Summary Standards

Document Sample
Summary Standards Powered By Docstoc
					                                   Number of Reliability Standards
Year                               2007             2008             2009          2010

Compliance Audit                    39               60              49             55

Self Certification                  39               60              52             59

Periodic Data Submittals             --               --             12             15

Exception Reporting                 --                --             14             19

Spot Check                          0                 0              13             17
Subject to Compliance
Violation Investigation              --               --             94             95

Subject to Self Reporting            --               --             94             95

Subject to Complaint                 --               --             94             95




                            2010 CMEP Reliability Standards Summary
       Reliability
                                Mandatory     Compliance            Self
        Standard                                                                Spot Check
                               Effective Date   Audit           Certification
    (FERC Approved)

                                                                                             Page 1 of 235
Summary Standards                                                                               2/22/2010
                     2010 CMEP Reliability Standards Summary
      Reliability
                         Mandatory     Compliance        Self
       Standard                                                      Spot Check
                        Effective Date   Audit       Certification
   (FERC Approved)
                            as of
BAL-001-0.1a
                          5/13/2009
BAL-002-0                                  X              X
                            as of
BAL-003-0.1b                               X              X               X
                          5/13/2009
BAL-004-0
                            as of
BAL-005-0.1b                               X              X
                          5/13/2009
BAL-006-1
                            as of
COM-001-1.1                                X              X
                          5/13/2009
COM-002-2                                  X              X
CIP-001-1                                  X              X
CIP-002-1                                  X         Semi-Annual          X

CIP-003-1                                  X         Semi-Annual          X

CIP-004-1                                  X         Semi-Annual          X

CIP-005-1                             eff 7/1/2010   Semi-Annual     eff 7/1/2010



                                                                                    Page 2 of 235
Summary Standards                                                                      2/22/2010
                     2010 CMEP Reliability Standards Summary
      Reliability
                         Mandatory     Compliance        Self
       Standard                                                      Spot Check
                        Effective Date   Audit       Certification
   (FERC Approved)
CIP-006-1                             eff 7/1/2010   Semi-Annual     eff 7/1/2010

CIP-007-1                                  X         Semi-Annual          X

CIP-008-1                                  X         Semi-Annual          X

CIP-009-1                                  X         Semi-Annual          X
EOP-001-0                                  X              X
                            as of
EOP-002-2.1                                X              X
                          5/13/2009
EOP-003-1                                  X              X
EOP-004-1
EOP-005-1                                  X              X
EOP-006-1                                  X              X               X
EOP-008-0                                  X              X
EOP-009-0
FAC-001-0                                  X              X
FAC-002-0                                  X              X
FAC-003-1                                  X              X
FAC-008-1                                  X              X
FAC-009-1                                  X              X               X

                                                                                    Page 3 of 235
Summary Standards                                                                      2/22/2010
                     2010 CMEP Reliability Standards Summary
      Reliability
                         Mandatory     Compliance       Self
       Standard                                                     Spot Check
                        Effective Date   Audit      Certification
   (FERC Approved)
                            as of
FAC-010-2                                  X             X
                          4/29/2009
                            as of
FAC-011-2                                  X             X
                          4/29/2009
FAC-013-1                                                X              X
                            as of
FAC-014-2                                  X             X              X
                          4/29/2009
INT-001-3
INT-003-2
INT-004-2                                                               X
INT-005-2
INT-006-2
INT-007-1
INT-008-2
INT-009-1
INT-010-1
                            as of
IRO-001-1.1                                X             X
                          5/13/2009
IRO-002-1                                  X             X
IRO-003-2                                  X             X
IRO-004-1                                  X             X


                                                                                 Page 4 of 235
Summary Standards                                                                   2/22/2010
                     2010 CMEP Reliability Standards Summary
      Reliability
                         Mandatory     Compliance       Self
       Standard                                                     Spot Check
                        Effective Date   Audit      Certification
   (FERC Approved)
IRO-005-2               as of 1/22/09*     X             X
IRO-006-4                                  X             X              X
IRO-014-1                                                               X
IRO-015-1
IRO-016-1
                            as of
MOD-006-0.1
                          5/13/2009
MOD-007-0
MOD-010-0                                                X
MOD-012-0                                                X
                            as of
MOD-16-1.1
                          5/13/2009
                            as of
MOD-017-0.1
                          5/13/2009
MOD-018-0
                            as of
MOD-019-0.1
                          5/13/2009
MOD-020-0
MOD-021-0
NUC-001-1               as of 4/01/10      X             X


                                                                                 Page 5 of 235
Summary Standards                                                                   2/22/2010
                    2010 CMEP Reliability Standards Summary
      Reliability
                        Mandatory     Compliance       Self
      Standard                                                     Spot Check
                       Effective Date   Audit      Certification
  (FERC Approved)
PER-001-0                                 X             X
PER-002-0                                 X             X
PER-003-0                                 X             X
PER-004-1                                 X             X
PRC-001-1                                 X             X
PRC-004-1                                 X             X
PRC-005-1                                 X             X
PRC-007-0
PRC-008-0                                 X             X
PRC-009-0
PRC-010-0                                                              X
PRC-011-0                                                              X
PRC-015-0
                           as of
PRC-16-0.1
                         5/13/2009
PRC-017-0                                 X             X
PRC-018-1
PRC-021-1
PRC-022-1
TOP-001-1                                 X             X
TOP-002-2                                 X             X
TOP-003-0                4/1/2009                       X              X

                                                                                Page 6 of 235
Summary Standards                                                                  2/22/2010
                    2010 CMEP Reliability Standards Summary
      Reliability
                          Mandatory     Compliance        Self
      Standard                                                        Spot Check
                         Effective Date   Audit       Certification
  (FERC Approved)
TOP-004-2                as of 1/22/09      X              X
                             as of
TOP-005-1.1
                          5/13/2009
TOP-006-1                                   X              X
TOP-007-0                                   X              X
TOP-008-1                                   X              X
                             as of
TPL-001-0.1                                 X              X
                           5/13/2009
TPL-002-0                                   X              X
TPL-003-0                                   X              X
TPL-004-0                                                  X
VAR-001-1                                   X              X
                             as of
VAR-002-1.1a                                X              X
                           5/13/2009
                    95                           55              60                19




                                                                                        Page 7 of 235
Summary Standards                                                                          2/22/2010
                                      Number of Requirements
Year                             2007               2008           2009         2010
Compliance Audit                  385                610            418          554
Self Certification                385                610            548          579
Periodic Data
Submittals                        --                 --              79          55
Exception Reporting               --                 --             102          58
Spot Check                        0                  0              106         259

Subject to
Compliance Violation
Investigation                     --                 --            1012         1016
Subject to Self
Reporting                         --                 --            1012         1016

Subject to Complaint              --                 --            1012         1016




                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance                      Self         Spot
   Standard     Requirement Number
                                     Audit                     Certification   Check
(FERC Approved)
BAL-001-0.1a           R1.
BAL-001-0.1a           R2.

                                                                                       Page 8 of 235
Summary Requirements                                                                      2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
BAL-001-0.1a           R3.
BAL-001-0.1a           R4.
BAL-002-0              R1.                    X            X
BAL-002-0              R1.1.                  X            X
BAL-002-0              R2.                    X            X
BAL-002-0              R2.1.                  X            X
BAL-002-0              R2.2.
BAL-002-0              R2.3.
BAL-002-0              R2.4.
BAL-002-0              R2.5.
BAL-002-0              R2.6.
BAL-002-0              R3.                    X            X
BAL-002-0              R3.1.                  X            X
BAL-002-0              R4.
BAL-002-0              R4.1.
BAL-002-0              R4.2.
BAL-002-0              R5.
BAL-002-0              R5.1.
BAL-002-0              R5.2.
BAL-002-0              R6.
BAL-002-0              R6.1.


                                                                             Page 9 of 235
Summary Requirements                                                            2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
BAL-002-0              R6.2.
BAL-003-0.1b           R1.                    X            X          X
BAL-003-0.1b           R1.1.                  X            X          X
BAL-003-0.1b           R1.2.                  X            X          X
BAL-003-0.1b           R2.                    X            X          X
BAL-003-0.1b           R2.1.                  X            X          X
BAL-003-0.1b           R2.2.                  X            X          X
BAL-003-0.1b           R3.
BAL-003-0.1b           R4.
BAL-003-0.1b           R4.1.
BAL-003-0.1b           R4.2.
BAL-003-0.1b           R5.                    X            X          X
BAL-003-0.1b           R5.1.                  X            X          X
BAL-003-0.1b           R6.
BAL-004-0              R1.
BAL-004-0              R2.
BAL-004-0              R3.
BAL-004-0              R3.1.
BAL-004-0              R3.2.
BAL-004-0              R4.
BAL-004-0              R4.1.


                                                                             Page 10 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
BAL-005-0.1b           R1.
BAL-005-0.1b           R1.1.
BAL-005-0.1b           R1.2.
BAL-005-0.1b           R1.3.
BAL-005-0.1b           R2.                    X            X
BAL-005-0.1b           R3.
BAL-005-0.1b           R4.
BAL-005-0.1b           R5.
BAL-005-0.1b           R6.
BAL-005-0.1b           R7.
BAL-005-0.1b           R8.
BAL-005-0.1b           R8.1.
BAL-005-0.1b           R9.
BAL-005-0.1b           R9.1.
BAL-005-0.1b           R10.                   X            X
BAL-005-0.1b           R11.
BAL-005-0.1b           R12.
BAL-005-0.1b           R12.1.
BAL-005-0.1b           R12.2.
BAL-005-0.1b           R12.3.
BAL-005-0.1b           R13.


                                                                             Page 11 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
BAL-005-0.1b           R14.
BAL-005-0.1b           R15.
BAL-005-0.1b           R16.
BAL-005-0.1b           R17.
BAL-006-1              R1.
BAL-006-1              R2.
BAL-006-1              R3.
BAL-006-1              R4.
BAL-006-1              R4.1.
BAL-006-1              R4.1.1.
BAL-006-1              R4.1.2.
BAL-006-1              R4.2.
BAL-006-1              R4.3.
BAL-006-1              R5.
COM-001-1              R1.                    X            X
COM-001-1              R1.1.                  X            X
COM-001-1              R1.2.                  X            X
COM-001-1              R1.3.                  X            X
COM-001-1              R1.4.                  X            X
COM-001-1              R2.
COM-001-1              R3.


                                                                             Page 12 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
COM-001-1              R4.
COM-001-1              R5.                    X            X
COM-001-1              R6.
COM-002-2              R1.                    X           X
COM-002-2              R1.1.                  X           X
COM-002-2              R2.                    X           X
CIP-001-1              R1.                    X           X
CIP-001-1              R2.                    X           X
CIP-001-1              R3.                    X           X
CIP-001-1              R4.                    X           X
CIP-002-1              R1.                    X      Semi-Annual      X
CIP-002-1              R1.1.                  X      Semi-Annual      X
CIP-002-1              R1.2.                  X      Semi-Annual      X
CIP-002-1              R1.2.1.                X      Semi-Annual      X
CIP-002-1              R1.2.2.                X      Semi-Annual      X
CIP-002-1              R1.2.3.                X      Semi-Annual      X
CIP-002-1              R1.2.4.                X      Semi-Annual      X
CIP-002-1              R1.2.5.                X      Semi-Annual      X
CIP-002-1              R1.2.6.                X      Semi-Annual      X
CIP-002-1              R1.2.7.                X      Semi-Annual      X
CIP-002-1              R2.                    X      Semi-Annual      X


                                                                             Page 13 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-002-1              R3.                      X        Semi-Annual           X
CIP-002-1              R3.1.                    X        Semi-Annual           X
CIP-002-1              R3.2.                    X        Semi-Annual           X
CIP-002-1              R3.3.                    X        Semi-Annual           X
CIP-002-1              R4.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R1.                      X        Semi-Annual           X
CIP-003-1              R1.1.                    X        Semi-Annual           X
CIP-003-1              R1.2.                    X        Semi-Annual           X
CIP-003-1              R1.3.                    X        Semi-Annual           X
CIP-003-1              R2.                      X        Semi-Annual           X
CIP-003-1              R2.1.                    X        Semi-Annual           X
CIP-003-1              R2.2.                    X        Semi-Annual           X
CIP-003-1              R2.3.                    X        Semi-Annual           X
CIP-003-1              R3.                      X        Semi-Annual           X
CIP-003-1              R3.1.                    X        Semi-Annual           X
CIP-003-1              R3.2.                    X        Semi-Annual           X
CIP-003-1              R3.3.                    X        Semi-Annual           X
CIP-003-1              R4.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R4.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R4.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R4.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010


                                                                                        Page 14 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-003-1              R5.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R5.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R5.1.1.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R5.1.2.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R5.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R5.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-003-1              R6.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-004-1              R1.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-004-1              R2.                      X        Semi-Annual           X
CIP-004-1              R2.1.                    X        Semi-Annual           X
CIP-004-1              R2.2.                    X        Semi-Annual           X
CIP-004-1              R2.2.1.                  X        Semi-Annual           X
CIP-004-1              R2.2.2.                  X        Semi-Annual           X
CIP-004-1              R2.2.3.                  X        Semi-Annual           X
CIP-004-1              R2.2.4.                  X        Semi-Annual           X
CIP-004-1              R2.3.                    X        Semi-Annual           X
CIP-004-1              R3.                      X        Semi-Annual           X
CIP-004-1              R3.1.                    X        Semi-Annual           X
CIP-004-1              R3.2.                    X        Semi-Annual           X
CIP-004-1              R3.3.                    X        Semi-Annual           X
CIP-004-1              R4.                      X        Semi-Annual           X


                                                                                        Page 15 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-004-1              R4.1.                    X        Semi-Annual           X
CIP-004-1              R4.2.                    X        Semi-Annual           X
CIP-005-1              R1.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R1.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R1.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R1.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R1.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R1.5.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R1.6.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.5.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.5.1.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.5.2.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.5.3.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.5.4.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R2.6.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R3.                eff 7/1/2010   Semi-Annual     eff 7/1/2010


                                                                                        Page 16 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-005-1              R3.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R3.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R4.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R4.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R4.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R4.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R4.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R4.5.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R5.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R5.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R5.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-005-1              R5.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.5.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.6.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.7.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R1.8.              eff 7/1/2010   Semi-Annual     eff 7/1/2010


                                                                                        Page 17 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-006-1              R1.9.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R2.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R2.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R2.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R2.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R2.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R3.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R3.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R3.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R4.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R4.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R4.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R4.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R5.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R6.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R6.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R6.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-006-1              R6.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R1.                      X        Semi-Annual           X
CIP-007-1              R1.1.                    X        Semi-Annual           X
CIP-007-1              R1.2.                    X        Semi-Annual           X


                                                                                        Page 18 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-007-1              R1.3.                    X        Semi-Annual           X
CIP-007-1              R2.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R2.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R2.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R2.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R3.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R3.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R3.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R4.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R4.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R4.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.1.1.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.1.2.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.1.3.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.2.1.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.2.2.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.2.3.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010


                                                                                        Page 19 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-007-1              R5.3.1.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.3.2.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R5.3.3.            eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R6.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R6.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R6.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R6.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R6.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R6.5.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R7.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R7.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R7.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R7.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R8.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R8.1.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R8.2.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R8.3.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R8.4.              eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-007-1              R9.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-008-1              R1.                      X        Semi-Annual           X
CIP-008-1              R1.1.                    X        Semi-Annual           X


                                                                                        Page 20 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance                Self           Spot
   Standard     Requirement Number
                                     Audit               Certification     Check
(FERC Approved)
CIP-008-1              R1.2.                    X        Semi-Annual           X
CIP-008-1              R1.3.                    X        Semi-Annual           X
CIP-008-1              R1.4.                    X        Semi-Annual           X
CIP-008-1              R1.5.                    X        Semi-Annual           X
CIP-008-1              R1.6.                    X        Semi-Annual           X
CIP-008-1              R2.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-009-1              R1.                      X        Semi-Annual           X
CIP-009-1              R1.1.                    X        Semi-Annual           X
CIP-009-1              R1.2.                    X        Semi-Annual           X
CIP-009-1              R2.                      X        Semi-Annual           X
CIP-009-1              R3.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-009-1              R4.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
CIP-009-1              R5.                eff 7/1/2010   Semi-Annual     eff 7/1/2010
EOP-001-0              R1.                      X             X
EOP-001-0              R2.
EOP-001-0              R3.
EOP-001-0              R3.1.
EOP-001-0              R3.2.
EOP-001-0              R3.3.
EOP-001-0              R3.4.
EOP-001-0              R4.


