Owner (TO)
available. Testing can be completed off X
site. CPS: CPS Energy agrees with LCRA, Brazos, CS, Oncor, CNP, & AEP. Like CIP-001 to -008 responses
above, the LSE responsibility in general rolls up to TO/GO. Like above, ERCOT (as RC, BA, and TOP) also
needs to show its compliance.
EOP-002-2 R9.1. The deficient Load-Serving Entity shall Georgetown: RC assigned this. 1. ERCOT ISO shall initiate an Energy Emergency Alert in accordance with Attachment 1- No DP is capable of taking action related to EOP-002 Request RC to initiate
request its Reliability Coordinator to EOP-002-0. except responding to EEA direction from ERCOT. EEA
initiate an Energy Emergency Alert in ERCOT ISO: This standard/requirement does not apply to the ERCOT ISO region because ERCOT ISO If ERCOT doesn't think it applies, then this may need
accordance with Attachment 1-EOP-002- does not employ TLR as required in R9. Thus, there is no appropriate entity for LSE registration. to continue with a regional standard.
0. QSEs and TO orgs want to be clear it's not them.
CPS: (BA, RC, LSE) Responsibility for compliance with this standard resides with ERCOT. ERCOT needs Needs language about recognizing deficiency and who
X to define and document its and the LSE's responsbilities, if any. initiates EEAs, just so FERC/NERC know that's
covered.
Jerry - If you don't do TLR, what do you do, write that
up.
Matt - check language from draft from drafting team.
EOP-004-1 R2. A Reliability Coordinator, Balancing Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities If Entity A experiences a reportable incident on its facilities, it shall promptly analyze its TOs document that they analyze on their own facilites. analyze disturbances on
Authority, Transmission Operator, TOs want to be sure the JRO explains what they are doing, and set forth what ERCOT does as RC. TOs can own facilities. TOs only responsible for analyzing own facilities and its system or facilities
Generator Operator or Load-Serving only be responsible for events and reporting on their own system. ERCOT can analyze events on multiple sending own info to ERCOT.
Entity shall promptly analyze Bulk systems. Performance/Disturbance/Compliance analysis shall be performed by the ERCOT ISO for the
Electric System disturbances on its purpose of ensuring conformance to published control criteria of ERCOT ISO. TOs must maintain DFRs
system or facilities. and provide data to ERCOT ISO upon request as required by OG 7.1.2.4. TOs must analyze all relay/SPS
misoperations, implement corrective measures, and provide information to ERCOT ISO as requested per
X OG 7.2.3.
Georgetown: RC assigned this
CPS: CPS Energy agrees with Brazos, CS, Oncor, CNP, & SU and Georgetown. Additionally, a TO can
only be responsible for its own system. ERCOT (as RC, BA, TOP) must coordinate an ERCOT-wide
analysis. Any identified responsibilities (GO, LSE, RRO) need to be assigned and documented in a JRO
with ERCOT.
EOP-004-1 R3. A Reliability Coordinator, Balancing Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities If Entity A experiences a reportable incident on its facilities, it shall provide a TO reports to DOE, PUC and ERCOT info on own provide report
Authority, Transmission Operator, ERCOT ISO has the responsibility to submit the reports to NERC. The TOs are responsible to provide the preliminary report on its facilities to ERCOT ISO. ERCOT ISO shall compile and facilities, but not to NERC. ERCOT ISO must report
Generator Operator or Load-Serving information under the OGs. Individual TOs will not know if the cumulative size of the event is reportable. provide any reports sent to it by any Entity A, any Generator Operator, or other entities on its facilities and for overall market; ERCOT ISO is
Entity experiencing a reportable incident to NERC, along with all reports that ERCOT ISO creates for its own facilities and as RC, only entity who reports into NERC.
shall provide a preliminary written report Georgetown: TOP currently performs this function BA, or TOP.
to its Regional Reliability Organization X
and NERC. CPS: see EOP-004 R2 response. In addition, ERCOT must provide the system-wide writen report to
NERC. If a JRO for the LSE function is needed, then it only needs to document that the TO, upon request
from ERCOT, supplied its event review data and analysis.
EOP-004-1 R3.1. The affected Reliability Coordinator, Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities ERCOT ISO shall submit within 24 hours of the disturbance or unusual occurrence either submit report
Balancing Authority, Transmission ERCOT ISO has the responsibility to submit the reports to NERC. The TOs are responsible to provide the a copy of the report submitted to DOE or, if no DOE report is required, a copy of the
Operator, Generator Operator or Load- information under the OGs. Individual TOs will not know if the cumulative size of the event is reportable. NERC Interconnection Reliability Operating Limit and Preliminary Disturbance Report
Serving Entity shall submit within 24 form.
hours of the disturbance or unusual Georgetown: TOP currently performs this function
occurrence either a copy of the report
submitted to DOE, or, if no DOE report CPS: See EOP-004 R3 above
is required, a copy of the NERC X
Interconnection Reliability Operating
Limit and Preliminary Disturbance
Report form. Events that are not
identified until some time after they
occur shall be reported within 24 hours
of being recognized.
EOP-004-1 R3.2. Applicable reporting forms are provided Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities General statement - not a specific requirement no requirement
in Attachments 022-1 and 022-2. ERCOT ISO has the responsibility to submit the reports to NERC. The TOs are responsible to provide the
information under the OGs. Individual TOs will not know if the cumulative size of the event is reportable.
X Georgetown: TOP currently performs this function
CPS: See EOP-004 R3 above
EOP-004-1 R3.3. Under certain adverse conditions, e.g., Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities Under certain adverse conditions, e.g., severe weather, it may not be possible to assess
severe weather, it may not be possible to ERCOT ISO has the responsibility to submit the reports to NERC. The TOs are responsible to provide the the damage caused by a disturbance and issue a written Interconnection Reliability
assess the damage caused by a information under the OGs. Individual TOs will not know if the cumulative size of the event is reportable. Operating Limit and Preliminary Disturbance Report within 24 hours. In such cases, the
disturbance and issue a written affected Entity A shall promptly notify ERCOT ISO and verbally provide as much
Interconnection Reliability Operating Georgetown: TOP currently performs this function information as is available at that time. ERCOT ISO must promptly notify NERC of this
Limit and Preliminary Disturbance information. The affected Entity A shall then provide timely, periodic verbal updates to
Report within 24 hours. In such cases, CPS: See EOP-004 R3 above ERCOT ISO until adequate information is available to issue a written Preliminary
the affected Reliability Coordinator, Disturbance Report.
Balancing Authority, Transmission
Operator, Generator Operator, or Load-
Serving Entity shall promptly notify its
Regional Reliability Organization(s) and
NERC, and verbally provide as much
information as is available at that time. X
The affected Reliability Coordinator,
Balancing Authority, Transmission
Operator, Generator Operator, or Load-
Serving Entity shall then provide timely,
periodic verbal updates until adequate
information is available to issue a written
Preliminary Disturbance Report.
EOP-004-1 R3.4. If, in the judgment of the Regional Georgetown: TOP currently performs this function If ERCOT ISO determines that a final report is needed, ERCOT ISO will prepare this
Reliability Organization, after report within 60 days. Entity A will cooperate with and provide needed information to
consultation with the Reliability CPS: See EOP-004 R3 above ERCOT ISO for its report.