                                                                                        Page 21 of 235
Summary Requirements                                                                        2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
EOP-001-0              R4.1.
EOP-001-0              R4.2.
EOP-001-0              R4.3.
EOP-001-0              R4.4.
EOP-001-0              R5.
EOP-001-0              R6.
EOP-001-0              R7.
EOP-001-0              R7.1.
EOP-001-0              R7.2.
EOP-001-0              R7.3.
EOP-001-0              R7.4.
EOP-002-2              R1.                    X            X
EOP-002-2              R2.                    X            X
EOP-002-2              R3.                    X            X
EOP-002-2              R4.                    X            X
EOP-002-2              R5.                    X            X
EOP-002-2              R6.                    X            X
EOP-002-2              R6.1.                  X            X
EOP-002-2              R6.2.                  X            X
EOP-002-2              R6.3.                  X            X
EOP-002-2              R6.4.                  X            X


                                                                             Page 22 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
EOP-002-2              R6.5.                  X            X
EOP-002-2              R6.6.                  X            X
EOP-002-2              R7.                    X            X
EOP-002-2              R7.1.                  X            X
EOP-002-2              R7.2.                  X            X
EOP-002-2              R8.                    X            X
EOP-002-2              R9.                    X            X
EOP-002-2              R9.1.                  X            X
EOP-002-2              R9.2.                  X            X
EOP-002-2              R9.3.
EOP-002-2              R9.4.
EOP-003-1              R1.                    X            X
EOP-003-1              R2.                    X            X
EOP-003-1              R3.                    X            X
EOP-003-1              R4.                    X            X
EOP-003-1              R5.                    X            X
EOP-003-1              R6.                    X            X
EOP-003-1              R7.                    X            X
EOP-003-1              R8.                    X            X
EOP-004-1              R1.
EOP-004-1              R2.


                                                                             Page 23 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
EOP-004-1              R3.
EOP-004-1              R3.1.
EOP-004-1              R3.2.
EOP-004-1              R3.3.
EOP-004-1              R3.4.
EOP-004-1              R4.
EOP-004-1              R5.
EOP-005-1              R1.                    X            X
EOP-005-1              R2.                    X            X
EOP-005-1              R3.                    X            X
EOP-005-1              R4.                    X            X
EOP-005-1              R5.                    X            X
EOP-005-1              R6.                    X            X
EOP-005-1              R7.                    X            X
EOP-005-1              R8.
EOP-005-1              R9.                    X            X
EOP-005-1              R10.
EOP-005-1              R10.1.
EOP-005-1              R11.                   X            X
EOP-005-1              R11.1.
EOP-005-1              R11.2.                 X            X


                                                                             Page 24 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
EOP-005-1              R11.3.                 X            X
EOP-005-1              R11.4.                 X            X
EOP-005-1              R11.5.
EOP-005-1              R11.5.1.               X            X
EOP-005-1              R11.5.2.               X            X
EOP-005-1              R11.5.3.
EOP-005-1              R11.5.4.               X            X
EOP-006-1              R1.                                            X
EOP-006-1              R2.                    X            X
EOP-006-1              R3.                                            X
EOP-006-1              R4.
EOP-006-1              R5.                    X            X
EOP-006-1              R6.
EOP-008-0              R1.                    X            X
EOP-008-0              R1.1.                  X            X
EOP-008-0              R1.2.                  X            X
EOP-008-0              R1.3.                  X            X
EOP-008-0              R1.4.                  X            X
EOP-008-0              R1.5.                  X            X
EOP-008-0              R1.6.                  X            X
EOP-008-0              R1.7.                  X            X


                                                                             Page 25 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
EOP-008-0              R1.8.                  X            X
EOP-009-0              R1.
EOP-009-0              R2.
FAC-001-0              R1.                    X            X
FAC-001-0              R1.1.                  X            X
FAC-001-0              R1.2.                  X            X
FAC-001-0              R1.3.                  X            X
FAC-001-0              R2.                    X            X
FAC-001-0              R2.1.                  X            X
FAC-001-0              R2.1.1.                X            X
FAC-001-0              R2.1.10.               X            X
FAC-001-0              R2.1.11.               X            X
FAC-001-0              R2.1.12.               X            X
FAC-001-0              R2.1.13.               X            X
FAC-001-0              R2.1.14.               X            X
FAC-001-0              R2.1.15.               X            X
FAC-001-0              R2.1.16.               X            X
FAC-001-0              R2.1.2.                X            X
FAC-001-0              R2.1.3.                X            X
FAC-001-0              R2.1.4.                X            X
FAC-001-0              R2.1.5.                X            X


                                                                             Page 26 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
FAC-001-0              R2.1.6.                X            X
FAC-001-0              R2.1.7.                X            X
FAC-001-0              R2.1.8.                X            X
FAC-001-0              R2.1.9.                X            X
FAC-001-0              R3.                    X            X
FAC-002-0              R1.
FAC-002-0              R1.1.
FAC-002-0              R1.2.
FAC-002-0              R1.3.
FAC-002-0              R1.4.                  X            X
FAC-002-0              R1.5.                  X            X
FAC-002-0              R2.
FAC-003-1              R1.                    X            X
FAC-003-1              R1.1.                  X            X
FAC-003-1              R1.2.                  X            X
FAC-003-1              R1.2.1.                X            X
FAC-003-1              R1.2.2.                X            X
FAC-003-1              R1.2.2.1.              X            X
FAC-003-1              R1.2.2.2.              X            X
FAC-003-1              R1.3.                  X            X
FAC-003-1              R1.4.                  X            X


                                                                             Page 27 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
FAC-003-1              R1.5.                  X            X
FAC-003-1              R2.                    X            X
FAC-003-1              R3.
FAC-003-1              R3.1.
FAC-003-1              R3.2.
FAC-003-1              R3.3.
FAC-003-1              R3.4.
FAC-003-1              R3.4.1.
FAC-003-1              R3.4.2.
FAC-003-1              R3.4.3.
FAC-003-1              R4.
FAC-008-1              R1.                    X            X
FAC-008-1              R1.1.                  X            X
FAC-008-1              R1.2.                  X            X
FAC-008-1              R1.2.1.                X            X
FAC-008-1              R1.2.2.                X            X
FAC-008-1              R1.3.                  X            X
FAC-008-1              R1.3.1.                X            X
FAC-008-1              R1.3.2.                X            X
FAC-008-1              R1.3.3.                X            X
FAC-008-1              R1.3.4.                X            X


                                                                             Page 28 of 235
Summary Requirements                                                             2/22/2010
                           2010 CMEP Requirements Summary
   Reliability
                                   Compliance             Self         Spot
   Standard     Requirement Number
                                     Audit            Certification   Check
(FERC Approved)
FAC-008-1              R1.3.5.                 X            X
FAC-008-1              R2.                     X            X
FAC-008-1              R3.                     X            X
FAC-009-1              R1.                     X            X          X
FAC-009-1              R2.                     X            X          X
FAC-010-2              R1.
FAC-010-2              R1.1.
FAC-010-2              R1.2.
FAC-010-2              R1.3.
FAC-010-2              R2.
FAC-010-2              R2.1.                   X            X
FAC-010-2              R2.2.                   X            X
FAC-010-2              R2.2.1.                 X            X
FAC-010-2              R2.2.2.                 X            X
FAC-010-2              R2.2.3.                 X            X
FAC-010-2              R2.3.
FAC-010-2              R2.3.1.
FAC-010-2              R2.3.2.
                       R2.4. (was R2.3.3 in
FAC-010-2
                       version 1)
                       R2.5. (was R2.4 in
FAC-010-2
                       version 1)

                                                                              Page 29 of 235
Summary Requirements                                                              2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
                       R2.6 (was R2.5 in version
FAC-010-2
                       1)
                       R2.6.1 (was R2.5.1 in
FAC-010-2
                       version 1)
FAC-010-2              R3.
FAC-010-2              R3.1.
FAC-010-2              R3.2.
FAC-010-2              R3.3.
FAC-010-2              R3.4.
FAC-010-2              R3.5.
FAC-010-2              R3.6.
FAC-010-2              R4.
FAC-010-2              R4.1.
FAC-010-2              R4.2.
FAC-010-2              R4.3.
FAC-010-2              R5.
FAC-011-2
                       R1.
FAC-011-2
                       R1.1.
FAC-011-2
                       R1.2.


                                                                                Page 30 of 235
Summary Requirements                                                                2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
FAC-011-2
                       R1.3.
FAC-011-2
                       R2.
FAC-011-2
                       R2.1.                     X            X
FAC-011-2
                       R2.2.                     X            X
FAC-011-2
                       R2.2.1.                   X            X
FAC-011-2
                       R2.2.2.                   X            X
FAC-011-2
                       R2.2.3.                   X            X
FAC-011-2
                       R2.3.
FAC-011-2
                       R2.3.1.
FAC-011-2
                       R2.3.2.
FAC-011-2
                       R2.3.3.


                                                                                Page 31 of 235
Summary Requirements                                                                2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
FAC-011-2
                       R2.4.
FAC-011-2
                       R3.
FAC-011-2
                       R3.1.
FAC-011-2
                       R3.2.
FAC-011-2
                       R3.3.
FAC-011-2
                       R3.3.1.
FAC-011-2
                       R3.4.
FAC-011-2
                       R3.5.
FAC-011-2
                       R3.6.
FAC-011-2
                       R3.7.
FAC-011-2
                       R4.


                                                                                Page 32 of 235
Summary Requirements                                                                2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
FAC-011-2
                       R4.1.
FAC-011-2
                       R4.2.
FAC-011-2
                       R4.3.
FAC-011-2
                       R5.
FAC-013-1              R1.                                    X          X
FAC-013-1              R2.                                    X          X
FAC-013-1              R2.1.                                  X          X
FAC-013-1              R2.2.                                  X          X
                       R1. (new version replaces
FAC-014-2              Levels of Non Compliance                          X
                       with VSLs throughout)

FAC-014-2              R2.                                               X
FAC-014-2              R3.                                               X
FAC-014-2              R4.                                               X
FAC-014-2              R5.                         X          X          X
FAC-014-2              R5.1.                       X          X          X
FAC-014-2              R5.1.1.                     X          X          X


                                                                                Page 33 of 235
Summary Requirements                                                                2/22/2010
                            2010 CMEP Requirements Summary
   Reliability
                                   Compliance              Self         Spot
   Standard     Requirement Number
                                     Audit             Certification   Check
(FERC Approved)
FAC-014-2              R5.1.2.                     X         X          X
FAC-014-2              R5.1.3.                     X         X          X
FAC-014-2              R5.1.4.                     X         X          X
FAC-014-2              R5.2.                                            X
FAC-014-2              R5.3.                                            X
FAC-014-2              R5.4.                                            X
FAC-014-2              R6.                                              X
FAC-014-2              R6.1.                                            X
FAC-014-2              R6.2.                                            X
                       R1. (removal of WECC
                       Waiver from regional
INT-001-3
                       variences section of this
                       version)
INT-001-3              R1.1.
INT-001-3              R2.
INT-001-3              R2.1.
INT-001-3              R2.2.
INT-003-2              R1.
INT-003-2              R1.1.
INT-003-2              R1.1.1.
INT-003-2              R1.1.2.
INT-003-2              R1.2.

                                                                               Page 34 of 235
Summary Requirements                                                               2/22/2010
                            2010 CMEP Requirements Summary
   Reliability
                                   Compliance              Self         Spot
   Standard     Requirement Number
                                     Audit             Certification   Check
(FERC Approved)
                       R1. (removal of WECC
                       Waiver from regional
INT-004-2                                                               X
                       variences section of this
                       version)
INT-004-2              R2.                                              X
INT-004-2              R2.1.                                            X
INT-004-2              R2.2.                                            X
INT-004-2              R2.3.                                            X
                       R1. (changes/expansion of
INT-005-2              timing tables)
INT-005-2              R1.1.
                       R1. (changes/expansion
INT-006-2
                       of timing tables)
INT-006-2              R1.1.
INT-006-2              R1.1.1.
INT-006-2              R1.1.2.
INT-006-2              R1.1.3.
INT-006-2              R1.2.
INT-007-1              R1.
INT-007-1              R1.1.
INT-007-1              R1.2.
INT-007-1              R1.3.
INT-007-1              R1.3.1.

                                                                               Page 35 of 235
Summary Requirements                                                               2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
INT-007-1              R1.3.2.
INT-007-1              R1.3.3.
INT-007-1              R1.3.4.
INT-007-1              R1.4.
                       R1. (changes/expansion
INT-008-2
                       of timing tables)
INT-008-2              R1.1.
INT-008-2              R1.1.1.
INT-008-2              R1.1.2.
INT-009-1              R1.
INT-010-1              R1.
INT-010-1              R2.
INT-010-1              R3.
                       R1. (changed term from
                       distribution provider to
IRO-001-1.1
                       transmission provider
                       under Section D1.3)
IRO-001-1.1            R2.
IRO-001-1.1            R3.                        X           X
IRO-001-1.1            R4.
IRO-001-1.1            R5.
IRO-001-1.1            R6.


                                                                                Page 36 of 235
Summary Requirements                                                                2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
IRO-001-1.1            R7.                       X            X
IRO-001-1.1            R8.                       X            X
IRO-001-1.1            R9.                       X            X
IRO-002-1              R1.                       X            X
IRO-002-1              R2.
IRO-002-1              R3.
IRO-002-1              R4.                       X            X
IRO-002-1              R5.                       X            X
IRO-002-1              R6.                       X            X
IRO-002-1              R7.                       X            X
IRO-002-1              R8.                       X            X
IRO-002-1              R9.
IRO-003-2              R1.                       X            X
IRO-003-2              R2.                       X            X
IRO-004-1              R1.                       X            X
IRO-004-1              R2.                       X            X
IRO-004-1              R3.                       X            X
IRO-004-1              R4.                       X            X
IRO-004-1              R5.                       X            X
IRO-004-1              R6.                       X            X
IRO-004-1              R7.                       X            X


                                                                                Page 37 of 235
Summary Requirements                                                                2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
IRO-005-2              R1.                    X            X
IRO-005-2              R1.1.                  X            X
IRO-005-2              R1.10.                 X            X
IRO-005-2              R1.2.                  X            X
IRO-005-2              R1.3.                  X            X
IRO-005-2              R1.4.                  X            X
IRO-005-2              R1.5.                  X            X
IRO-005-2              R1.6.                  X            X
IRO-005-2              R1.7.                  X            X
IRO-005-2              R1.8.                  X            X
IRO-005-2              R1.9.                  X            X
IRO-005-2              R2.                    X            X
IRO-005-2              R3.                    X            X
IRO-005-2              R4.                    X            X
IRO-005-2              R5.                    X            X
IRO-005-2              R6.
IRO-005-2              R7.                    X            X
IRO-005-2              R8.                    X            X
IRO-005-2              R9.                    X            X
IRO-005-2              R10.                   X            X
IRO-005-2              R11.                   X            X


                                                                             Page 38 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
IRO-005-2              R12.                   X            X
IRO-005-2              R13.                   X            X
IRO-005-2              R14.                   X            X
IRO-005-2              R15.                   X            X
IRO-005-2              R16.                   X            X
IRO-005-2              R17.                   X            X
IRO-006-4              R1.                    X            X          X
IRO-006-4              R1.1.                  X            X          X
IRO-006-4              R1.2.                               X          X
IRO-006-4              R1.3.                               X          X
IRO-006-4              R2.                                 X          X
IRO-006-4              R3.                    X            X          X
IRO-006-4              R4.                    X            X          X
IRO-006-4              R5.                    X            X          X
IRO-014-1              R1.                                            X
IRO-014-1              R1.1.                                          X
IRO-014-1              R1.1.1.                                        X
IRO-014-1              R1.1.2.                                        X
IRO-014-1              R1.1.3.                                        X
IRO-014-1              R1.1.4.                                        X
IRO-014-1              R1.1.5.                                        X


                                                                             Page 39 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
IRO-014-1              R1.1.6.                                        X
IRO-014-1              R2.                                            X
IRO-014-1              R2.1.                                          X
IRO-014-1              R2.2.                                          X
IRO-014-1              R3.                                            X
IRO-014-1              R3.1.                                          X
IRO-014-1              R3.2.                                          X
IRO-014-1              R4.                                            X
IRO-014-1              R4.1.                                          X
IRO-014-1              R4.2.                                          X
IRO-014-1              R4.3.                                          X
IRO-015-1              R1.
IRO-015-1              R1.1.
IRO-015-1              R2.
IRO-015-1              R2.1.
IRO-015-1              R3.
IRO-016-1              R1.
IRO-016-1              R1.1.
IRO-016-1              R1.2.
IRO-016-1              R1.2.1.
IRO-016-1              R1.2.2.


                                                                             Page 40 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
IRO-016-1              R1.3.
IRO-016-1              R2.
MOD-006-0.1            R1.
MOD-006-0.1            R1.1.
MOD-006-0.1            R1.2.
MOD-006-0.1            R1.3.
MOD-006-0.1            R2.
MOD-007-0              R1.
MOD-007-0              R2.
MOD-007-0              R2.1.
MOD-007-0              R2.2.
MOD-007-0              R2.3.
MOD-010-0              R1.                                 X
MOD-010-0              R2.                                 X
MOD-012-0              R1.                                 X
MOD-012-0              R2.                                 X
MOD-016-1.1            R1.
MOD-016-1.1            R1.1.
MOD-016-1.1            R2.
MOD-016-1.1            R2.1.
MOD-016-1.1            R3.


                                                                             Page 41 of 235
Summary Requirements                                                             2/22/2010
                             2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self         Spot
   Standard     Requirement Number
                                     Audit              Certification   Check
(FERC Approved)
MOD-016-1.1            R3.1.
                       R1. (Errata, see standard
MOD-17-0.1
                       version history table)

MOD-17-0.1             R1.1.
MOD-17-0.1             R1.2.
MOD-17-0.1             R1.3.
MOD-17-0.1             R1.4.
MOD-018-0              R1.
MOD-018-0              R1.1.
MOD-018-0              R1.2.
MOD-018-0              R1.3.
MOD-018-0              R2.
                       R1. (Errata, see standard
MOD-019-0.1
                       version history table)

MOD-020-0              R1.
MOD-021-0              R1.
MOD-021-0              R2.
MOD-021-0              R3.
NUC-001-1              R1.
NUC-001-1              R2.


                                                                                Page 42 of 235
Summary Requirements                                                                2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
NUC-001-1              R3.                    X            X
NUC-001-1              R4.                    X            X
NUC-001-1              R4.1.                  X            X
NUC-001-1              R4.2.                  X            X
NUC-001-1              R4.3.                  X            X
NUC-001-1              R5.                    X            X
NUC-001-1              R6.                    X            X
NUC-001-1              R7.                    X            X
NUC-001-1              R8.                    X            X
NUC-001-1              R9.
NUC-001-1              R9.1.
NUC-001-1              R9.1.1.
NUC-001-1              R9.1.2.
NUC-001-1              R9.1.3.
NUC-001-1              R9.1.4.
NUC-001-1              R9.2.
NUC-001-1              R9.2.1.
NUC-001-1              R9.2.2.
NUC-001-1              R9.2.3.
NUC-001-1              R9.3.
NUC-001-1              R9.3.1.


                                                                             Page 43 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
NUC-001-1              R9.3.2.
NUC-001-1              R9.3.3.
NUC-001-1              R9.3.4.
NUC-001-1              R9.3.5.
NUC-001-1              R9.3.6.
NUC-001-1              R9.3.7.
NUC-001-1              R9.4.
NUC-001-1              R9.4.1.
NUC-001-1              R9.4.2.
NUC-001-1              R9.4.3.
NUC-001-1              R9.4.4.
NUC-001-1              R9.4.5.
PER-001-0              R1.                    X            X
PER-002-0              R1.                    X            X
PER-002-0              R2.                    X            X
PER-002-0              R2.1.                  X            X
PER-002-0              R2.2.                  X            X
PER-002-0              R3.                    X            X
PER-002-0              R3.1.                  X            X
PER-002-0              R3.2.                  X            X
PER-002-0              R3.3.                  X            X


                                                                             Page 44 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
PER-002-0              R3.4.                  X            X
PER-002-0              R4.                    X            X
PER-003-0              R1.                    X            X
PER-003-0              R1.1.                  X            X
PER-003-0              R1.2.                  X            X
PER-004-1              R1.                    X            X
PER-004-1              R2.                    X            X
PER-004-1              R3.                    X            X
PER-004-1              R4.                    X            X
PER-004-1              R5.                    X            X
PRC-001-1              R1.                    X            X
PRC-001-1              R2.                    X            X
PRC-001-1              R2.1.                  X            X
PRC-001-1              R2.2.                  X            X
PRC-001-1              R3.
PRC-001-1              R3.1.                  X            X
PRC-001-1              R3.2.                  X            X
PRC-001-1              R4.                    X            X
PRC-001-1              R5.                    X            X
PRC-001-1              R5.1.                  X            X
PRC-001-1              R5.2.                  X            X


                                                                             Page 45 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
PRC-001-1              R6.                    X            X
PRC-004-1              R1.                    X            X
PRC-004-1              R2.                    X            X
PRC-004-1              R3.
PRC-005-1              R1.                    X            X
PRC-005-1              R1.1.                  X            X
PRC-005-1              R1.2.                  X            X
PRC-005-1              R2.                    X            X
PRC-005-1              R2.1.                  X            X
PRC-005-1              R2.2.                  X            X
PRC-007-0              R1.
PRC-007-0              R2.
PRC-007-0              R3.
PRC-008-0              R1.                    X            X
PRC-008-0              R2.                    X            X
PRC-009-0              R1.
PRC-009-0              R1.1.
PRC-009-0              R1.2.
PRC-009-0              R1.3.
PRC-009-0              R1.4.
PRC-009-0              R2.


                                                                             Page 46 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
PRC-010-0              R1.                                            X
PRC-010-0              R1.1.                                          X
PRC-010-0              R1.1.1.                                        X
PRC-010-0              R1.1.2.                                        X
PRC-010-0              R1.1.3.                                        X
PRC-010-0              R2.                                            X
PRC-011-0              R1.                                            X
PRC-011-0              R1.1.                                          X
PRC-011-0              R1.1.1.                                        X
PRC-011-0              R1.1.2.                                        X
PRC-011-0              R1.1.3.                                        X
PRC-011-0              R1.1.4.                                        X
PRC-011-0              R1.2.                                          X
PRC-011-0              R1.3.                                          X
PRC-011-0              R1.4.                                          X
PRC-011-0              R1.5.                                          X
PRC-011-0              R1.6.                                          X
PRC-011-0              R2.                                            X
PRC-015-0              R1.
PRC-015-0              R2.
PRC-015-0              R3.


                                                                             Page 47 of 235
Summary Requirements                                                             2/22/2010
                            2010 CMEP Requirements Summary
   Reliability
                                   Compliance              Self         Spot
   Standard     Requirement Number
                                     Audit             Certification   Check
(FERC Approved)

                       R1. (Errata, see standard
PRC-16-0.1
                       version history table)

PRC-16-0.1             R2.
PRC-16-0.1             R3.
PRC-017-0              R1.                         X         X
PRC-017-0              R1.1.                       X         X
PRC-017-0              R1.1.1.                     X         X
PRC-017-0              R1.1.2.                     X         X
PRC-017-0              R1.1.3.                     X         X
PRC-017-0              R1.1.4.                     X         X
PRC-017-0              R1.2.                       X         X
PRC-017-0              R1.3.                       X         X
PRC-017-0              R1.4.                       X         X
PRC-017-0              R1.5.                       X         X
PRC-017-0              R1.6.
PRC-017-0              R2.
PRC-018-1              R1.
PRC-018-1              R1.1.
PRC-018-1              R1.2.
PRC-018-1              R2.
PRC-018-1              R3.

                                                                               Page 48 of 235
Summary Requirements                                                               2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
PRC-018-1              R3.1.
PRC-018-1              R3.2.
PRC-018-1              R3.3.
PRC-018-1              R3.4.
PRC-018-1              R3.5.
PRC-018-1              R3.6.
PRC-018-1              R3.7.
PRC-018-1              R3.8.
PRC-018-1              R4.
PRC-018-1              R5.
PRC-018-1              R6.
PRC-018-1              R6.1.
PRC-018-1              R6.2.
PRC-021-1              R1.
PRC-021-1              R1.1.
PRC-021-1              R1.2.
PRC-021-1              R1.3.
PRC-021-1              R1.4.
PRC-021-1              R1.5.
PRC-021-1              R2.
PRC-022-1              R1.


                                                                             Page 49 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
PRC-022-1              R1.1.
PRC-022-1              R1.2.
PRC-022-1              R1.3.
PRC-022-1              R1.4.
PRC-022-1              R1.5.
PRC-022-1              R2.
TOP-001-1              R1.                    X            X
TOP-001-1              R2.                    X            X
TOP-001-1              R3.                    X            X
TOP-001-1              R4.                    X            X
TOP-001-1              R5.                    X            X
TOP-001-1              R6.                    X            X
TOP-001-1              R7.                    X            X
TOP-001-1              R7.1.                  X            X
TOP-001-1              R7.2.                  X            X
TOP-001-1              R7.3.                  X            X
TOP-001-1              R8.                    X            X
TOP-002-2              R1.                    X            X
TOP-002-2              R2.                    X            X
TOP-002-2              R3.                    X            X
TOP-002-2              R4.                    X            X


                                                                             Page 50 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
TOP-002-2              R5.                    X            X
TOP-002-2              R6.                    X            X
TOP-002-2              R7.
TOP-002-2              R8.
TOP-002-2              R9.
TOP-002-2              R10.
TOP-002-2              R11.                   X            X
TOP-002-2              R12.
TOP-002-2              R13.                   X            X
TOP-002-2              R14.                   X            X
TOP-002-2              R14.1.                 X            X
TOP-002-2              R14.2.                 X            X
TOP-002-2              R15.                   X            X
TOP-002-2              R16.                   X            X
TOP-002-2              R16.1.                 X            X
TOP-002-2              R16.2.                 X            X
TOP-002-2              R17.                   X            X
TOP-002-2              R18.                   X            X
TOP-002-2              R19.                   X            X
TOP-003-0              R1.                    X            X          X
TOP-003-0              R1.1.                  X            X          X


                                                                             Page 51 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
TOP-003-0              R1.2.                  X            X          X
TOP-003-0              R1.3.                  X            X          X
TOP-003-0              R2.                    X            X          X
TOP-003-0              R3.                    X            X          X
TOP-003-0              R4.                    X            X          X
TOP-004-2              R1.                    X            X
TOP-004-2              R2.                    X            X
TOP-004-2              R3.
TOP-004-2              R4.                    X            X
TOP-004-2              R5.                    X            X
TOP-004-2              R6.
TOP-004-2              R6.1.
TOP-004-2              R6.2.
TOP-004-2              R6.3.
TOP-004-2              R6.4.
TOP-005-1.1            R1.
TOP-005-1.1            R1.1.
TOP-005-1.1            R2.
TOP-005-1.1            R3.
TOP-005-1.1            R4.
TOP-006-1              R1.


                                                                             Page 52 of 235
Summary Requirements                                                             2/22/2010
                           2010 CMEP Requirements Summary
   Reliability
                                   Compliance              Self         Spot
   Standard     Requirement Number
                                     Audit             Certification   Check
(FERC Approved)
TOP-006-1              R1.1.
TOP-006-1              R1.2.
TOP-006-1              R2.                         X        X
TOP-006-1              R3.
TOP-006-1              R4.
TOP-006-1              R5.
TOP-006-1              R6.                         X        X
TOP-006-1              R7.                         X        X
TOP-007-0              R1.                         X        X
TOP-007-0              R2.                         X        X
TOP-007-0              R3.                         X        X
TOP-007-0              R4.                         X        X
TOP-008-1              R1.                         X        X
TOP-008-1              R2.                         X        X
TOP-008-1              R3.                         X        X
TOP-008-1              R4.
                       R1. (Errata, see standard
TPL-001-0.1                                        X        X
                       version history table )

TPL-001-0.1            R1.1.                       X        X
TPL-001-0.1            R1.2.                       X        X
TPL-001-0.1            R1.3.                       X        X

                                                                               Page 53 of 235
Summary Requirements                                                               2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
TPL-001-0.1            R1.3.1.                X            X
TPL-001-0.1            R1.3.2.                X            X
TPL-001-0.1            R1.3.3.                X            X
TPL-001-0.1            R1.3.4.                X            X
TPL-001-0.1            R1.3.5.                X            X
TPL-001-0.1            R1.3.6.                X            X
TPL-001-0.1            R1.3.7.                X            X
TPL-001-0.1            R1.3.8.                X            X
TPL-001-0.1            R1.3.9.                X            X
TPL-001-0.1            R1.4.                  X            X
TPL-001-0.1            R2.
TPL-001-0.1            R2.1.
TPL-001-0.1            R2.1.1.
TPL-001-0.1            R2.1.2.
TPL-001-0.1            R2.1.3.
TPL-001-0.1            R2.2.
TPL-001-0.1            R3.
TPL-002-0              R1.                    X            X
TPL-002-0              R1.1.                  X            X
TPL-002-0              R1.2.                  X            X
TPL-002-0              R1.3.                  X            X


                                                                             Page 54 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
TPL-002-0              R1.3.1.                X            X
TPL-002-0              R1.3.10.               X            X
TPL-002-0              R1.3.11.               X            X
TPL-002-0              R1.3.12.               X            X
TPL-002-0              R1.3.2.                X            X
TPL-002-0              R1.3.3.                X            X
TPL-002-0              R1.3.4.                X            X
TPL-002-0              R1.3.5.                X            X
TPL-002-0              R1.3.6.                X            X
TPL-002-0              R1.3.7.                X            X
TPL-002-0              R1.3.8.                X            X
TPL-002-0              R1.3.9.                X            X
TPL-002-0              R1.4.                  X            X
TPL-002-0              R1.5.                  X            X
TPL-002-0              R2.
TPL-002-0              R2.1.
TPL-002-0              R2.1.1.
TPL-002-0              R2.1.2.
TPL-002-0              R2.1.3.
TPL-002-0              R2.2.
TPL-002-0              R3.