Coordinator, Balancing Authority,
Transmission Operator, Generator
Operator, or Load-Serving Entity in
which a disturbance occurred, a final
report is required, the affected
Reliability Coordinator, Balancing
Authority, Transmission Operator, X
Generator Operator, or Load-Serving
Entity shall prepare this report within 60
days. As a minimum, the final report
shall have a discussion of the events and
its cause, the conclusions reached, and
recommendations to prevent recurrence
of this type of event. The report shall be
subject to Regional Reliability
Organization approval.
FAC-002-0 R1. The Generator Owner, Transmission LCRA: Performed as Transmission Owner (TO) Entity A Liz - Interconnection process document specifies how coordinate and
Owner, Distribution Provider, and Load- this is done cooperate on
Serving Entity seeking to integrate CPS: (GO, TO, DP, LSE, TP, PA). CPS Energy agrees with LCRA in that this is already performed by the assessments with TP
generation facilities, transmission TO. In addtion, each other entity (GO, DP, LSE, TP, PA) must have documented process to demonstrate and PA
facilities, and electricity end-user compliance with FAC-002 and how it rolls up to the TO. TO must prove compliance and demonstrate how
facilities shall each coordinate and X it rolls up to ERCOT. ERCOT as PA must show (through regional planning) overal ERCOT wide coverage.
cooperate on its assessments with its
Transmission Planner and Planning
Authority. The assessment shall include:
FAC-002-0 R1.1. Evaluation of the reliability impact of the LCRA: Performed as Transmission Owner (TO) Entity A
new facilities and their connections on X
the interconnected transmission systems. CPS: see FAC-002 R1 above.
FAC-002-0 R1.2. Ensurance of compliance with NERC LCRA: Performed as Transmission Owner (TO) Entity A
Reliability Standards and applicable
Regional, subregional, Power Pool, and X CPS: see FAC-002 R1 above.
individual system planning criteria and
facility connection requirements.
Texas RE - February 27, 2009 Page 10 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
FAC-002-0 R1.3. Evidence that the parties involved in the /EIL LCRA: Performed as Transmission Owner (TO) Entity A
assessment have coordinated and
cooperated on the assessment of the CPS: see FAC-002 R1 above.
reliability impacts of new facilities on
the interconnected transmission systems. X
While these studies may be performed
independently, the results shall be jointly
evaluated and coordinated by the entities
involved.
FAC-002-0 R1.4. Evidence that the assessment included LCRA: Performed as Transmission Owner (TO) Entity A
steady-state, short-circuit, and dynamics
studies as necessary to evaluate system X CPS: see FAC-002 R1 above.
performance in accordance with
Reliability Standard TPL-001-0.
FAC-002-0 R1.5. Documentation that the assessment LCRA: Performed as Transmission Owner (TO) Entity A
included study assumptions, system
performance, alternatives considered, X CPS: see FAC-002 R1 above.
and jointly coordinated
recommendations.
FAC-002-0 R2. The Planning Authority, Transmission LCRA: Performed as Transmission Owner (TO) Entity A
Planner, Generator Owner, Transmission
Owner, Load-Serving Entity, and CPS: see FAC-002 R1 above.
Distribution Provider shall each retain its
documentation (of its evaluation of the
reliability impact of the new facilities
and their connections on the
X
interconnected transmission systems)
for three years and shall provide the
documentation to the Regional
Reliability Organization(s) Regional
Reliability Organization(s) and NERC on
request (within 30 calendar days).
INT-001-3 R1 The Load-Serving, Purchasing-Selling No Comments. Not an LSE requirement REMOVE FROM CHART BEFORE FINALIZING
Entity shall ensure that Arranged
Interchange is submitted to the CPS: (PSE, BA) ERCOT, as BA must handle. The standard is not applicable to a LSE or TO.
Interchange Authority for: R1.1. All
Dynamic Schedules at the expected
average MW profile for each hour.
IRO-001-1 R8. Transmission Operators, Balancing Lume: QSE’s with LaaR and/or EIL will instruct the LaaR or EIL operator that the Reliability Coordinator Entity A and Entity B shall comply with Reliability Coordinator directives unless such This is an event driven requirement, only if LaaR comply with directives
Authorities, Generator Operators, has issued a directive that requires the load to take action and if the operator is unable to take such action, actions would violate safety, equipment, or regulatory or statutory requirements. Under or EILS is asked to deploy would we need unless…
Transmission Service Providers, Load- they should inform the QSE (LSE) immediately so that the QSE may inform the Reliability Coordinator these circumstances, Entity A and Entity B shall immediately inform the Reliability evidence of such deployment. Entity B can only
Serving Entities, and Purchasing-Selling immediately. The QSE should have a documented procedure stating the above and a document from the Coordinator of the inability to perform the directive so that the Reliability Coordinator inform RC if they are informed by LaaR and EILS.
Entities shall comply with Reliability LaaR or EIL operator that it has internal procedures for the corresponding response and operation when may implement alternate remedial actions. If LaaR and EILS failed to follow own procedure,
Coordinator directives unless such notified by the QSE of such directives. Entity B won't be able to report. Have clear
actions would violate safety, equipment, If directed by the Reliability Coordinator, Entity B shall immediately instruct its LaaR procedures QSE has notified them, they have
or regulatory or statutory requirements. Oxy: The Agreement should state clearly that directives referred to in IRO-001, R8 refer to those and EILS that the Reliability Coordinator has issued a directive that requires the EILS or confirmed, or not, and QSE reports back to
Under these circumstances, the directives that the QSE is capable of and required to perform under the ERCOT Protocols and Operating LaaR to deploy. ERCOT. Not trying to make QSE reponsible of
Transmission Operator, Balancing Guides. Suggested Language: Pursuant to this JRO Agreement, the QSE w/LaaR assumes the LSE duties LaaR or EILS hasn't bid in. Wording needs to
Authority, Generator Operator, in IRO-001, R8 on the basis that the directives referred to in R8 are those that the QSE is resonably Entity B shall notify the LaaR or EILS that if it is unable to immediately take such action, take into account the 25MW or less threshold.
Transmission Service Provider, Load- capable of and required to perform under the ERCOT Protocols and Operating Guides. the Laar or EILS must immediately inform Entity B so that Entity B may immediately Need more comments, assumption was that EILS
Serving Entity, or Purchasing-Selling X X inform the Reliability Coordinator. or LaaR notified QSE they couldn't deploy. Need
Entity shall immediately inform the language on who should be exempted. How do we
Reliability Coordinator of the inability to Entity B must immediately notify the Reliability Coordinator if (a) the LaaR or EILS know which entities the QSE is not responsible for
perform the directive so that the notifies Entity B that it is not able to deploy, or (b) Entity B is otherwise aware that the getting a response from?
Reliability Coordinator may implement LaaR or EILS is not able to deploy.
alternate remedial actions.
Georgetown: Asigned to TOP as it already has this function.
Formosa: Voice recordings and/or log books would be required here to document instructions and
communications.
BP Energy: Under the NERC reliability standards, a QSE can only relay information to/from the LAAR it
serves. For instance, if the ERCOT ISO directs a particular LAAR to curtail its power consumption, the
QSE can notify the LAAR of its scheduled curtailment but the QSE does not necessarily have the
operational control to cause the LAAR’s facilities to curtail. Thus, the QSE should not bear responsibility,
under the NERC reliability standards, for the failure of a LAAR or EILS to respond to a directive that the
QSE has forwarded.