                                                                             Page 55 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
TPL-003-0              R1.                    X            X
TPL-003-0              R1.1.                  X            X
TPL-003-0              R1.2.                  X            X
TPL-003-0              R1.3.                  X            X
TPL-003-0              R1.3.1.                X            X
TPL-003-0              R1.3.10.               X            X
TPL-003-0              R1.3.11.               X            X
TPL-003-0              R1.3.12.               X            X
TPL-003-0              R1.3.2.                X            X
TPL-003-0              R1.3.3.                X            X
TPL-003-0              R1.3.4.                X            X
TPL-003-0              R1.3.5.                X            X
TPL-003-0              R1.3.6.                X            X
TPL-003-0              R1.3.7.                X            X
TPL-003-0              R1.3.8.                X            X
TPL-003-0              R1.3.9.                X            X
TPL-003-0              R1.4.                  X            X
TPL-003-0              R1.5.                  X            X
TPL-003-0              R2.
TPL-003-0              R2.1.
TPL-003-0              R2.1.1.


                                                                             Page 56 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
TPL-003-0              R2.1.2.
TPL-003-0              R2.1.3.
TPL-003-0              R2.2.
TPL-003-0              R3.
TPL-004-0              R1.                                 X
TPL-004-0              R1.1.                               X
TPL-004-0              R1.2.                               X
TPL-004-0              R1.3.                               X
TPL-004-0              R1.3.1.                             X
TPL-004-0              R1.3.2.                             X
TPL-004-0              R1.3.3.                             X
TPL-004-0              R1.3.4.                             X
TPL-004-0              R1.3.5.                             X
TPL-004-0              R1.3.6.                             X
TPL-004-0              R1.3.7.                             X
TPL-004-0              R1.3.8.                             X
TPL-004-0              R1.3.9.                             X
TPL-004-0              R1.4.                               X
TPL-004-0              R2.
VAR-001-1              R1.                    X            X
VAR-001-1              R2.                    X            X


                                                                             Page 57 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance            Self         Spot
   Standard     Requirement Number
                                     Audit           Certification   Check
(FERC Approved)
VAR-001-1              R3.
VAR-001-1              R3.1.
VAR-001-1              R3.2.
VAR-001-1              R4.
VAR-001-1              R5.                    X            X
VAR-001-1              R6.
VAR-001-1              R6.1.
VAR-001-1              R7.                    X            X
VAR-001-1              R8.                    X            X
VAR-001-1              R9.                    X            X
VAR-001-1              R9.1.                  X            X
VAR-001-1              R10.                   X            X
VAR-001-1              R11.
VAR-001-1              R12.                   X            X
VAR-002-1.1a           R1.                    X            X
VAR-002-1.1a           R2.                    X            X
VAR-002-1.1a           R2.1.                  X            X
VAR-002-1.1a           R2.2.                  X            X
VAR-002-1.1a           R3.                    X            X
VAR-002-1.1a           R3.1.                  X            X
VAR-002-1.1a           R3.2.                  X            X


                                                                             Page 58 of 235
Summary Requirements                                                             2/22/2010
                          2010 CMEP Requirements Summary
   Reliability
                                   Compliance               Self          Spot
   Standard     Requirement Number
                                     Audit              Certification    Check
(FERC Approved)
VAR-002-1.1a           R4.                    X              X
VAR-002-1.1a           R4.1.                  X              X
VAR-002-1.1a           R4.1.1.                X              X
VAR-002-1.1a           R4.1.2.                X              X
VAR-002-1.1a           R4.1.3.                X              X
VAR-002-1.1a           R4.1.4.                X              X
VAR-002-1.1a           R5.                    X              X
VAR-002-1.1a           R5.1.                  X              X
               1016                  1016         554              579       259




                                                                                   Page 59 of 235
Summary Requirements                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               RESOURCE AND DEMAND BALANCING
                                               Each Balancing Authority shall operate such that, on a
                                               rolling 12-month basis, the average of the clock-minute
                                               averages of the Balancing Authority’s Area Control Error
                                               (ACE) divided by 10B (B is the clock-minute average of the
                                               Balancing Authority Area’s Frequency Bias) times the
                                               corresponding clock-minute averages of the
BAL-001-0.1a             R1.                                                                                    MEDIUM         BA                                                            M                                                   x      x
                                               Interconnection’s Frequency Error is less than a specific
                                               limit. This limit is a constant derived from a targeted
                                               frequency bound (separately calculated for each
                                               Interconnection) that is reviewed and set as necessary by
                                               the NERC Operating Committee. See Standard for
                                               Formula.
                                               Each Balancing Authority shall operate such that its average
                                               ACE for at least 90% of clock-ten-minute periods (6 non-
BAL-001-0.1a             R2.                   overlapping periods per hour) during a calendar month is         MEDIUM         BA                                                            M                                                   x      x
                                               within a specific limit, referred to as L 10. See Standard for
                                               Formula.
                                               Each Balancing Authority providing Overlap Regulation
                                               Service shall evaluate Requirement R1 (i.e., Control
                                               Performance Standard 1 or CPS1) and Requirement R2
BAL-001-0.1a             R3.                                                                                    LOWER          BA                                                            M                                                   x      x
                                               (i.e., Control Performance Standard 2 or CPS2) using the
                                               characteristics of the combined ACE and combined
                                               Frequency Bias Settings.

                                               Any Balancing Authority receiving Overlap Regulation
                                               Service shall not have its control performance evaluated
BAL-001-0.1a             R4.                   (i.e. from a control performance perspective, the Balancing      LOWER          BA                                                            M                                                   x      x
                                               Authority has shifted all control requirements to the
                                               Balancing Authority providing Overlap Regulation Service).
                                               Each Balancing Authority shall have access to and/or
                                               operate Contingency Reserve to respond to Disturbances.
BAL-002-0                R1.                   Contingency Reserve may be supplied from generation,              HIGH          BA          1             X                 X                 Q                                                   x      x                    X
                                               controllable load resources, or coordinated adjustments to
                                               Interchange Schedules.


                                                                                                                                                                                                                                                            Page 60 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               A Balancing Authority may elect to fulfill its Contingency
                                               Reserve obligations by participating as a member of a
                                               Reserve Sharing Group. In such cases, the Reserve
BAL-002-0                R1.1.                 Sharing Group shall have the same responsibilities and            HIGH          BA          1             X                 X                 Q                                                   x      x                    X
                                               obligations as each Balancing Authority with respect to
                                               monitoring and meeting the requirements of Standard BAL-
                                               002.
                                               Each Regional Reliability Organization, sub-Regional
BAL-002-0                R2.                   Reliability Organization or Reserve Sharing Group shall          MEDIUM      RRO, RSG See Below           X                 X                 Q                                                   x      x                    X
                                               specify its Contingency Reserve policies, including:
BAL-002-0                R2.1.                 The minimum reserve requirement for the group.                    HIGH       RRO, RSG       1             X                 X                 Q                                                   x      x                    X

BAL-002-0                R2.2.                 Its allocation among members.                                    LOWER       RRO, RSG                                                         Q                                                   x      x
                                               The permissible mix of Operating Reserve - Spinning and
BAL-002-0                R2.3.                 Operating Reserve - Supplemental that may be included in         LOWER       RRO, RSG                                                         Q                                                   x      x
                                               Contingency Reserve.
                                               The procedure for applying Contingency Reserve in
BAL-002-0                R2.4.                                                                                  LOWER       RRO, RSG                                                         Q                                                   x      x
                                               practice.
                                               The limitations, if any, upon the amount of interruptible load
BAL-002-0                R2.5.                                                                                  LOWER       RRO, RSG                                                         Q                                                   x      x
                                               that may be included.
                                               The same portion of resource capacity (e.g., reserves from
                                               jointly owned generation) shall not be counted more than
BAL-002-0                R2.6.                                                                                  MEDIUM      RRO, RSG                                                         Q                                                   x      x
                                               once as Contingency Reserve by multiple Balancing
                                               Authorities.
                                               Each Balancing Authority or Reserve Sharing Group shall
BAL-002-0                R3.                   activate sufficient Contingency Reserve to comply with the        HIGH          BA          1             X                 X                 Q                                                   x      x                    X
                                               DCS.
                                               As a minimum, the Balancing Authority or Reserve Sharing
                                               Group shall carry at least enough Contingency Reserve to
                                               cover the most severe single contingency. All Balancing
BAL-002-0                R3.1.                 Authorities and Reserve Sharing Groups shall review, no           HIGH          BA          1             X                 X                 Q                                                   x      x                    X
                                               less frequently than annually, their probable contingencies to
                                               determine their prospective most severe single
                                               contingencies.


                                                                                                                                                                                                                                                            Page 61 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                               Violation                Risk          Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                               Functions                            Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                  Based       Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                  Monitored                              Audit               Reporting                            Check
                                                                                                                Factor                 Criteria         n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               A Balancing Authority or Reserve Sharing Group shall meet
                                               the Disturbance Recovery Criterion within the Disturbance
BAL-002-0                R4.                                                                                   MEDIUM         BA                                                             Q                                                   x      x
                                               Recovery Period for 100% of Reportable Disturbances. The
                                               Disturbance Recovery Criterion is:
                                               A Balancing Authority shall return its ACE to zero if its ACE
                                               just prior to the Reportable Disturbance was positive or
BAL-002-0                R4.1.                 equal to zero. For negative initial ACE values just prior to    MEDIUM         BA                                                             Q                                                   x      x
                                               the Disturbance, the Balancing Authority shall return ACE to
                                               its pre-Disturbance value.
                                               The default Disturbance Recovery Period is 15 minutes after
                                               the start of a Reportable Disturbance. This period may be
BAL-002-0                R4.2.                 adjusted to better suit the needs of an Interconnection         <blank>        BA                                                             Q                                                   x      x
                                               based on analysis approved by the NERC Operating
                                               Committee.

                                               Each Reserve Sharing Group shall comply with the DCS. A
                                               Reserve Sharing Group shall be considered in a Reportable
                                               Disturbance condition whenever a group member has
                                               experienced a Reportable Disturbance and calls for the
                                               activation of Contingency Reserves from one or more other
BAL-002-0                R5.                   group members. (If a group member has experienced a             LOWER         RSG                                                             Q                                                   x      x
                                               Reportable Disturbance but does not call for reserve
                                               activation from other members of the Reserve Sharing
                                               Group, then that member shall report as a single Balancing
                                               Authority.) Compliance may be demonstrated by either of
                                               the following two methods:

                                               The Reserve Sharing Group reviews group ACE (or
                                               equivalent) and demonstrates compliance to the DCS. To
                                               be in compliance, the group ACE (or its equivalent) must
BAL-002-0                R5.1.                 meet the Disturbance Recovery Criterion after the schedule      <blank>       RSG                                                             Q                                                   x      x
                                               change(s) related to reserve sharing have been fully
                                               implemented, and within the Disturbance Recovery Period.
                                               Or




                                                                                                                                                                                                                                                            Page 62 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                 Risk          Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                   Based       Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                  Criteria         n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The Reserve Sharing Group reviews each member’s ACE in
                                               response to the activation of reserves. To be in compliance,
                                               a member’s ACE (or its equivalent) must meet the
BAL-002-0                R5.2.                                                                                <blank>       RSG                                                              Q                                                   x      x
                                               Disturbance Recovery Criterion after the schedule change(s)
                                               related to reserve sharing have been fully implemented, and
                                               within the Disturbance Recovery Period.

                                               A Balancing Authority or Reserve Sharing Group shall fully
BAL-002-0                R6.                   restore its Contingency Reserves within the Contingency        MEDIUM      BA, RSG                                                            Q                                                   x      x
                                               Reserve Restoration Period for its Interconnection.
                                               The Contingency Reserve Restoration Period begins at the
BAL-002-0                R6.1.                                                                                <blank>     BA, RSG                                                            Q                                                   x      x
                                               end of the Disturbance Recovery Period.
                                               The default Contingency Reserve Restoration Period is 90
                                               minutes. This period may be adjusted to better suit the
BAL-002-0                R6.2.                                                                                <blank>     BA, RSG                                                            Q                                                   x      x
                                               reliability targets of the Interconnection based on analysis
                                               approved by the NERC Operating Committee.
                                               Each Balancing Authority shall review its Frequency Bias
                                               Settings by January 1 of each year and recalculate its
BAL-003-0.1b             R1.                                                                                  LOWER          BA           5,3             X                X                                                  X                  x      x
                                               setting to reflect any change in the Frequency Response of
                                               the Balancing Authority Area.
                                               The Balancing Authority may change its Frequency Bias
                                               Setting, and the method used to determine the setting,
BAL-003-0.1b             R1.1.                                                                                LOWER          BA           5,3             X                X                                                  X                  x      x
                                               whenever any of the factors used to determine the current
                                               bias value change.
                                               Each Balancing Authority shall report its Frequency Bias
BAL-003-0.1b             R1.2.                 Setting, and method for determining that setting, to the       LOWER          BA           5,3             X                X                 A                X               X                  x      x
                                               NERC Operating Committee.
                                               Each Balancing Authority shall establish and maintain a
                                               Frequency Bias Setting that is as close as practical to, or
BAL-003-0.1b             R2.                   greater than, the Balancing Authority’s Frequency              MEDIUM         BA           5,3             X                X                                                  X                  x      x
                                               Response. Frequency Bias may be calculated several
                                               ways:




                                                                                                                                                                                                                                                            Page 63 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The Balancing Authority may use a fixed Frequency Bias
                                               value which is based on a fixed, straight-line function of Tie
                                               Line deviation versus Frequency Deviation. The Balancing
BAL-003-0.1b             R2.1.                                                                                  LOWER          BA         5,3             X                X                                                  X                  x      x
                                               Authority shall determine the fixed value by observing and
                                               averaging the Frequency Response for several
                                               Disturbances during on-peak hours.

                                               The Balancing Authority may use a variable (linear or non-
                                               linear) bias value, which is based on a variable function of
                                               Tie Line deviation to Frequency Deviation. The Balancing
BAL-003-0.1b             R2.2.                 Authority shall determine the variable frequency bias value      LOWER          BA         5,3             X                X                                                  X                  x      x
                                               by analyzing Frequency Response as it varies with factors
                                               such as load, generation, governor characteristics, and
                                               frequency.
                                               Each Balancing Authority shall operate its Automatic
                                               Generation Control (AGC) on Tie Line Frequency Bias,
                                               unless such operation is adverse to system or
BAL-003-0.1b             R3.                                                                                    MEDIUM         BA                                                                                                                x      x
                                               Interconnection reliability.
                                               See Standard for Approved Interpretation of R3 for WECC
                                               WATEC Procedure
                                               Balancing Authorities that use Dynamic Scheduling or
                                               Pseudo-ties for jointly owned units shall reflect their
BAL-003-0.1b             R4.                                                                                    LOWER          BA                                                                                                                x      x
                                               respective share of the unit governor droop response in their
                                               respective Frequency Bias Setting.
                                               Fixed schedules for Jointly Owned Units mandate that
                                               Balancing Authority (A) that contains the Jointly Owned Unit
BAL-003-0.1b             R4.1.                 must incorporate the respective share of the unit governor       LOWER          BA                                                                                                                x      x
                                               droop response for any Balancing Authorities that have fixed
                                               schedules (B and C). See the diagram below.

                                               The Balancing Authorities that have a fixed schedule (B and
                                               C) but do not contain the Jointly Owned Unit shall not
BAL-003-0.1b             R4.2.                 include their share of the governor droop response in their      LOWER          BA                                                                                                                x      x
                                               Frequency Bias Setting. See Standard for Graphic.



                                                                                                                                                                                                                                                            Page 64 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                 Risk          Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                   Based       Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                  Criteria         n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Balancing Authorities that serve native load shall have a
                                               monthly average Frequency Bias Setting that is at least 1%
BAL-003-0.1b             R5.                                                                                  MEDIUM         BA           5,3             X                X                                                  X                  x      x
                                               of the Balancing Authority’s estimated yearly peak demand
                                               per 0.1 Hz change.
                                               Balancing Authorities that do not serve native load shall
                                               have a monthly average Frequency Bias Setting that is at
BAL-003-0.1b             R5.1.                                                                                MEDIUM         BA           5,3             X                X                                                  X                  x      x
                                               least 1% of its estimated maximum generation level in the
                                               coming year per 0.1 Hz change.
                                               A Balancing Authority that is performing Overlap Regulation
                                               Service shall increase its Frequency Bias Setting to match
BAL-003-0.1b             R6.                   the frequency response of the entire area being controlled.    MEDIUM         BA                                                                                                                  x      x
                                               A Balancing Authority shall not change its Frequency Bias
                                               Setting when performing Supplemental Regulation Service.
                                               Only a Reliability Coordinator shall be eligible to act as
                                               Interconnection Time Monitor. A single Reliability
BAL-004-0                R1.                   Coordinator in each Interconnection shall be designated by     LOWER          RC                                                                                                                         x
                                               the NERC Operating Committee to serve as Interconnection
                                               Time Monitor.
                                               The Interconnection Time Monitor shall monitor Time Error
                                               and shall initiate or terminate corrective action orders in
BAL-004-0                R2.                                                                                  LOWER          RC                                                                                                                         x
                                               accordance with the NAESB Time Error Correction
                                               Procedure.
                                               Each Balancing Authority, when requested, shall participate
BAL-004-0                R3.                                                                                  MEDIUM         BA                                                                                                                         x
                                               in a Time Error Correction by one of the following methods:

                                               The Balancing Authority shall offset its frequency schedule
BAL-004-0                R3.1.                                                                                LOWER          BA                                                                                                                         x
                                               by 0.02 Hertz, leaving the Frequency Bias Setting normal; or
                                               The Balancing Authority shall offset its Net Interchange
                                               Schedule (MW) by an amount equal to the computed bias
BAL-004-0                R3.2.                                                                                LOWER          BA                                                                                                                         x
                                               contribution during a 0.02 Hertz Frequency Deviation (i.e.
                                               20% of the Frequency Bias Setting).




                                                                                                                                                                                                                                                            Page 65 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Any Reliability Coordinator in an Interconnection shall have
                                               the authority to request the Interconnection Time Monitor to
BAL-004-0                R4.                   terminate a Time Error Correction in progress, or a              LOWER          RC                                                                                                                      x
                                               scheduled Time Error Correction that has not begun, for
                                               reliability considerations.
                                               Balancing Authorities that have reliability concerns with the
                                               execution of a Time Error Correction shall notify their
BAL-004-0                R4.1.                                                                                  LOWER          BA                                                                             X                                        x
                                               Reliability Coordinator and request the termination of a Time
                                               Error Correction in progress.
                                               All generation, transmission, and load operating within an
                                                                                                                            GOP, LSE,
BAL-005-0.1b             R1.                   Interconnection must be included within the metered              <blank>                                                                                                                                x
                                                                                                                              TOP
                                               boundaries of a Balancing Authority Area.
                                               Each Generator Operator with generation facilities operating
                                               in an Interconnection shall ensure that those generation
BAL-005-0.1b             R1.1.                                                                                  MEDIUM        GOP                                                                                                                      x
                                               facilities are included within the metered boundaries of a
                                               Balancing Authority Area.
                                               Each Transmission Operator with transmission facilities
                                               operating in an Interconnection shall ensure that those
BAL-005-0.1b             R1.2.                                                                                  MEDIUM        TOP                                                                                                                      x
                                               transmission facilities are included within the metered
                                               boundaries of a Balancing Authority Area.
                                               Each Load-Serving Entity with load operating in an
                                               Interconnection shall ensure that those loads are included
BAL-005-0.1b             R1.3.                                                                                  MEDIUM        LSE                                                                                                                      x
                                               within the metered boundaries of a Balancing Authority
                                               Area.
                                               Each Balancing Authority shall maintain Regulating Reserve
BAL-005-0.1b             R2.                   that can be controlled by AGC to meet the Control                 HIGH          BA          1             X                 X                                                                           x                    X
                                               Performance Standard.
                                               A Balancing Authority providing Regulation Service shall
                                               ensure that adequate metering, communications, and
BAL-005-0.1b             R3.                   control equipment are employed to prevent such service           MEDIUM         BA                                                                                                                      x
                                               from becoming a Burden on the Interconnection or other
                                               Balancing Authority Areas.
                                               A Balancing Authority providing Regulation Service shall
                                               notify the Host Balancing Authority for whom it is controlling
BAL-005-0.1b             R4.                                                                                    MEDIUM         BA                                                                                                                      x
                                               if it is unable to provide the service, as well as any
                                               Intermediate Balancing Authorities.

                                                                                                                                                                                                                                                           Page 66 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               A Balancing Authority receiving Regulation Service shall
                                               ensure that backup plans are in place to provide
BAL-005-0.1b             R5.                   replacement Regulation Service should the supplying              MEDIUM         BA                                                                                                                      x
                                               Balancing Authority no longer be able to provide this
                                               service.
                                               The Balancing Authority’s AGC shall compare total Net
                                               Actual Interchange to total Net Scheduled Interchange plus
                                               Frequency Bias obligation to determine the Balancing
                                               Authority’s ACE. Single Balancing Authorities operating
BAL-005-0.1b             R6.                   asynchronously may employ alternative ACE calculations           MEDIUM         BA                                                                                                                      x
                                               such as (but not limited to) flat frequency control. If a
                                               Balancing Authority is unable to calculate ACE for more than
                                               30 minutes it shall notify its Reliability Coordinator.

                                               The Balancing Authority shall operate AGC continuously
                                               unless such operation adversely impacts the reliability of the
                                               Interconnection. If AGC has become inoperative, the
BAL-005-0.1b             R7.                                                                                    MEDIUM         BA                                                                                                                      x
                                               Balancing Authority shall use manual control to adjust
                                               generation to maintain the Net Scheduled Interchange.

                                               The Balancing Authority shall ensure that data acquisition
BAL-005-0.1b             R8.                   for and calculation of ACE occur at least every six seconds.     MEDIUM         BA                                                                                                                      x

                                               Each Balancing Authority shall provide redundant and
                                               independent frequency metering equipment that shall
BAL-005-0.1b             R8.1.                 automatically activate upon detection of failure of the          MEDIUM         BA                                                                                                                      x
                                               primary source. This overall installation shall provide a
                                               minimum availability of 99.95%.
                                               The Balancing Authority shall include all Interchange
                                               Schedules with Adjacent Balancing Authorities in the
BAL-005-0.1b             R9.                                                                                    LOWER          BA                                                                                                                      x
                                               calculation of Net Scheduled Interchange for the ACE
                                               equation.




                                                                                                                                                                                                                                                           Page 67 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Balancing Authorities with a high voltage direct current
                                               (HVDC) link to another Balancing Authority connected
                                               asynchronously to their Interconnection may choose to omit
BAL-005-0.1b             R9.1.                                                                                  LOWER          BA                                                                                                                      x
                                               the Interchange Schedule related to the HVDC link from the
                                               ACE equation if it is modeled as internal generation or load.

                                               The Balancing Authority shall include all Dynamic Schedules
BAL-005-0.1b             R10.                  in the calculation of Net Scheduled Interchange for the ACE       HIGH          BA          1             X                 X                                                                           x                    X
                                               equation.
                                               Balancing Authorities shall include the effect of ramp rates,
                                               which shall be identical and agreed to between affected
BAL-005-0.1b             R11.                                                                                   MEDIUM         BA                                                                                                                      x
                                               Balancing Authorities, in the Scheduled Interchange values
                                               to calculate ACE.
                                               Each Balancing Authority shall include all Tie Line flows with
BAL-005-0.1b             R12.                  Adjacent Balancing Authority Areas in the ACE calculation.       MEDIUM         BA                                                                                                                      x

                                               Balancing Authorities that share a tie shall ensure Tie Line
                                               MW metering is telemetered to both control centers, and
                                               emanates from a common, agreed-upon source using
BAL-005-0.1b             R12.1.                common primary metering equipment. Balancing                     LOWER          BA                                                                                                                      x
                                               Authorities shall ensure that megawatt-hour data is
                                               telemetered or reported at the end of each hour.

                                               Balancing Authorities shall ensure the power flow and ACE
                                               signals that are utilized for calculating Balancing Authority
                                               performance or that are transmitted for Regulation Service
BAL-005-0.1b             R12.2.                                                                                 MEDIUM         BA                                                                                                                      x
                                               are not filtered prior to transmission, except for the Anti-
                                               aliasing Filters of Tie Lines.

                                               Balancing Authorities shall install common metering
                                               equipment where Dynamic Schedules or Pseudo-Ties are
BAL-005-0.1b             R12.3.                implemented between two or more Balancing Authorities to         MEDIUM         BA                                                                                                                      x
                                               deliver the output of Jointly Owned Units or to serve remote
                                               load.




                                                                                                                                                                                                                                                           Page 68 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                 Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                   Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                  Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Each Balancing Authority shall perform hourly error checks
                                               using Tie Line megawatt-hour meters with common time
                                               synchronization to determine the accuracy of its control
                                               equipment. The Balancing Authority shall adjust the
BAL-005-0.1b             R13.                  component (e.g., Tie Line meter) of ACE that is in error (if   LOWER          BA                                                                                                                        x
                                               known) or use the interchange meter error (IME) term of the
                                               ACE equation to compensate for any equipment error until
                                               repairs can be made.

                                               The Balancing Authority shall provide its operating
                                               personnel with sufficient instrumentation and data recording
                                               equipment to facilitate monitoring of control performance,
                                               generation response, and after-the-fact analysis of area
BAL-005-0.1b             R14.                  performance. As a minimum, the Balancing Authority shall       LOWER          BA                                                                                                                        x
                                               provide its operating personnel with real-time values for
                                               ACE, Interconnection frequency and Net Actual Interchange
                                               with each Adjacent Balancing Authority Area.

                                               The Balancing Authority shall provide adequate and reliable
                                               backup power supplies and shall periodically test these
                                               supplies at the Balancing Authority’s control center and
BAL-005-0.1b             R15.                                                                                 LOWER          BA                                                                                                                        x
                                               other critical locations to ensure continuous operation of
                                               AGC and vital data recording equipment during loss of the
                                               normal power supply.
                                               The Balancing Authority shall sample data at least at the
                                               same periodicity with which ACE is calculated. The
                                               Balancing Authority shall flag missing or bad data for
                                               operator display and archival purposes. The Balancing
BAL-005-0.1b             R16.                                                                                 MEDIUM         BA                                                                                                                        x
                                               Authority shall collect coincident data to the greatest
                                               practical extent, i.e., ACE, Interconnection frequency, Net
                                               Actual Interchange, and other data shall all be sampled at
                                               the same time.




                                                                                                                                                                                                                                                           Page 69 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                 Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                   Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                  Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Each Balancing Authority shall at least annually check and
                                               calibrate its time error and frequency devices against a
                                               common reference. The Balancing Authority shall adhere to
BAL-005-0.1b             R17.                                                                                 MEDIUM         BA                                                                                                                        x
                                               the minimum values for measuring devices as listed below:
                                               See Standard for Values

                                               Each Balancing Authority shall calculate and record hourly
BAL-006-1                R1.                                                                                  LOWER          BA                                                                                                                        x
                                               Inadvertent Interchange.
                                               Each Balancing Authority shall include all AC tie lines that
                                               connect to its Adjacent Balancing Authority Areas in its
BAL-006-1                R2.                   Inadvertent Interchange account. The Balancing Authority       LOWER          BA                                                                                                                        x
                                               shall take into account interchange served by jointly owned
                                               generators.
                                               Each Balancing Authority shall ensure all of its Balancing
                                               Authority Area interconnection points are equipped with
BAL-006-1                R3.                   common megawatt-hour meters, with readings provided            LOWER          BA                                                              X                                                         x
                                               hourly to the control centers of Adjacent Balancing
                                               Authorities.
                                               Adjacent Balancing Authority Areas shall operate to a
                                               common Net Interchange Schedule and Actual Net
                                               Interchange value and shall record these hourly quantities,
BAL-006-1                R4.                                                                                  LOWER          BA                                                              X                                                         x
                                               with like values but opposite sign. Each Balancing Authority
                                               shall compute its Inadvertent Interchange based on the
                                               following:
                                               Each Balancing Authority, by the end of the next business
BAL-006-1                R4.1.                                                                                LOWER          BA                                                              X                                                         x
                                               day, shall agree with its Adjacent Balancing Authorities to:
BAL-006-1                R4.1.1.               The hourly values of Net Interchange Schedule.                 LOWER          BA                                                                                                                        x
                                               The hourly integrated megawatt-hour values of Net Actual
BAL-006-1                R4.1.2.                                                                              LOWER          BA                                                                                                                        x
                                               Interchange.
                                               Each Balancing Authority shall use the agreed-to daily and
                                               monthly accounting data to compile its monthly accumulated
BAL-006-1                R4.2.                                                                                LOWER          BA                                                              X                                                         x
                                               Inadvertent Interchange for the On-Peak and Off-Peak hours
                                               of the month.