Therefore, the final standard should make clear that a QSE with LAAR or EILS only is responsible for
communicating directives to/from the Reliability Coordinator. Additionally, the TRE should clarify what
information will be acceptable to indicate a QSE’s compliance with this requirement and what specific
actions a QSE with LAAR/EILS must take to comply with this requirement. For instance, the TRE could
deem the fact, and record, of a communication from the QSE to the ERCOT ISO is sufficient evidence to
establish compliance with the requirement.
CPS: (RC, RRO, TOP, BA, GOP TSP, LSE, PSE). ERCOT as RC must handle. If a JRO for the LSE
function is needed, then it only needs to document that the TO's interrnal operating procedures demonstrate
compliance.
IRO-004-1 R4. Each Transmission Operator, Balancing Lume: To support the Reliability Coordinator’s development of system studies, the QSE (LSE) will submit REMOVED STANDARD CHANGED ON APRIL, 1 provide info for system
Authority, Transmission Owner, the Daily Resource Plan and update it as per the protocol (which addresses the ERCOT regional difference 2009 NO MORE LSE FUNCTION studies
Generator Owner, Generator Operator, in the timing of such submittals). Such submittals will include information on scheduled LAARs and EILS.
and Load-Serving Entity in the Reliability
Coordinator Area shall provide Brazos, College Station, Oncor, CenterPoint, and Sharyland Utilities:
information required for system studies, TO would supply facility status, QSE would supply other, ERCOT supplies operating reserve projections.
such as critical facility status, Load,
generation, operating reserve BP Energy: QSEs should only be required to provide the information they are already otherwise required
projections, and known Interchange to provide to the ERCOT ISO under the current Tariff and Protocols. Implementation of this Reliability
Transactions. This information shall be Standard should not obligate QSEs to provide new or additional information to the ERCOT ISO.
available by 1200 Central Standard Time
for the Eastern Interconnection and 1200 LCRA: Performed as Transmission Owner (TO)
Pacific Standard Time for the Western X
Interconnection. Oxy: The Agreement should state clearly that LSE "information" as used in IRO-004, R4 applicable to QSE
w/Laar refers to information that is routinely communicated to ERCOT by the QSE as required by the
ERCOT Protocols and Operating Guides, e.g., the Resource Plan and other planning information currently
supplied to ERCOT. Suggested Language: Pursuant to this JRO Agreement, the QSE w/LaaR assumes the
LSE duties in IRO-004, R4 on the basis that the "information required for system studies" referred to in R4
is the information currently supplied to ERCOT by the QSE w/LaaR as required by the ERCOT Protocols
and Operating Guides, e.g., the Resource Plan, etc.
Formosa: 1. The QSE submits the Resource Plan to ERCOT each day, would this be sufficient to meet this
criteria or do we need to submit more information? Also, will our bid instructions, with the Resource Plan
data be sufficient for audit documentation purposes? The RARF also has a significant amount of
generation and transmission data, can that also be used to meet compliance? 2. NERC does not have a time
for the ERCOT region? I assume 12:00 Central Time for the ERCOT area.
CPS: CPS Energy agrees with Brazos, CS, Oncor, CNP, SU in that the TO only supplies its facility status.
The JRO should show joint responsibility as defined by TOP, BA, TO, GO, GOP. Please note that IRO-004-
1 is applicable to RC, BA, TOP, TSP, TO, GO, GOP, LSE and the revised IRO-004-2 is applicable to only
BA, TOP, TSP with an effective date of April 1, 2009(?) approved by NERC BOT 10/17/08.
IRO-005-3 R10. In instances where there is a difference Brazos, College Station, Oncor, CenterPoint, Sherryland Utilities. In instances where there is a difference in derived limits, Entity A shall always operate TOs don't have much effect on SOL or IROL. Susan -
in derived limits, the Transmission ERCOT controls the generation that is manipulated to avoid reaching a SOL/IROL. TOs do not have the the Bulk Electric System to the most limiting parameter. interpretation that only LSE function is that LSE
Operators, Balancing Authorities, ability to operate or see generators across the Bulk Electric System. operate in most limiting parameter. TO operating
Generator Operators, Transmission their system to their derived most limiting element on
Service Providers, Load-Serving Entities Georgetown: TOP currently performs this function the facilities they provide ratings on. Liz - LSE
and Purchasing-Selling Entities shall applicability goes to that sentence only, "in instances
always operate the Bulk Electric System AEP: ERCOT monitors and controls the system with respect to SOL/IROL. where there is a difference in derived limits"
to the most limiting parameter.
CPS: CPS Energy agrees with Brazos, CS, O, CNP, SU in that ERCOT is in control. TO can only supply its THIS STANDARD WAS REVISED
own system limits & ensure they are being maintained & operated within limits. JRO needs to document
X this and any specific TO/GOP's responsibilities.
MOD-017-0 R1. The Load-Serving Entity, Planning Brazos, Colelge Station, Oncor, CenterPoint, Sherryland Utilities: 1. Entity A will provide the following Entity A-specific information to ERCOT ISO. 2. TOs send info for own meters to ERCOT, ERCOT provide info annually on
Authority, and Resource Planner shall TOs are required to provide modeling information to ERCOT pursuant to the Operating Guides. The JRO ERCOT ISO shall provide the following information annually on an aggregated Regional, aggregates and does modeling and gives to NERC, aggregated basis
each provide the following information should be specific as to the information that TOs actually provide to ERCOT. ERCOT aggregates and subregional, Power Pool, and ERCOT ISO system basis to NERC, Texas Regional Entity, RRO, other entities specified by MOD-016. ERCOT
annually on an aggregated Regional, modify the data and reports the information to NERC. Therefore, ERCOT should be responsible. and any other entities specified by the documentation in Standard MOD-016-1_R 1.. would not be doing this as LSE, doing it as aggregator
subregional, Power Pool, individual of information. Liz - might be helpful to attach ALDR
system, or Load-Serving Entity basis to Georgetown: PA or RP currently performs this function so it's clear what information they are providing and
NERC, the Regional Reliability what they can't provide. Susan - list including general
Organizations, and any other entities AEP: TOs support ERCOT in the model development through the ALDR process. ERCOT should be stuff without too much detail. Deeann - make it clear
specified by the documentation in responsible for providing information to NERC and RRO. that TOs are only providing their info, not aggregate.
Standard MOD-016-1_R 1. It is aggregated for the TO territory/region.
X X ERCOT ISO: The <<QSE for REPs or REPs>>, TPs, and DPs shall perform the LSE requirements for "Individual system" identify what info is provided by
MOD-017-0 R1 as stated in R1.1 through R1.4. TOs. Region & subregion are not descriptive terms
for ERCOT. ERCOT suggested "provide info for their
CPS: (LSE, PA, RP) ERCOT must define each individual TO's responsibilities, if any. ERCOT has overall portion of the interconnected load"...John suggested
responsibility. An individual TO can only be responsible for the data (ALDR data & modeling data) it check drafting team language.
provides. CPS Energy agrees with Brazos, CS, O, CNP, SU, & AEP. ERCOT needs to supply the system-
wide required annual information to NERC/RRO.