                                                                                                                                                                                                                                                           Page 70 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                               Violation                Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                               Functions                            Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                  Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                  Monitored                              Audit               Reporting                            Check
                                                                                                                Factor                 Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               A Balancing Authority shall make after-the-fact corrections
                                               to the agreed-to daily and monthly accounting data only as
                                               needed to reflect actual operating conditions (e.g. a meter
                                               being used for control was sending bad data). Changes or
BAL-006-1                R4.3.                 corrections based on non-reliability considerations shall not   LOWER          BA                                                                                                                       x
                                               be reflected in the Balancing Authority’s Inadvertent
                                               Interchange. After-the-fact corrections to scheduled or
                                               actual values will not be accepted without agreement of the
                                               Adjacent Balancing Authority(ies).

                                               Adjacent Balancing Authorities that cannot mutually agree
                                               upon their respective Net Actual Interchange or Net
                                               Scheduled Interchange quantities by the 15th calendar day
                                               of the following month shall, for the purposes of dispute
BAL-006-1                R5.                                                                                   LOWER          BA                                                                              X                                        x
                                               resolution, submit a report to their respective Regional
                                               Reliability Organization Survey Contact. The report shall
                                               describe the nature and the cause of the dispute as well as
                                               a process for correcting the discrepancy.
                                               COMMUNICATIONS
                                               Each Reliability Coordinator, Transmission Operator, and
                                               Balancing Authority shall provide adequate and reliable                      BA, RC,
COM-001-1.1              R1.                                                                                    HIGH                      1,3             X                X                                                                                                X
                                               telecommunications facilities for the exchange of                             TOP
                                               Interconnection and operating information:
                                                                                                                            BA, RC,
COM-001-1.1              R1.1.                 Internally.                                                      HIGH                      1,3             X                X                                                                                                X
                                                                                                                             TOP
                                               Between the Reliability Coordinator and its Transmission                     BA, RC,
COM-001-1.1              R1.2.                                                                                  HIGH                      1,3             X                X                                                                                                X
                                               Operators and Balancing Authorities.                                          TOP
                                               With other Reliability Coordinators, Transmission Operators,
                                                                                                                            BA, RC,
COM-001-1.1              R1.3.                 and Balancing Authorities as necessary to maintain               HIGH                      1,3             X                X                                                                                                X
                                                                                                                             TOP
                                               reliability.
                                               Where applicable, these facilities shall be redundant and                    BA, RC,
COM-001-1.1              R1.4.                                                                                  HIGH                      1,3             X                X                                                                                                X
                                               diversely routed.                                                             TOP




                                                                                                                                                                                                                                                           Page 71 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Each Reliability Coordinator, Transmission Operator, and
                                               Balancing Authority shall manage, alarm, test and/or actively
                                                                                                                             BA, RC,
COM-001-1.1              R2.                   monitor vital telecommunications facilities. Special attention   MEDIUM                                                                                                                           x      x
                                                                                                                              TOP
                                               shall be given to emergency telecommunications facilities
                                               and equipment not used for routine communications.

                                               Each Reliability Coordinator, Transmission Operator and
                                               Balancing Authority shall provide a means to coordinate
                                               telecommunications among their respective areas. This                         BA, RC,
COM-001-1.1              R3.                                                                                    LOWER
                                               coordination shall include the ability to investigate and                      TOP
                                               recommend solutions to telecommunications problems
                                               within the area and with other areas.

                                               Unless agreed to otherwise, each Reliability Coordinator,
                                               Transmission Operator, and Balancing Authority shall use
                                               English as the language for all communications between
                                               and among operating personnel responsible for the real-                       BA, RC,
COM-001-1.1              R4.                                                                                    MEDIUM
                                               time generation control and operation of the interconnected                    TOP
                                               Bulk Electric System. Transmission Operators and
                                               Balancing Authorities may use an alternate language for
                                               internal operations.

                                               Each Reliability Coordinator, Transmission Operator, and
                                               Balancing Authority shall have written operating instructions                 BA, RC,
COM-001-1.1              R5.                                                                                    LOWER                      3              X                X                                                                     x      x
                                               and procedures to enable continued operation of the system                     TOP
                                               during the loss of telecommunications facilities.
                                               Each NERCNet User Organization shall adhere to the
                                                                                                                            NERC_Net
COM-001-1.1              R6.                   requirements in Attachment 1-COM-001-0, ―NERCNet                 LOWER
                                                                                                                              Users
                                               Security Policy.‖
                                               Each Transmission Operator, Balancing Authority, and
                                               Generator Operator shall have communications (voice and
                                               data links) with appropriate Reliability Coordinators,                       BA, GOP,
COM-002-2                R1.                                                                                     HIGH                      1              X                X                                                                            x                    X
                                               Balancing Authorities, and Transmission Operators. Such                        TOP
                                               communications shall be staffed and available for
                                               addressing a real-time emergency condition.
                                                                                                                                                                                                                                                            Page 72 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                                 Violation                Risk         Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                                 Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                    Monitored                             Audit               Reporting                            Check
                                                                                                                  Factor                 Criteria        n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                               Each Balancing Authority and Transmission Operator shall
                                               notify its Reliability Coordinator, and all other potentially
                                               affected Balancing Authorities and Transmission Operators
COM-002-2                R1.1.                                                                                    HIGH       BA, TOP        1              X                X                                                                            x                    X
                                               through predetermined communication paths of any
                                               condition that could threaten the reliability of its area or
                                               when firm load shedding is anticipated.

                                               Each Reliability Coordinator, Transmission Operator, and
                                               Balancing Authority shall issue directives in a clear, concise,
                                               and definitive manner; shall ensure the recipient of the                       BA, RC,
COM-002-2                R2.                                                                                     MEDIUM                    5,3             X                X                                                                            x
                                               directive repeats the information back correctly; and shall                     TOP
                                               acknowledge the response as correct or repeat the original
                                               statement to resolve any misunderstandings.
                                               CRITICAL INFRASTRUCTURE PROTECTION
                                               Each Reliability Coordinator, Balancing Authority,
                                               Transmission Operator, Generator Operator, and Load-
                                                                                                                             BA, GOP,
                                               Serving Entity shall have procedures for the recognition of
CIP-001-1                R1.                                                                                     MEDIUM      LSE, RC,      2,6             X                X                                                                     x      x                    X
                                               and for making their operating personnel aware of sabotage
                                                                                                                               TOP
                                               events on its facilities and multi site sabotage affecting
                                               larger portions of the Interconnection.
                                               Each Reliability Coordinator, Balancing Authority,
                                               Transmission Operator, Generator Operator, and Load-                          BA, GOP,
CIP-001-1                R2.                   Serving Entity shall have procedures for the communication        MEDIUM      LSE, RC,      2,6             X                X                                                                     x      x                    X
                                               of information concerning sabotage events to appropriate                        TOP
                                               parties in the Interconnection.
                                               Each Reliability Coordinator, Balancing Authority,
                                               Transmission Operator, Generator Operator, and Load-                          BA, GOP,
CIP-001-1                R3.                   Serving Entity shall provide its operating personnel with         MEDIUM      LSE, RC,      2,6             X                X                                                                     x      x                    X
                                               sabotage response guidelines, including personnel to                            TOP
                                               contact, for reporting disturbances due to sabotage events.




                                                                                                                                                                                                                                                             Page 73 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007       2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual     Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program    Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Each Reliability Coordinator, Balancing Authority,
                                               Transmission Operator, Generator Operator, and Load-
                                               Serving Entity shall establish communications contacts, as                 BA, GOP,
CIP-001-1                R4.                   applicable, with local Federal Bureau of Investigation (FBI)   MEDIUM      LSE, RC,        2,6             X                X                                                                     x      x                    X
                                               or Royal Canadian Mounted Police (RCMP) officials and                        TOP
                                               develop reporting procedures as appropriate to their
                                               circumstances.

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Critical Asset Identification Method — The Responsible                      RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                     Semi-
CIP-002-1                R1.                   Entity shall identify and document a risk-based assessment                  TOP, TSP,       6                               X                                                  X                         x             July 1,
                                                                                                                                                     Annual
                                               methodology to use to identify its Critical Assets.                            NERC                                                                                                                                     2009
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall maintain documentation                         RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                     Semi-
CIP-002-1                R1.1.                 describing its risk-based assessment methodology that                       TOP, TSP,       6                               X                                                  X                         x             July 1,
                                                                                                                                                     Annual
                                               includes procedures and evaluation criteria.                                   NERC                                                                                                                                     2009
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,                                                                                                                                  Beginning
                                               The risk-based assessment shall consider the following                                                Semi-
CIP-002-1                R1.2.                                                                                             TOP, TSP,       6                               X                                                  X                         x             July 1,
                                               assets:                                                                                               Annual
                                                                                                                              NERC                                                                                                                                     2009
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table
                                                                                                                                                                                                                                                            Page 74 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                      2010 Compliance Monitoring and Enforcement Program
                                                                                                   Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                  Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                  Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                           Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                     Monitored                               Audit               Reporting                            Check
                                                                                                                   Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               Control centers and backup control centers performing the                       RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-002-1                R1.2.1.               functions of the entities listed in the Applicability section of                TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               this standard.                                                                     NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                                                                                                               RRO, TO,                                                                                                                                 Beginning
                                               Transmission substations that support the reliable operation                                              Semi-
CIP-002-1                R1.2.2.                                                                                               TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               of the Bulk Electric System.                                                                              Annual
                                                                                                                                  NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                                                                                                               RRO, TO,                                                                                                                                 Beginning
                                               Generation resources that support the reliable operation of                                               Semi-
CIP-002-1                R1.2.3.                                                                                               TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               the Bulk Electric System.                                                                                 Annual
                                                                                                                                  NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table




                                                                                                                                                                                                                                                               Page 75 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                  Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                  Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                           Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                     Monitored                               Audit               Reporting                            Check
                                                                                                                   Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               Systems and facilities critical to system restoration, including                RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-002-1                R1.2.4.               blackstart generators and substations in the electrical path                    TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               of transmission lines used for initial system restoration.                         NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               Systems and facilities critical to automatic load shedding                      RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-002-1                R1.2.5.               under a common control system capable of shedding 300                           TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               MW or more.                                                                        NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                                                                                                               RRO, TO,                                                                                                                                 Beginning
                                               Special Protection Systems that support the reliable                                                      Semi-
CIP-002-1                R1.2.6.                                                                                               TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               operation of the Bulk Electric System.                                                                    Annual
                                                                                                                                  NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table




                                                                                                                                                                                                                                                               Page 76 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                  Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                  Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                           Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                     Monitored                               Audit               Reporting                            Check
                                                                                                                   Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               Any additional assets that support the reliable operation of                    RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-002-1                R1.2.7.               the Bulk Electric System that the Responsible Entity deems                      TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               appropriate to include in its assessment.                                          NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                               Critical Asset Identification — The Responsible Entity shall
                                                                                                                                LSE, RC,
                                               develop a list of its identified Critical Assets determined
                                                                                                                               RRO, TO,                                                                                                                                 Beginning
                                               through an annual application of the risk-based assessment                                                Semi-
CIP-002-1                R2.                                                                                                   TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               methodology required in R1. The Responsible Entity shall                                                  Annual
                                                                                                                                  NERC                                                                                                                                    2009
                                               review this list at least annually,
                                                                                                                                   See
                                               and update it as necessary.
                                                                                                                              Implementa
                                                                                                                               tion Table


                                               Critical Cyber Asset Identification — Using the list of Critical
                                               Assets developed pursuant to Requirement R2, the
                                               Responsible Entity shall develop a list of associated Critical                   BA, GO,
                                               Cyber Assets essential to the operation of the Critical Asset.                   GOP, IA,
                                               Examples at control centers and backup control                                   LSE, RC,
                                               centers include systems and facilities at master and remote                     RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-002-1                R3.                   sites that provide monitoring and control, automatic                            TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               generation control, real-time power system modeling, and                           NERC                                                                                                                                    2009
                                               real-time interutility data exchange. The Responsible Entity                        See
                                               shall review this list at least annually, and update it as                     Implementa
                                               necessary. For the purpose of Standard CIP-002, Critical                        tion Table
                                               Cyber Assets are further qualified to be those having at least
                                               one of the following characteristics:




                                                                                                                                                                                                                                                               Page 77 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                            Violation                   Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                            Functions                               Compliance            Exception                             Spot
                                                                      Text of Requirement                     Risk                     Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                               Monitored                                 Audit               Reporting                            Check
                                                                                                             Factor                    Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                   Beginning
                                               The Cyber Asset uses a routable protocol to communicate                                               Semi-
CIP-002-1                R3.1.                                                                                           TOP, TSP,         6                               X                                                  X                        x             July 1,
                                               outside the Electronic Security Perimeter; or,                                                        Annual
                                                                                                                            NERC                                                                                                                                      2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                   Beginning
                                               The Cyber Asset uses a routable protocol within a control                                             Semi-
CIP-002-1                R3.2.                                                                                           TOP, TSP,         6                               X                                                  X                        x             July 1,
                                               center; or,                                                                                           Annual
                                                                                                                            NERC                                                                                                                                      2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                   Beginning
                                                                                                                                                     Semi-
CIP-002-1                R3.3.                 The Cyber Asset is dial-up accessible.                                    TOP, TSP,         6                               X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                                                                                                            NERC                                                                                                                                      2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table




                                                                                                                                                                                                                                                           Page 78 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                  Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                  Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                           Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                     Monitored                               Audit               Reporting                            Check
                                                                                                                   Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                               Annual Approval — A senior manager or delegate(s) shall                          BA, GO,
                                               approve annually the list of Critical Assets and the list of                     GOP, IA,
                                               Critical Cyber Assets. Based on Requirements R1, R2, and                         LSE, RC,
                                               R3 the Responsible Entity may determine that it has no                          RRO, TO,
                                                                                                                                                         Semi-
CIP-002-1                R4.                   Critical Assets or Critical Cyber Assets. The Responsible                       TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                         Annual
                                               Entity shall keep a signed and dated record of the senior                          NERC
                                               manager or delegate(s)’s approval of the list of Critical                           See
                                               Assets and the list of Critical Cyber Assets (even if such lists               Implementa
                                               are null.)                                                                      tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                               Cyber Security Policy — The Responsible Entity shall                             LSE, RC,
                                               document and implement a cyber security policy that                             RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-003-1                R1.                   represents management’s commitment and ability to secure                        TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               its Critical Cyber Assets. The Responsible Entity shall, at                        NERC                                                                                                                                    2009
                                               minimum, ensure the following:                                                      See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               The cyber security policy addresses the requirements in                         RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-003-1                R1.1.                 Standards CIP-002 through CIP-009, including provision for                      TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               emergency situations.                                                              NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table




                                                                                                                                                                                                                                                               Page 79 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                         RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                           1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                   2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                  3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                            4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                            6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                    Registered Entity-Specific Considerations:
                                                                                                                                                      a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                      b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                      * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                               Periodic
                                                                                                                                                                                 Data
                                                                                                                                                                              Submittals
   Reliability
                                                                                                                 Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                 Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                    Monitored                               Audit               Reporting                            Check
                                                                                                                  Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                              A: Annual
                                                                                                                                                                               X:Region
                                                                                                                                                                              Specified