MOD-017-0 R1.1. Integrated hourly demands in megawatts Brazos, Colelge Station, Oncor, CenterPoint, Sherryland Utilities, AEP: See above. 1. Entity A will provide their information to ERCOT ISO. 2. ERCOT ISO shall submit same as MOD 017 R1 - actual & historical data
(MW) for the prior year. annual and aggregated information to NERC and any entities specified by the Charter planning guide? Regional Planning Guide -
Georgetown: PA or RP currently performs this function documentation in standard MOD-016_R1. could that be used as a basis for how they do it in
ERCOT.
ERCOT ISO: The <<QSE for REPs or REPs>> shall provide the information required by MOD-017-0
X X R1.1 for the portion of ERCOT interconnected load they represent to the Planning Authority annually, and
to Texas RE and NERC upon request.
**the TDSPs collect this data**
CPS: see MOD-017 R1 response.
Texas RE - February 27, 2009 Page 11 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
MOD-017-0 R1.2. Monthly and annual peak hour actual /EIL Brazos, Colelge Station, Oncor, CenterPoint, Sherryland Utilities, AEP: See above. 1. Entity A will provide their information to ERCOT ISO. 2. ERCOT ISO shall submit same as MOD 017 R1 - actual & historical data
demands in MW and Net Energy for annual and aggregated information to NERC, Texas Regional Entity, and any entities
Load in gigawatthours (GWh) for the Georgetown: PA or RP currently performs this function specified by the documentation in standard MOD-016_R1.
prior year.
ERCOT ISO: The <<QSE for REPs or REPs>> shall provide the information required by MOD-017-0
R1.2 for the portion of ERCOT interconnected load they represent to the Planning Authority annually, and
X X
to Texas RE and NERC upon request.
**the TDSPs collect this data**
CPS: see MOD-017 R1 response.
MOD-017-0 R1.3. Monthly peak hour forecast demands in Brazos, Colelge Station, Oncor, CenterPoint, Sherryland Utilities, AEP: See above. 1. Entity A shall submit their monthly peak hour forecast demands in MW and Net same as MOD 017 R1 - forecast data
MW and Net Energy for Load in GWh Energy for Load in GWh for its facilities for the next two years to ERCOT ISO. 2.
for the next two years. Georgetown: PA or RP currently performs this function ERCOT ISO shall agregate monthly peak hour forecast demands for the region and submit
to NERC and any entities specified by the documentation in standard MOD-016_R1.
ERCOT ISO: The TPs and DPs shall perform the LSE requirements for MOD-017-0 R1.3.
The DPs shall provide information required by MOD-017 R1.3 for their respective interconnected loads to
the TPs annually, and to the Planning Authority, NERC and Texas RE upon request.
X X The TPs shall provide information required by MOD-017 R1.3 for their respective interconnected loads to
the Planning Authority annually, and to NERC and Texas RE upon request.
CPS: In addtion to MOD-017 R1 response, TO/DP should supply monthly peak hour forecast demands in
MW and Net Energy for Load in GWh for its facilities for the next two years. The JRO should detail the
joint responsibilties between the DP/TO and ERCOT. ERCOT should supply monthly peak hour forecast
demands for the entire ERCOT region.
MOD-017-0 R1.4. Annual Peak hour forecast demands Brazos, Colelge Station, Oncor, CenterPoint, Sherryland Utilities, AEP: See above. 1. Entity A shall submit their annual peak hour forecast demands (summer and winter) in same as MOD 017 R1 - forecast data
(summer and winter) in MW and annual MW and annual net Energy for load in GWh to ERCOT ISO. 2. ERCOT ISO shall submit
Net Energy for load in GWh for at least Georgetown: PA or RP currently performs this function the regional annual peak forecast demands (summer and winter) in MW and annual net
five years and up to ten years into the Energy for load in GWh for at least five years and up to ten years into the future to
future, as requested. ERCOT ISO: The TPs and DPs shall perform the LSE requirements for MOD-017-0 R1.4. NERC, Texas Regional Entity, and any entities specified by the documentation in standard
MOD-016_R1.
X X The DPs shall provide information required by MOD-017 R1.4 for their respective interconnected loads to
the TPs annually, and to the Planning Authority, NERC and Texas RE upon request.
The TPs shall provide information required by MOD-017 R1.4 for their respective interconnected loads to
the Planning Authority annually, and to NERC and Texas RE upon request.
CPS: see MOD-017 R1.3 response.
MOD-018-0 R1. The Load-Serving Entity, Planning Brazos: Do we need to reference ERCOT Planning Procedures for shared duties between ERCOT and TOs? Entity A shall provide actual and forecast demand data (reported on either an aggregated TPs provide forecast data, report
Authority, Transmission Planner and or dispersed basis) to ERCOT ISO. ERCOT ISO shall provide actual and forecaset
Resource Planner’s report of actual and LCRA: Performed as Trasmission Planner (TP) demand data (reported on either an aggregated or dispersed basis) for the ERCOT Region.
forecast demand data (reported on either
an aggregated or dispersed basis) shall: Georgetown: TP currently performs this function
AEP: TOs support ERCOT in the model development through the ALDR process. ERCOT should be
responsible for providing information to NERC and RRO.
ERCOT ISO: The <<QSE for REPs or REPs>>, TPs, and DPs shall perform the LSE requirements for
MOD-018-0 R1 as stated in R1.1 through R1.3.
X X
The <<QSE for REPs or REPs>> are responsible for actual data (MOD-017 R1.1 and R1.2).
TPs and DPs are responsible for forecast data (MOD-017 R1.3 and R1.4)
CPS: ERCOT, as the PA, should be responsible for compliance with this standard system-wide. Each TP is
responsible for its individual system only. Each TP/DP submits its ALDRs to ERCOT. If a JRO for the
LSE function is needed, then it only needs to document how the TP/DP supplies its data through ALDR.
MOD-018-0 R1.1. Indicate whether the demand data of LCRA: Performed as Trasmission Planner (TP) Entity A must indicate whether the demand data of nonmember entities within an area or
nonmember entities within an area or Regional Reliability Organization are included in actual and forecast demand data
Regional Reliability Organization are Georgetown: TP currently performs this function provided to ERCOT ISO.
included, and
AEP: See above.
ERCOT ISO: The <<QSE for REPs or REPs>>, TPs, and DPs shall perform the LSE requirements for
MOD-018-0 R1.1.
The <<QSE for REPs or REPs>> shall provide the information required by MOD-018-0 R1.1 for the
portion of ERCOT interconnected load they represent to the Planning Authority annually, and to Texas RE
X X
and NERC upon request.
The DPs shall provide information required by MOD-018 R1.1 for their respective interconnected loads to
the TPs annually, and to the Planning Authority, NERC and Texas RE upon request.
The TPs shall provide information required by MOD-018 R1.1 for their respective interconnected loads to
the Planning Authority annually, and to NERC and Texas RE upon request.
CPS: see MOD-018 R1 response.
MOD-018-0 R1.2. Address assumptions, methods, and the LCRA: Performed as Trasmission Planner (TP) Entity A shall ensure data provided to ERCOT ISO addresses assumptions, methods and
manner in which uncertainties are treated the manner in which uncertainties are treated in the forecasts of aggregated peak demands
in the forecasts of aggregated peak Georgetown: TP currently performs this function and Net Energy for Load in the ERCOT region.
demands and Net Energy for Load.
AEP: See above.
ERCOT ISO: The TPs and DPs shall perform the LSE requirements for MOD-018-0 R1.2.
X X
The DPs shall provide information required by MOD-018 R1.2 for their respective interconnected loads to
the TPs annually, and to the Planning Authority, NERC and Texas RE upon request.
The TPs shall provide information required by MOD-018 R1.2 for their respective interconnected loads to
the Planning Authority annually, and to NERC and Texas RE upon request.
CPS: see MOD-018 R1 response.
MOD-018-0 R1.3. Items (MOD-018-0_R 1.1) and (MOD- LCRA: Performed as Trasmission Planner (TP) Entity A must include the following in data provided to ERCOT ISO: Items (MOD-018-
018-0_R 1.2) shall be addressed as 0_R1.1) and (MOD-018-0_R1.2) shall be addressed as described in the reporting
described in the reporting procedures Georgetown: TP currently performs this function procedures developed for Standard MOD-016-1_R1 for its facilities.
developed for Standard MOD-016-1_R
1. AEP: See above.
ERCOT ISO: The <<QSE for REPs or REPs>>, TPs, and DPs shall perform the LSE requirements for
MOD-018-0 R1.3.
The <<QSE for REPs or REPs>> shall provide the information required by MOD-018-0 R1.3 for the
X X portion of ERCOT interconnected load they represent to the Planning Authority annually, and to Texas RE
and NERC upon request.
The DPs shall provide information required by MOD-018 R1.3 for their respective interconnected loads to
the TPs annually, and to the Planning Authority, NERC and Texas RE upon request.
The TPs shall provide information required by MOD-018 R1.3 for their respective interconnected loads to
the Planning Authority annually, and to NERC and Texas RE upon request.
CPS: see MOD-018 R1 response.
MOD-018-0 R2. The Load-Serving Entity, Planning LCRA: Performed as Trasmission Planner (TP) Entity A shall report data associated with Reliability Standard MOD-018-0_R1 to
Authority, Transmission Planner, and ERCOT ISO on request (within 30 calendar days).
Resource Planner shall each report data Georgetown: TP currently performs this function
associated with Reliability Standard ERCOT ISO shall report data associated with Reliabiity standard MOD-018-0_R1 to
MOD-018-0_R1 to NERC, the Regional AEP: See above. NERC and Texas Regional Entity, on request.
Reliability Organization, Load-Serving X X
Entity, Planning Authority, and Resource ERCOT ISO: The <<QSE for REPs or REPs>>, TPs, and DPs shall perform the LSE requirements for
Planner on request (within 30 calendar MOD-018-0 R2.
days).
CPS: see MOD-018 R1 response. In addition, ERCOT reports the data to NERC/RRO upon request.
MOD-019-0 R1. The Load-Serving Entity, Planning Brazos: In ERCOT interruptible loads are separated into two groups, market based and non-market based. Entity A will provide its forecasts of interruptible demands and Direct Control Load Entity A will never have any interruptible demand provide forecasts and
Authority, Transmission Planner, and Market based are driven by contraually arrangements through the QSEs. Non-market based goes through Manangement (DCLM) data for at least five years and up to ten years into the future, as forecast. data
Resource Planner shall each provide the wire companies with forecasts drilled up by the ALDR. We have multiple entities within ERCOT requested, for summer and winter peak system conditions to provide to ERCOT ISO .
annually its forecasts of interruptible preforming this requriement. Suggest looking at recently prepared language from LSE drafting team. LSE drafting team language can aid with who does
demands and Direct Control Load ERCOT ISO shall provide annually its forecasts of interruptible demands and Direct what. Interruptible load is insignificant (under
Management (DCLM) data for at least LCRA: Performed as Trasmission Planner (TP) Control Load Manangement (DCLM) data for at least five years and up to ten years into 25MW) for Transmission companies now but that
five years and up to ten years into the the future, as requested, for summer and winter peak system conditions to provide to could change. Market based interruptible programs
future, as requested, for summer and Georgetown: TP currently performs this function NERC and any entities specified by the documentation in standard MOD-016_R1. aren't UFLS.
winter peak system conditions to NERC,
the Regional Reliability Organizations, ERCOT ISO: The TPs and DPs shall perform the LSE requirements for MOD-019-0.
and other entities (Load-Serving Entities,
Planning Authorities, and Resource The DPs shall provide information required by MOD-019 R1 for non-market based demand services for
Planners) as specified by the X their respective interconnected loads to the TPs annually, and to the Planning Authority, NERC and Texas
documentation in Reliability Standard RE upon request.
MOD-016-1_R 1.
The TPs shall provide information required by MOD-019 R1 for non-market based demand services for
their respective interconnected loads to the Planning Authority annually, and to NERC and Texas RE upon
request.
CPS: CPS Energy agrees with Brazos. In addtion, the TP/TO/DP can only be held accountable for the
ALRD data it provides. On an ERCOT wide basis, interruptible load under 25MW should be recognized as
insignificant for TP function of this standard.
ERCOT ISO: By virtue of the definition, DCLM is load related to specific appliances or equipment on the
premises of an end-use customer and Interruptible Demand/Load (ID/L) is demand made available to its
LSE via contract/agreement. ERCOT ISO does not have any such product or service under its control. The
only demand based programs ERCOT ISO operates are LaaRs and EILS, and these are considered
“resources,” not demand side management (DSM). To the extent DCLM or ID/L programs exist, they are
operated by TDSPs, DPs through tariff programs, or REPs via competitive products.
It was noted that the effect of these programs is captured in load data and forecasts provided to ERCOT
ISO. Despite the fact that the data is indirectly reflected in information provided to ERCOT ISO, the entity
operating the programs is in the best position to provide the information. Provision of the load
data/forecasts to ERCOT ISO does not transform ERCOT ISO into the LSE simply because it receives
information that reflects the effects of these programs.
The genesis of the information are the programs and products operated and offered by TOs/DPs and the
retail competitive market. To the extent it is necessary to devise a way to extract granular data that reflects
the actual performance of DCLM and ID/L programs from demand data/forecasts, that is a separate issue
unrelated to which entity is best situated to meet this requirement as the LSE.
Chain of information: Data is collected by ERCOT ISO through the ALDR process. TPs collect data from
DPs to submit to ERCOT ISO per Operating Guide Section 5.1.2. DPs in ERCOT may respond to 4CP and
may operate direct load control programs. ERCOT TDSPs may operate direct load control programs and
may also administer Standard Offer Load Management Programs authorized by statute and PUCT Rule.
ERCOT ISO administers LaaR participation in its Ancillary Services markets, and also administers EILS –
both of which are market-based resources within ERCOT.
Texas RE - February 27, 2009 Page 12 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
MOD-020-0 R1. The Load-Serving Entity, Transmission /EIL Lume: The QSE (LSE) will provide the amount of LaaR and EIL under contract for the time period Entity B must provide its amount of known interruptible demands and Direct Control May be done through contracts, including LaaR make interruptible
Planner, and Resource Planner shall each requested to the ERCOT upon request. Load Management (DCLM) to Transmission Operators, Balancing Authorities, and contract or Attachment A and B to the ERCOT demands and DCLM
make known its amount of interruptible Brazos: In ERCOT, some TOs/DPs may not have the authority to acquire DCLM data from DP serving Reliability Coordinators on request within 30 calendar days. Standard Form Emergency Interruptible Load Service known on request
demands and Direct Control Load retail loads to update ALDR. (EILS) Supplement.