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               The cyber security policy is readily available to all personnel                RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                        Semi-
CIP-003-1                R1.2.                 who have access to, or are responsible for, Critical Cyber                     TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                        Annual
                                               Assets.                                                                           NERC                                                                                                                                    2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                                                                                                              RRO, TO,                                                                                                                                 Beginning
                                               Annual review and approval of the cyber security policy by                                               Semi-
CIP-003-1                R1.3.                                                                                                TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               the senior manager assigned pursuant to R2.                                                              Annual
                                                                                                                                 NERC                                                                                                                                    2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Leadership — The Responsible Entity shall assign a senior
                                                                                                                              RRO, TO,                                                                                                                                 Beginning
                                               manager with overall responsibility for leading and                                                      Semi-
CIP-003-1                R2.                                                                                                  TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               managing the entity’s implementation of, and adherence to,                                               Annual
                                                                                                                                 NERC                                                                                                                                    2009
                                               Standards CIP-002 through CIP-009.
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table




                                                                                                                                                                                                                                                              Page 80 of 235
           Requirements Detail                                                                                                                                                                                                                                    2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                            Violation                   Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                            Functions                               Compliance            Exception                             Spot
                                                                      Text of Requirement                     Risk                     Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                               Monitored                                 Audit               Reporting                            Check
                                                                                                             Factor                    Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                   Beginning
                                               The senior manager shall be identified by name, title,                                                Semi-
CIP-003-1                R2.1.                                                                                           TOP, TSP,         6                               X                                                  X                        x             July 1,
                                               business phone, business address, and date of designation.                                            Annual
                                                                                                                            NERC                                                                                                                                      2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                   Beginning
                                               Changes to the senior manager must be documented within                                               Semi-
CIP-003-1                R2.2.                                                                                           TOP, TSP,         6                               X                                                  X                        x             July 1,
                                               thirty calendar days of the effective date.                                                           Annual
                                                                                                                            NERC                                                                                                                                      2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                               The senior manager or delegate(s), shall authorize and                    RRO, TO,                                                                                                                                   Beginning
                                                                                                                                                     Semi-
CIP-003-1                R2.3.                 document any exception from the requirements of the cyber                 TOP, TSP,         6                               X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                               security policy.                                                             NERC                                                                                                                                      2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table




                                                                                                                                                                                                                                                           Page 81 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Exceptions — Instances where the Responsible Entity
                                                                                                                           RRO, TO,                                                                                                                                 Beginning
                                               cannot conform to its cyber security policy must be                                                   Semi-
CIP-003-1                R3.                                                                                               TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               documented as exceptions and authorized by the senior                                                 Annual
                                                                                                                              NERC                                                                                                                                    2009
                                               manager or delegate(s).
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Exceptions to the Responsible Entity’s cyber security policy                RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                     Semi-
CIP-003-1                R3.1.                 must be documented within thirty days of being approved by                  TOP, TSP,       6                               X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                               the senior manager or delegate(s).                                             NERC                                                                                                                                    2009
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Documented exceptions to the cyber security policy must
                                                                                                                           RRO, TO,                                                                                                                                 Beginning
                                               include an explanation as to why the exception is necessary                                           Semi-
CIP-003-1                R3.2.                                                                                             TOP, TSP,       6                               X                                                  X                        x             July 1,
                                               and any compensating measures, or a statement accepting                                               Annual
                                                                                                                              NERC                                                                                                                                    2009
                                               risk.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                           Page 82 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Authorized exceptions to the cyber security policy must be
                                                                                                                          RRO, TO,                                                                                                                                  Beginning
                                               reviewed and approved annually by the senior manager or                                               Semi-
CIP-003-1                R3.3.                                                                                            TOP, TSP,        6                               X                                                  X                        x             July 1,
                                               delegate(s) to ensure the exceptions are still required and                                           Annual
                                                                                                                             NERC                                                                                                                                     2009
                                               valid. Such review and approval shall be documented.
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Information Protection — The Responsible Entity shall                      RRO, TO,
                                                                                                                                                     Semi-
CIP-003-1                R4.                   implement and document a program to identify, classify, and                TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               protect information associated with Critical Cyber Assets.                    NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                               The Critical Cyber Asset information to be protected shall
                                                                                                                           GOP, IA,
                                               include, at a minimum and regardless of media type,
                                                                                                                           LSE, RC,
                                               operational procedures, lists as required in Standard CIP-
                                                                                                                          RRO, TO,
                                               002, network topology or similar diagrams, floor plans of                                             Semi-
CIP-003-1                R4.1.                                                                                            TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               computing centers that contain Critical Cyber Assets,                                                 Annual
                                                                                                                             NERC
                                               equipment layouts of Critical Cyber Assets, disaster
                                                                                                                              See
                                               recovery plans, incident response plans, and security
                                                                                                                         Implementa
                                               configuration information.
                                                                                                                          tion Table




                                                                                                                                                                                                                                                           Page 83 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                        RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                          1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                  2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                 3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                           4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                               5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                           6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                   Registered Entity-Specific Considerations:
                                                                                                                                                     a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                     b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                     * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                              Periodic
                                                                                                                                                                                Data
                                                                                                                                                                             Submittals
   Reliability
                                                                                                                Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                                Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                   Monitored                               Audit               Reporting                            Check
                                                                                                                 Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                             A: Annual
                                                                                                                                                                              X:Region
                                                                                                                                                                             Specified

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                                                                                                              LSE, RC,
                                               The Responsible Entity shall classify information to be                       RRO, TO,
                                                                                                                                                       Semi-
CIP-003-1                R4.2.                 protected under this program based on the sensitivity of the                  TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                       Annual
                                               Critical Cyber Asset information.                                                NERC
                                                                                                                                 See
                                                                                                                            Implementa
                                                                                                                             tion Table

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                               The Responsible Entity shall, at least annually, assess                        LSE, RC,
                                               adherence to its Critical Cyber Asset information protection                  RRO, TO,
                                                                                                                                                       Semi-
CIP-003-1                R4.3.                 program, document the assessment results, and implement                       TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                       Annual
                                               an action plan to remediate deficiencies identified during the                   NERC
                                               assessment.                                                                       See
                                                                                                                            Implementa
                                                                                                                             tion Table

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                                                                                                              LSE, RC,
                                               Access Control — The Responsible Entity shall document                        RRO, TO,
                                                                                                                                                       Semi-
CIP-003-1                R5.                   and implement a program for managing access to protected                      TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                       Annual
                                               Critical Cyber Asset information.                                                NERC
                                                                                                                                 See
                                                                                                                            Implementa
                                                                                                                             tion Table




                                                                                                                                                                                                                                                           Page 84 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall maintain a list of designated                  RRO, TO,
                                                                                                                                                     Semi-
CIP-003-1                R5.1.                 personnel who are responsible for authorizing logical or                    TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               physical access to protected information.                                      NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Personnel shall be identified by name, title, business phone                RRO, TO,
                                                                                                                                                     Semi-
CIP-003-1                R5.1.1.               and the information for which they are responsible for                      TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               authorizing access.                                                            NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               The list of personnel responsible for authorizing access to                                           Semi-
CIP-003-1                R5.1.2.                                                                                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               protected information shall be verified at least annually.                                            Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 85 of 235
           Requirements Detail                                                                                                                                                                                                                               2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               The Responsible Entity shall review at least annually the                    LSE, RC,
                                               access privileges to protected information to confirm that                  RRO, TO,
                                                                                                                                                     Semi-
CIP-003-1                R5.2.                 access privileges are correct and that they correspond with                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               the Responsible Entity’s needs and appropriate personnel                       NERC
                                               roles and responsibilities.                                                     See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall assess and document at least                   RRO, TO,
                                                                                                                                                     Semi-
CIP-003-1                R5.3.                 annually the processes for controlling access privileges to                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               protected information.                                                         NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                               Change Control and Configuration Management — The                            BA, GO,
                                               Responsible Entity shall establish and document a process                    GOP, IA,
                                               of change control and configuration management for adding,                   LSE, RC,
                                               modifying, replacing, or removing Critical Cyber Asset                      RRO, TO,
                                                                                                                                                     Semi-
CIP-003-1                R6.                   hardware or software, and implement supporting                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               configuration management activities to identify, control and                   NERC
                                               document all entity or vendor related changes to hardware                       See
                                               and software components of Critical Cyber Assets pursuant                  Implementa
                                               to the change control process.                                              tion Table




                                                                                                                                                                                                                                                         Page 86 of 235
           Requirements Detail                                                                                                                                                                                                                               2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Awareness — The Responsible Entity shall establish,
                                               maintain, and document a security awareness program to                       BA, GO,
                                               ensure personnel having authorized cyber or authorized                       GOP, IA,
                                               unescorted physical access receive on-going reinforcement                    LSE, RC,
                                               in sound security practices. The program shall                              RRO, TO,
                                                                                                                                                     Semi-
CIP-004-1                R1.                   include security awareness reinforcement on at least a                      TOP, TSP,    6, 2(X)                     eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               quarterly basis using mechanisms such as: Direct                               NERC
                                               communications (e.g., emails, memos, computer based                             See
                                               training, etc.); Indirect communications (e.g., posters,                   Implementa
                                               intranet, brochures, etc.); Management support and                          tion Table
                                               reinforcement (e.g., presentations, meetings, etc.).

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               Training — The Responsible Entity shall establish, maintain,                 LSE, RC,
                                               and document an annual cyber security training program for                  RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                     Semi-
CIP-004-1                R2.                   personnel having authorized cyber or authorized unescorted                  TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                               physical access to Critical Cyber Assets, and review the                       NERC                                                                                                                                    2009
                                               program annually and update as necessary.                                       See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               This program will ensure that all personnel having such
                                                                                                                           RRO, TO,                                                                                                                                 Beginning
                                               access to Critical Cyber Assets, including contractors and                                            Semi-
CIP-004-1                R2.1.                                                                                             TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                               service vendors, are trained within ninety calendar days of                                           Annual
                                                                                                                              NERC                                                                                                                                    2009
                                               such authorization.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                           Page 87 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                               Training shall cover the policies, access controls, and                     LSE, RC,
                                               procedures as developed for the Critical Cyber Assets                      RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                     Semi-
CIP-004-1                R2.2.                 covered by CIP-004, and include, at a minimum, the                         TOP, TSP,     6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                               following required items appropriate to personnel roles and                   NERC                                                                                                                                     2009
                                               responsibilities:                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                     Semi-
CIP-004-1                R2.2.1.               The proper use of Critical Cyber Assets;                                   TOP, TSP,     6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                                                                                                             NERC                                                                                                                                     2009
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,                                                                                                                                  Beginning
                                               Physical and electronic access controls to Critical Cyber                                             Semi-
CIP-004-1                R2.2.2.                                                                                          TOP, TSP,     6, 2(X)                            X                                                  X                        x             July 1,
                                               Assets;                                                                                               Annual
                                                                                                                             NERC                                                                                                                                     2009
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                           Page 88 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                         RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                           1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                   2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                  3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                            4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                            6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                    Registered Entity-Specific Considerations:
                                                                                                                                                      a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                      b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                      * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                               Periodic
                                                                                                                                                                                 Data
                                                                                                                                                                              Submittals
   Reliability
                                                                                                                 Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                 Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                    Monitored                               Audit               Reporting                            Check
                                                                                                                  Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                              A: Annual
                                                                                                                                                                               X:Region
                                                                                                                                                                              Specified

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                                                                                                              RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                        Semi-
CIP-004-1                R2.2.3.               The proper handling of Critical Cyber Asset information; and,                  TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                        Annual
                                                                                                                                 NERC                                                                                                                                    2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Action plans and procedures to recover or re-establish                         RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                        Semi-
CIP-004-1                R2.2.4.               Critical Cyber Assets and access thereto following a Cyber                     TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                        Annual
                                               Security Incident.                                                                NERC                                                                                                                                    2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               The Responsible Entity shall maintain documentation that                       RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                        Semi-
CIP-004-1                R2.3.                 training is conducted at least annually, including the date the                TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                        Annual
                                               training was completed and attendance records.                                    NERC                                                                                                                                    2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table




                                                                                                                                                                                                                                                              Page 89 of 235
           Requirements Detail                                                                                                                                                                                                                                    2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                  Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                                  Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                           Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                     Monitored                               Audit               Reporting                            Check
                                                                                                                   Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                               Personnel Risk Assessment —The Responsible Entity shall                          BA, GO,
                                               have a documented personnel risk assessment program, in                          GOP, IA,
                                               accordance with federal, state, provincial, and local laws,                      LSE, RC,
                                               and subject to existing collective bargaining unit                              RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-004-1                R3.                   agreements, for personnel having authorized cyber or                            TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               authorized unescorted physical access. A personnel risk                            NERC                                                                                                                                    2009
                                               assessment shall be conducted pursuant to that program                              See
                                               within thirty days of such personnel being granted such                        Implementa
                                               access. Such program shall at a minimum include:                                tion Table

                                                                                                                                BA, GO,
                                               The Responsible Entity shall ensure that each assessment                         GOP, IA,
                                               conducted include, at least, identity verification (e.g., Social                 LSE, RC,
                                               Security Number verification in the U.S.) and seven year                        RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-004-1                R3.1.                 criminal check. The Responsible Entity may conduct more                         TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               detailed reviews, as permitted by law and subject to existing                      NERC                                                                                                                                    2009
                                               collective bargaining unit agreements, depending upon the                           See
                                               criticality of the position.                                                   Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               The Responsible Entity shall update each personnel risk                         RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                         Semi-
CIP-004-1                R3.2.                 assessment at least every seven years after the initial                         TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                         Annual
                                               personnel risk assessment or for cause.                                            NERC                                                                                                                                    2009
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table




                                                                                                                                                                                                                                                               Page 90 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008             2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual           Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program          Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                               The Responsible Entity shall document the results of                         GOP, IA,
                                               personnel risk assessments of its personnel having                           LSE, RC,
                                               authorized cyber or authorized unescorted physical access                   RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                     Semi-
CIP-004-1                R3.3.                 to Critical Cyber Assets, and that personnel risk                           TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                               assessments of contractor and service vendor personnel                         NERC                                                                                                                                    2009
                                               with such access are conducted pursuant to Standard CIP-                        See
                                               004.                                                                       Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               Access — The Responsible Entity shall maintain list(s) of                    LSE, RC,
                                               personnel with authorized cyber or authorized unescorted                    RRO, TO,                                                                                                                                 Beginning
                                                                                                                                                     Semi-
CIP-004-1                R4.                   physical access to Critical Cyber Assets, including their                   TOP, TSP,    6, 2(X)                            X                                                  X                        x             July 1,
                                                                                                                                                     Annual
                                               specific electronic and physical access rights to Critical                     NERC                                                                                                                                    2009
                                               Cyber Assets.                                                                   See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                               The Responsible Entity shall review the list(s) of its
                                                                                                                            GOP, IA,
                                               personnel who have such access to Critical Cyber Assets
                                                                                                                            LSE, RC,
                                               quarterly, and update the list(s) within seven calendar days
                                                                                                                           RRO, TO,
                                               of any change of personnel with such access to Critical                                               Semi-
CIP-004-1                R4.1.                                                                                             TOP, TSP,    6, 2(X)                            X                                                  X
                                               Cyber Assets, or any change in the access rights of such                                              Annual
                                                                                                                              NERC
                                               personnel. The Responsible Entity shall ensure access
                                                                                                                               See
                                               list(s) for contractors and service vendors are properly
                                                                                                                          Implementa
                                               maintained.
                                                                                                                           tion Table