Management (DCLM) to Transmission LCRA: Performed as Trasmission Planner (TP)
Operators, Balancing Authorities, and Georgetown: TP currently performs this function
Reliability Coordinators on request BP Energy: NERC defines DCLM as “Demand-Side Management that is under the direct control of the
within 30 calendar days. system operator.” As such, DCLM is not applicable to, or under the control of, QSEs. Thus, QSEs should
not be responsible for reporting regarding DCLM. With respect to interruptible demand, QSEs should only
be required to relay requests for such information to LAAR/EILS. To the extent that LAAR/EILS do not
respond to such requests or provide accurate information, the QSE should not be held responsible.
X X Oxy: No comment. Suggested Language: Pursuant to this JRO Agreement, the QSE w/Laar assumes the
LSE duties in MOD-020, R1.
Formosa: 1. Does this include Load Acting As Resource schedule not bid as Direct Control Load
Management? 2. If so, can we use the daily Bid Instructions and Resource Plan submitted to ERCOT as a
method to notify of interruptible service?
ERCOT ISO: The TPs and DPs shall perform the LSE requirements for MOD-020-0.
The TPs and DPs shall provide information required by MOD-020 R1 for non-market based demand
services for their respective interconnected loads to the Transmission Operators, Balancing Authority, and
Reliability Coordinator upon request.
CPS: CPS Energy agrees with Brazos and BP Energy.
MOD-021-0 R1. The Load-Serving Entity, Transmission Brazos: In some cases, ERCOT will need DPs help to meet this requirement. For wire companies DCLM Entity A will clearly document how Demand and energy effects of DSM programs are no additional comments - ERCOT Will provide document how things
Planner, and Resource Planner’s systems are probably so small at this time we may wish to not address this issue since we are preparing a addressed for its facilities. ERCOT ISO will clearly document how Demand and energy comments are addressed
forecasts shall each clearly document short term LSE solution. effects of DSM programs are addressed for the ERCOT region.
how the Demand and energy effects of
DSM programs (such as conservation, LCRA: Performed as Trasmission Planner (TP)
time-of-use rates, interruptible
Demands, and Direct Control Load Georgetown: TP currently performs this function
X
Management) are addressed.
ERCOT ISO:The <<QSEs for REPs or REPs>>, TPs and DPs shall perform the LSE requirements for
MOD-021-0 R1.
CPS: (LSE, TP, RP). CPS Energy agrees with Brazos in general & ERCOT will need TO/DP to confirm
forecasts.
MOD-021-0 R2. The Load-Serving Entity, Transmission Brazos: In some cases, ERCOT will need DPs help to meet this requirement. For wire companies DCLM Entity A shall include information detailing how Demand-Side Management measures are no additional comments - ERCOT Will provide detail how demandside
Planner, and Resource Planner shall each systems are probably so small at this time we may wish to not address this issue since we are preparing a addressed in the forecasts of its Peak demand and annual Net Energy for Load for its comments measures are addressed
include information detailing how short term LSE solution. facilities in the data reporting procedures of MOD-016-0_R1. in forecasts
Demand-Side Management measures are
addressed in the forecasts of its Peak LCRA: Performed as Trasmission Planner (TP) ERCOT ISO shall include information detailing how Demand-Side Management measures
Demand and annual Net Energy for Load are addressed in the forecasts for the ERCOT Region in the data reporting procedures of
in the data reporting procedures of Georgetown: TP currently performs this function Standard MOD-016-0_R1.
Standard MOD-016-0_R 1.
ERCOT ISO: The TPs and DPs shall perform the LSE requirements for MOD-021-0 R2.
X The DPs shall provide information required by MOD-021 R2 for non-market based demand services for
their respective interconnected loads to the TPs annually, and to the Planning Authority, NERC and Texas
RE upon request.
The TPs shall provide information required by MOD-021 R2 for non-market based demand services for
their respective interconnected loads to the Planning Authority annually, and to NERC and Texas RE upon
request.
CPS: (LSE, TP, RP). CPS Energy agrees with Brazos in general & ERCOT will need TO/DP to confirm
forecasts.
MOD-021-0 R3. The Load-Serving Entity, Transmission LCRA: Performed as Trasmission Planner (TP) Entity A shall make documentation on the treatment of its DSM programs for its no additional comments - ERCOT Will provide make documentation
Planner, and Resource Planner shall each facilities available to NERC on request. comments available on request
make documentation on the treatment of Georgetown: TP currently performs this function
its DSM programs available to NERC on ERCOT ISO will make documentation on the treatment of its DSM programs for the
request (within 30 calendar days). X ERCOT ISO: The <<QSEs for REPs or REPs>>, TPs and DPs shall perform the LSE requirements for ERCOT region available to NERC on request.
MOD-021-0 R3.
CPS: (LSE, TP, RP). CPS Energy agrees with Brazos in general & ERCOT will need TO/DP to confirm
forecasts, & document program (need to be available).
PRC-007-0 R2. The Transmission Owner, Transmission Brazos: Already applies to TOs/DPs. Entity A provide data and update
Operator, Distribution Provider, and annually
Load-Serving Entity that owns or LCRA: Performed as Trasmission Owner (TO)
operates a UFLS program (as required by
its Regional Reliability Organization) CPS: (TO, TOP, DP, LSE) CPS Energy agrees with Brazos & LCRA and feels we already comply through
shall provide, and annually update, its X the annual ERCOT UFLS annual update. CPS Energy can submit proof (ERCOT UFLS annual update) and
underfrequency data as necessary for its can show internal Operating Procedure E-11 UFLS load survey. ERCOT Operation should show overall
Regional Reliability Organization to ERCOT wide UFLS program.
maintain and update a UFLSprogram
database.
PRC-009-0 R1. The Transmission Owner, Transmission Brazos: Already applies to TOs/DPs. Since frequency is system-wide issue, ERCOT must be involved in Entity A analyze and document
Operator, Load-Serving Entity, and analysis and performance. ufls program, address
Distribution Provider that owns or certain things in sub
operates a UFLS program (as required by LCRA: Performed as Trasmission Owner (TO) requirements
its Regional Reliability Organization)
shall analyze and document its UFLS CPS: (TO, TOP, LSE, DP) ERCOT would need to enter into an JRO with TOs/DPs to document
program performance in accordance with responsibilities. This is most likely Not Applicable to ERCOT because ERCOT does not own and operate
its Regional Reliability Organization’s the UFLS systems, the TO/DP does. ERCOT should be responsible for the program. Need to know results
UFLS program. The analysis shall of ERCOT audit for further direction.
X
address the performance of UFLS
equipment and program effectiveness
following system events resulting in
system frequency excursions below the
initializing set points of the UFLS
program. The analysis shall include, but
not be limited to:
PRC-009-0 R1.1. A description of the event including LCRA: Performed as Trasmission Owner (TO) Entity A
initiating conditions. X
CPS: see PRC-009 R1.
PRC-009-0 R1.2. A review of the UFLS set points and LCRA: Performed as Trasmission Owner (TO) Entity A
tripping times. X
CPS: see PRC-009 R1.
PRC-009-0 R1.3. A simulation of the event. LCRA: Performed as Trasmission Owner (TO) Entity A
X
CPS: see PRC-009 R1.
PRC-009-0 R1.4. A summary of the findings. LCRA: Performed as Trasmission Owner (TO) Entity A
X
CPS: see PRC-009 R1.
PRC-009-0 R2. The Transmission Owner, Transmission LCRA: Performed as Trasmission Owner (TO) Any Entity A that owns or operates a UFLS program shall provide documentation of the same as PRC-009 R1
Operator, Load-Serving Entity, and analysis of the UFLS program for its facilities to its the TOP, Texas RE, and NERC on
Distribution Provider that owns or CPS: ERCOT should be accountable for submitting ERCOT wide UFLS performance report summary request 90 calendar days after the system event.
operates a UFLS program (as required by within 90 days after event. The JRO only documents each TO's participation as defined in the ERCOT
its Regional Reliability Organization) UFLS annual load survey. ERCOT ISO shall provide documentation of the UFLS program for the ERCOT region to
shall provide documentation of the NERC and Texas RE on request 90 calendar days after the system event.
X
analysis of the UFLS program to its
Regional Reliability Organization and
NERC on request 90 calendar days after
the system event.
PRC-010-0 R1. The Load-Serving Entity, Transmission CPS: (LSE, TO, TOP, DP) This is possibly Not Applicable N/A in ERCOT because ERCOT does not have a Any Entity A that owns or operates a UVLS program shall periodically (at least every five Doc - general note, need to check ones that aare conduct assessment of
Owner, Transmission Operator, and defined system wide UVLS program. As the TOP, ERCOT would need to show how it conducts and years or as required by changes in system conditions) conduct and document an marked to TO or DP, to see if it should be in DP uvls program every 5
Distribution Provider that owns or documents the assesment for the ERCOT region. assessment of the effectiveness of the UVLS program for its facilities and provide to column years or as required by
operates a UVLS program shall ERCOT ISO as TOP. changes in system
periodically (at least every five years or condition
as required by changes in system ERCOT ISO must periodically (at least every five years or as required by changes in
conditions) conduct and document an X system conditions) conduct and document an assessment of the effectiveness of the
assessment of the effectiveness of the UVLS program for the ERCOT region.
UVLS program. This assessment shall be
conducted with the associated
Transmission Planner(s) and Planning
Authority(ies).
PRC-010-0 R1.1. This assessment shall include, but is not CPS: see PRC-010 R1. Any Entity A that owns or operates a UVLS program shall periodically (at least every five no additional comments description of
limited to: years or as required by changes in system conditions) conduct and document an assessment
assessment of the effective ness of the UVLS program for its facilities and provide to
ERCOT ISO as TOP.
X
ERCOT ISO must periodically (at least every five years or as required by changes in
system conditions) conduct and document an assessment of the effective ness of the
UVLS program for the ERCOT region.
PRC-010-0 R1.1.1 Coordination of the UVLS programs with CPS: see PRC-010 R1. Any Entity A that owns or operates a UVLS program shall periodically (at least every five no additional comments description of
. other protection and control systems in years or as required by changes in system conditions) conduct and document an assessment
the Region and with other Regional assessment of the effectiveness of the UVLS program for its facilities and provide to
Reliability Organizations, as appropriate. ERCOT ISO as TOP.
X
ERCOT ISO must periodically (at least every five years or as required by changes in
system conditions) conduct and document an assessment of the effective ness of the
UVLS program for the ERCOT region.
PRC-010-0 R1.1.2 Simulations that demonstrate that the CPS: see PRC-010 R1. Any Entity A that owns or operates a UVLS program shall periodically (at least every five no additional comments description of
. UVLS programs performance is years or as required by changes in system conditions) conduct and document an assessment
consistent with Reliability Standards TPL- assessment of the effective ness of the UVLS program for its facilities and provide to
001-0, TPL-002-0, TPL-003-0 and TPL- ERCOT ISO as TOP.
004-0. X
ERCOT ISO must periodically (at least every five years or as required by changes in
system conditions) conduct and document an assessment of the effective ness of the
UVLS program for the ERCOT region.
PRC-010-0 R1.1.3 A review of the voltage set points and CPS: see PRC-010 R1. Any Entity A that owns or operates a UVLS program shall periodically (at least every five no additional comments description of
. timing. years or as required by changes in system conditions) conduct and document an assessment
assessment of the effectiveness of the UVLS program for its facilities and provide to
ERCOT ISO as TOP.
X
ERCOT ISO must periodically (at least every five years or as required by changes in
system conditions) conduct and document an assessment of the effectiveness of the
UVLS program for the ERCOT region.
PRC-010-0 R2. The Load-Serving Entity, Transmission CPS: see PRC-010 R1. Any Entity A that owns or operates a UVLS program shall provide documentation fo its no additional comments provide documentation
Owner, Transmission Operator, and current UVLS program assessment for its facilities to ERCOT ISO as TOP, and NERC, on request
Distribution Provider that owns or and Texas RE on request (within 30 calendar days).
operates a UVLS program shall provide
documentation of its current UVLS X ERCOT ISO shall provide documentation of the current UVLS program assessment for
program assessment to its Regional the ERCOT region to NERC and Texas RE on request (within 30 calendar days).
Reliability Organization and NERC on
request (30 calendar days).
PRC-022-1 R1. Each Transmission Operator, Load- Georgetown: DP currently performs this function Any Entity A that operates a UVLS program in the BES shall analyze and document all TO and DP will be registered fi they have UVLS mitigate risk of voltage
Serving Entity, and Distribution Provider UVLS operations and Misoperations on its facilities and provide to ERCOT ISO as TOP. program collapse, analyze uvls
that operates a UVLS program to CPS: (TOP, DP, LSE). This is possibly Not Applicable N/A in ERCOT because ERCOT does not have a The analysis shall include: operations and
mitigate the risk of voltage collapse or defined system wide UVLS program. As the TOP, ERCOT would need to show how it conducts and misoperations
voltage instability in the BES shall X documents the assesment for the ERCOT region. ERCOT ISO shall analyze and document all UVLS operations and Misoperations for the
analyze and document all UVLS ERCOT region. The analysis shall include:
operations and Misoperations. The
analysis shall include:
PRC-022-1 R1.1. A description of the event including Georgetown: DP currently performs this function Entity A and ERCOT ISO, as applicable. no additional comments details of analysis
initiating conditions. X
CPS: see PRC-022 R1.
PRC-022-1 R1.2. A review of the UVLS set points and Georgetown: DP currently performs this function Entity A and ERCOT ISO, as applicable. no additional comments details of analysis
tripping times. X
CPS: see PRC-022 R1.
Texas RE - February 27, 2009 Page 13 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
3ba2745b-19a1-4d59-9111-49abaa4009f3.xls
QSE
ERC w/L TO
Standard Req. Text of Requirement OT AAR or DP Stakeholder Comments JRO Consensus Comments for Requirements Compliance Evidence Comments
ISO , DP
QSE
PRC-022-1 R1.3. A simulation of the event, if deemed /EIL Georgetown: DP currently performs this function Entity A and ERCOT ISO, as applicable. no additional comments details of analysis
appropriate by the Regional Reliability
Organization. For most events, analysis CPS: see PRC-022 R1.
X
of sequence of events may be sufficient
and dynamic simulations may not be
needed.
PRC-022-1 R1.4. A summary of the findings. Georgetown: DP currently performs this function Entity A and ERCOT ISO, as applicable. no additional comments details of analysis
X
CPS: see PRC-022 R1.
PRC-022-1 R1.5. For any Misoperation, a Corrective Georgetown: DP currently performs this function Entity A and ERCOT ISO, as applicable. no additional comments details of analysis
Action Plan to avoid future X
Misoperations of a similar nature. CPS: see PRC-022 R1.
PRC-022-1 R2. Each Transmission Operator, Load- Georgetown: DP currently performs this function Each Entity A that operates a UVLS program shall provide documentation of its analysis no additional comments provide documentation
Serving Entity, and Distribution Provider of UVLS program performance for its facilities to ERCOT ISO within 90 calendar days within 90 days of
that operates a UVLS program shall CPS: see PRC-022 R1. of a request. request
provide documentation of its analysis of X
UVLS program performance to its
Regional Reliability Organization within
90 calendar days of a request.
TOP-001-1 R4. Each Distribution Provider and Load- Lume: The QSE (LSE) will have the documentation described in IRO-001-1 R8 above as measure of Entity A and Entity B shall comply with Reliability Coordinator directives unless such This is an event driven requirement only if comply with reliability
Serving Entity shall comply with all compliance for this requirement. actions would violate safety, equipment, or regulatory or statutory requirements. Under LaaR or EILS is asked to deploy would directives unless…..
reliability directives issued by the BP Energy: A QSE should only be required to communicate information from its LAAR or EILS to the these circumstances, Entity A and Entity B shall immediately inform the Reliability we need evidence of such deployment.
Transmission Operator, including ERCOT ISO or the Transmission Operator and vice versa. Coordinator of the inability to perform the directive so that the Reliability Coordinator
shedding firm load, unless such actions Furthermore, given that the QSE only acts as a communication interface between the ERCOT ISO and may implement alternate remedial actions.
would violate safety, equipment, LAAR/EILS, TRE should provide QSEs with guidance regarding what information would satisfy to prove
regulatory or statutory requirements. compliance with the requirement. If directed by the Reliability Coordinator, Entity B shall immediately instruct its LaaR Some EILS QSEs want qualifier to
Under these circumstances, the Oxy: This requirement should apply to the TDSP/TO and to the municipal and cooperative utilities and EILS that the Reliability Coordinator has issued a directive that requires the EILS or provide that any LaaR or EILS resource
Distribution Provider or Load-Serving operating as a DP and not to the QSE w/LaaR. However, to the extent this requirement is meant to have the LaaR to deploy. shall not be required to inform Entity B of
Entity shall immediately inform the QSE deploy LaaRs, the Agreement should state clearly that the "reliability directives" referred to in TOP- its inability to comply unless the failure of
Transmission Operator of the inability to 001, R4 are those reliability directives that involve the deployment of LaaRs and those that the QSE w/LaaR Entity B shall notify each LaaR or EILS resources that if it is unable to immediately the LaaR or EILS resource to comply
perform the directive so that the is capable of and required to perform under the ERCOT Protocols and Operating Guides. Suggested deploy, the Laar or EILS must immediately inform Entity B so that Entity B may
Transmission Operator can implement Language: Pursuant to this JRO Agreement, the QSE w/Laar assumes the LSE duties of TOP-001, R4 on immediately inform the Reliability Coordinator.
exceeds 25 MW of peak curtailable load.
X **
alternate remedial actions. the basis that the "reliability directives" referred to in R4 are those directives that invlove the
deployment of LaaRs and those that the QSE w/LaaR are reasonably capable of and required to Entity B must immediately notify the Reliability Coordinator if (a) the LaaR or EILS
perform under the ERCOT Protocols and Operatings Guides. notifies Entity B that it is not able to deploy, or (b) Entity B is otherwise aware that the
Georgetown: DP currently performs this function LaaR or EILS is not able to deploy.
Formosa: Voice recordings and/or log books would be required here to document instructions and
communications.
CPS: (BA, TOP, GOP, DP, LSE) ERCOT, as the TOP/BA needs to provide documentation defining the
firm loads available to be shed and the associated program/procedures. ERCOT also needs to provide the
documented LaaR & EILS programs and associated contracts.
TOP-002-2 R3. Each Load-Serving Entity and Generator BP Energy: To the extent the TRE requires QSEs to supply data to ERCOT or a Transmission Provider, the 1. Entity B must provide Attachment A and B to the ERCOT Standard Form Emergency Need to see the commitment - contract coordinate operations
Operator shall coordinate (where TRE should only require QSEs to pass on such information it receives from its LAAR or EILS. Interruptible Load Service (EILS) Supplement to ERCOT submit and update a Daily (no financials), resource plan, etc. Term with BA and TSP
confidentiality agreements allow) its Resource Plan or contract [or other commitment] for all LaaR and EILS that have a sheet.
current-day, next-day, and seasonal Oxy: The Agreement should state clearly that the coordination of "current-day, next-day, and seasonal curtailable peak load greater than 25 MW that it represents, pursuant to the ERCOT
operations with its Host Balancing operations" referred to in TOP-002, R3 refers to information supplied by the QSE w/LaaR as required by Protocols and Operating Guides.
Authority and Transmission Service the ERCOT Protocols and Operating Guides such as the Resource Plan and LaaR outage plans (seasonal
Provider. Each Balancing Authority and operations). Suggested Language: Pursuant to this JRO Agreement, the QSE w/LaaR assumes the LSE 2. For seasonal operations, Entity B must also submit any planned LaaR or EILS outages
Transmission Service Provider shall duties of TOP-002, R3 on the basis that the coordination of "current-day, next-day, and seasonal operations" or unavailabilities, pursuant to the ERCOT Protocols or Operating Guides to the extent it
coordinate its current-day, next-day, and referred to in R3 means the data routinely supplied to ERCOT by the QSE such as the Resource Plan, and, is aware of such unavailability.
seasonal operations with its for seasonal operations, LaaR planned outage periods and other such information as required by the
Transmission Operator. X ERCOT Protocols and Operating Guides.
Georgetown: GOP currently performs this function
Formosa: I believe most of this information is in the Resource Plan and bid instructions submitted to
ERCOT each day. Will the Resource Plan and Bid Instructions be acceptable to auditors and meet this
requirement?
CPS: No comment
TOP-002-2 R18. Neighboring Balancing Authorities, Georgetown: TOP currently performs this function Entity A shall use use uniform identifiers when referring to transmission facilities of an TOs use uniform line identifiers use uniform line
Transmission Operators, Generator interconnected network. identifiers
Operators, Transmission Service CPS: ERCOT, as BA/TOP provides this throught the existing ERCOT network models & planning models
Providers, and Load-Serving Entities X (for example use uniform line adentifiers & data dictionary). ERCOT JRO documents this & defining how
shall use uniform line identifiers when each TO provides its data & this is what the JRO needs to document.
referring to transmission facilities of an
interconnected network.
RegistrationKey:
LUME (If it’s Luminant) – PSE, GO, GOP,
Brazos Electric coop – DP, TO, TP, GO, GOP
BP Energy – PSE
College Station – DP, TO, TP
Oncor – DP, TO, TP
LCRA – TO, TP
Oxy – GO, GOP
Georgetown – DP, TO
CenterPoint – DP, TO, TP
AEP – TO, DP, GO, GOP, PSE
Formosa Utility Venture – GO, GOP
Sharyland Utilities – DP, TO, TP
Texas RE - February 27, 2009 Page 14 of 14 From FERC Approved Standards - Last Updated by NERC September 13, 2008