                                                                                                                                                                                                                                                           Page 91 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                        RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                          1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                  2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                 3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                           4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                               5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                           6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                   Registered Entity-Specific Considerations:
                                                                                                                                                     a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                     b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                     * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                              Periodic
                                                                                                                                                                                Data
                                                                                                                                                                             Submittals
   Reliability
                                                                                                                Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                                Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                   Monitored                               Audit               Reporting                            Check
                                                                                                                 Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                             A: Annual
                                                                                                                                                                              X:Region
                                                                                                                                                                             Specified

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                                                                                                              LSE, RC,
                                               The Responsible Entity shall revoke such access to Critical
                                                                                                                             RRO, TO,
                                               Cyber Assets within 24 hours for personnel terminated for                                               Semi-
CIP-004-1                R4.2.                                                                                               TOP, TSP,    6, 2(X)                            X                                                  X
                                               cause and within seven calendar days for personnel who no                                               Annual
                                                                                                                                NERC
                                               longer require such access to Critical Cyber Assets.
                                                                                                                                 See
                                                                                                                            Implementa
                                                                                                                             tion Table

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                               Electronic Security Perimeter — The Responsible Entity                         LSE, RC,
                                               shall ensure that every Critical Cyber Asset resides within an                RRO, TO,
                                                                                                                                                       Semi-
CIP-005-1                R1.                   Electronic Security Perimeter. The Responsible Entity shall                   TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                       Annual
                                               identify and document the Electronic Security Perimeter(s)                       NERC
                                               and all access points to the perimeter(s).                                        See
                                                                                                                            Implementa
                                                                                                                             tion Table

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                                                                                                              LSE, RC,
                                               Access points to the Electronic Security Perimeter(s) shall
                                                                                                                             RRO, TO,
                                               include any externally connected communication end point                                                Semi-
CIP-005-1                R1.1.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               (for example, dial-up modems) terminating at any device                                                 Annual
                                                                                                                                NERC
                                               within the Electronic Security Perimeter(s).
                                                                                                                                 See
                                                                                                                            Implementa
                                                                                                                             tion Table




                                                                                                                                                                                                                                                           Page 92 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                        RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                          1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                  2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                 3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                           4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                               5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                           6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                   Registered Entity-Specific Considerations:
                                                                                                                                                     a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                     b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                     * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                              Periodic
                                                                                                                                                                                Data
                                                                                                                                                                             Submittals
   Reliability
                                                                                                                Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                                Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                   Monitored                               Audit               Reporting                            Check
                                                                                                                 Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                             A: Annual
                                                                                                                                                                              X:Region
                                                                                                                                                                             Specified

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                                                                                                              LSE, RC,
                                               For a dial-up accessible Critical Cyber Asset that uses a non-
                                                                                                                             RRO, TO,
                                               routable protocol, the Responsible Entity shall define an                                               Semi-
CIP-005-1                R1.2.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Electronic Security Perimeter for that single access point at                                           Annual
                                                                                                                                NERC
                                               the dial-up device.
                                                                                                                                 See
                                                                                                                            Implementa
                                                                                                                             tion Table

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                               Communication links connecting discrete Electronic Security
                                                                                                                              LSE, RC,
                                               Perimeters shall not be considered part of the Electronic
                                                                                                                             RRO, TO,
                                               Security Perimeter. However, end points of these                                                        Semi-
CIP-005-1                R1.3.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               communication links within the Electronic Security                                                      Annual
                                                                                                                                NERC
                                               Perimeter(s) shall be considered access points to the
                                                                                                                                 See
                                               Electronic Security Perimeter(s).
                                                                                                                            Implementa
                                                                                                                             tion Table

                                                                                                                              BA, GO,
                                                                                                                              GOP, IA,
                                                                                                                              LSE, RC,
                                               Any non-critical Cyber Asset within a defined Electronic                      RRO, TO,
                                                                                                                                                       Semi-
CIP-005-1                R1.4.                 Security Perimeter shall be identified and protected pursuant                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                       Annual
                                               to the requirements of Standard CIP-005.                                         NERC
                                                                                                                                 See
                                                                                                                            Implementa
                                                                                                                             tion Table




                                                                                                                                                                                                                                                           Page 93 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                               Cyber Assets used in the access control and monitoring of                     GOP, IA,
                                               the Electronic Security Perimeter(s) shall be afforded the                    LSE, RC,
                                               protective measures as a specified in Standard CIP-003,                      RRO, TO,
                                                                                                                                                      Semi-
CIP-005-1                R1.5.                 Standard CIP-004 Requirement R3, Standard CIP-005                            TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               Requirements R2 and R3, Standard CIP-006 Requirements                           NERC
                                               R2 and R3, Standard CIP-007, Requirements R1 and R3                              See
                                               through R9, Standard CIP-008, and Standard CIP-009.                         Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               The Responsible Entity shall maintain documentation of
                                                                                                                             LSE, RC,
                                               Electronic Security Perimeter(s), all interconnected Critical
                                                                                                                            RRO, TO,
                                               and non-critical Cyber Assets within the Electronic Security                                           Semi-
CIP-005-1                R1.6.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Perimeter(s), all electronic access points to the Electronic                                           Annual
                                                                                                                               NERC
                                               Security Perimeter(s) and the Cyber Assets deployed for the
                                                                                                                                See
                                               access control and monitoring of these access points.
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               Electronic Access Controls — The Responsible Entity shall                     LSE, RC,
                                               implement and document the organizational processes and                      RRO, TO,
                                                                                                                                                      Semi-
CIP-005-1                R2.                   technical and procedural mechanisms for control of                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               electronic access at all electronic access points to the                        NERC
                                               Electronic Security Perimeter(s).                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 94 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               These processes and mechanisms shall use an access                           RRO, TO,
                                                                                                                                                      Semi-
CIP-005-1                R2.1.                 control model that denies access by default, such that                       TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               explicit access permissions must be specified.                                  NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               At all access points to the Electronic Security Perimeter(s),
                                                                                                                             LSE, RC,
                                               the Responsible Entity shall enable only ports and services
                                                                                                                            RRO, TO,
                                               required for operations and for monitoring Cyber Assets                                                Semi-
CIP-005-1                R2.2.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               within the Electronic Security Perimeter, and shall                                                    Annual
                                                                                                                               NERC
                                               document, individually or by specified grouping, the
                                                                                                                                See
                                               configuration of those ports and services.
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               The Responsible Entity shall maintain a procedure for                        RRO, TO,
                                                                                                                                                      Semi-
CIP-005-1                R2.3.                 securing dial-up access to the Electronic Security                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               Perimeter(s).                                                                   NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 95 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                               Where external interactive access into the Electronic                       LSE, RC,
                                               Security Perimeter has been enabled, the Responsible                       RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R2.4.                 Entity shall implement strong procedural or technical                      TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               controls at the access points to ensure authenticity of the                   NERC
                                               accessing party, where technically feasible.                                   See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                               The required documentation shall, at least, identify and                                              Semi-
CIP-005-1                R2.5.                                                                                            TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               describe:                                                                                             Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R2.5.1.               The processes for access request and authorization.                        TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                         Page 96 of 235
           Requirements Detail                                                                                                                                                                                                                               2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R2.5.2.               The authentication methods.                                                TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                               The review process for authorization rights, in accordance                                            Semi-
CIP-005-1                R2.5.3.                                                                                          TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               with Standard CIP-004 Requirement R4.                                                                 Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R2.5.4.               The controls used to secure dial-up accessible connections.                TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                         Page 97 of 235
           Requirements Detail                                                                                                                                                                                                                               2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                            Violation                   Risk          Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                            Functions                               Compliance            Exception                             Spot
                                                                      Text of Requirement                     Risk                     Based       Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                               Monitored                                 Audit               Reporting                            Check
                                                                                                             Factor                    Criteria         n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                               Appropriate Use Banner — Where technically feasible,                       LSE, RC,
                                               electronic access control devices shall display an                        RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R2.6.                 appropriate use banner on the user screen upon all                        TOP, TSP,         6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               interactive access attempts. The Responsible Entity shall                    NERC
                                               maintain a document identifying the content of the banner.                    See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                               Monitoring Electronic Access — The Responsible Entity                      LSE, RC,
                                               shall implement and document an electronic or manual                      RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R3.                   process(es) for monitoring and logging access at access                   TOP, TSP,         6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               points to the Electronic Security Perimeter(s) twenty-four                   NERC
                                               hours a day, seven days a week.                                               See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                               For dial-up accessible Critical Cyber Assets that use non-
                                                                                                                         RRO, TO,
                                               routable protocols, the Responsible Entity shall implement                                            Semi-
CIP-005-1                R3.1.                                                                                           TOP, TSP,         6                        eff 7/1/2010                                       eff 7/1/2010
                                               and document monitoring process(es) at each access point                                              Annual
                                                                                                                            NERC
                                               to the dial-up device, where technically feasible.
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table




                                                                                                                                                                                                                                                         Page 98 of 235
           Requirements Detail                                                                                                                                                                                                                               2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008           2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual         Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program        Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                               Where technically feasible, the security monitoring
                                                                                                                            GOP, IA,
                                               process(es) shall detect and alert for attempts at or actual
                                                                                                                            LSE, RC,
                                               unauthorized accesses. These alerts shall provide for
                                                                                                                           RRO, TO,
                                               appropriate notification to designated response personnel.                                            Semi-
CIP-005-1                R3.2.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Where alerting is not technically feasible, the Responsible                                           Annual
                                                                                                                              NERC
                                               Entity shall review or otherwise assess access logs for
                                                                                                                               See
                                               attempts at or actual unauthorized accesses at least every
                                                                                                                          Implementa
                                               ninety calendar days.
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               Cyber Vulnerability Assessment — The Responsible Entity                      LSE, RC,
                                               shall perform a cyber vulnerability assessment of the                       RRO, TO,
                                                                                                                                                     Semi-
CIP-005-1                R4.                   electronic access points to the Electronic Security                         TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               Perimeter(s) at least annually. The vulnerability assessment                   NERC
                                               shall include, at a minimum, the following:                                     See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               A document identifying the vulnerability assessment                                                   Semi-
CIP-005-1                R4.1.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               process;                                                                                              Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 99 of 235
           Requirements Detail                                                                                                                                                                                                                               2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               A review to verify that only ports and services required for                                           Semi-
CIP-005-1                R4.2.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               operations at these access points are enabled;                                                         Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               The discovery of all access points to the Electronic Security                                          Semi-
CIP-005-1                R4.3.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Perimeter;                                                                                             Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               A review of controls for default accounts, passwords, and                                              Semi-
CIP-005-1                R4.4.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               network management community strings; and,                                                             Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 100 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                         RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                           1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                   2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                  3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                            4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                            6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                    Registered Entity-Specific Considerations:
                                                                                                                                                      a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                      b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                      * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                               Periodic
                                                                                                                                                                                 Data
                                                                                                                                                                              Submittals
   Reliability
                                                                                                                 Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                                 Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                    Monitored                               Audit               Reporting                            Check
                                                                                                                  Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                              A: Annual
                                                                                                                                                                               X:Region
                                                                                                                                                                              Specified

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Documentation of the results of the assessment, the action                     RRO, TO,
                                                                                                                                                        Semi-
CIP-005-1                R4.5.                 plan to remediate or mitigate vulnerabilities identified in the                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                        Annual
                                               assessment, and the execution status of that action plan.                         NERC
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Documentation Review and Maintenance — The
                                                                                                                              RRO, TO,
                                               Responsible Entity shall review, update, and maintain all                                                Semi-
CIP-005-1                R5.                                                                                                  TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               documentation to support compliance with the requirements                                                Annual
                                                                                                                                 NERC
                                               of Standard CIP-005.
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                               The Responsible Entity shall ensure that all documentation                      LSE, RC,
                                               required by Standard CIP-005 reflect current configurations                    RRO, TO,
                                                                                                                                                        Semi-
CIP-005-1                R5.1.                 and processes and shall review the documents and                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                        Annual
                                               procedures referenced in Standard CIP-005 at least                                NERC
                                               annually.                                                                          See
                                                                                                                             Implementa
                                                                                                                              tion Table




                                                                                                                                                                                                                                                            Page 101 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               The Responsible Entity shall update the documentation to                     RRO, TO,
                                                                                                                                                      Semi-
CIP-005-1                R5.2.                 reflect the modification of the network or controls within                   TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               ninety calendar days of the change.                                             NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               The Responsible Entity shall retain electronic access logs
                                                                                                                            RRO, TO,
                                               for at least ninety calendar days. Logs related to reportable                                          Semi-
CIP-005-1                R5.3.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               incidents shall be kept in accordance with the requirements                                            Annual
                                                                                                                               NERC
                                               of Standard CIP-008.
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               Physical Security Plan — The Responsible Entity shall
                                                                                                                            RRO, TO,
                                               create and maintain a physical security plan, approved by a                                            Semi-
CIP-006-1                R1.                                                                                                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               senior manager or delegate(s) that shall address, at a                                                 Annual
                                                                                                                               NERC
                                               minimum, the following:
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 102 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                               Processes to ensure and document that all Cyber Assets                        GOP, IA,
                                               within an Electronic Security Perimeter also reside within an                 LSE, RC,
                                               identified Physical Security Perimeter. Where a completely                   RRO, TO,
                                                                                                                                                      Semi-
CIP-006-1                R1.1.                 enclosed (―six-wall‖) border cannot be established, the                      TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               Responsible Entity shall deploy and document alternative                        NERC
                                               measures to control physical access to the Critical Cyber                        See
                                               Assets.                                                                     Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               Processes to identify all access points through each                         RRO, TO,
                                                                                                                                                      Semi-
CIP-006-1                R1.2.                 Physical Security Perimeter and measures to control entry at                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               those access points.                                                            NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               Processes, tools, and procedures to monitor physical                                                   Semi-
CIP-006-1                R1.3.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               access to the perimeter(s).                                                                            Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 103 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Procedures for the appropriate use of physical access
                                                                                                                          RRO, TO,
                                               controls as described in Requirement R3 including visitor                                             Semi-
CIP-006-1                R1.4.                                                                                            TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               pass management, response to loss, and prohibition of                                                 Annual
                                                                                                                             NERC
                                               inappropriate use of physical access controls.
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Procedures for reviewing access authorization requests and                 RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R1.5.                 revocation of access authorization, in accordance with CIP-                TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               004 Requirement R4.                                                           NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Procedures for escorted access within the physical security                RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R1.6.                 perimeter of personnel not authorized for unescorted                       TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               access.                                                                       NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                         Page 104 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               Process for updating the physical security plan within ninety
                                                                                                                             LSE, RC,
                                               calendar days of any physical security system redesign or
                                                                                                                            RRO, TO,
                                               reconfiguration, including, but not limited to, addition or                                            Semi-
CIP-006-1                R1.7.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               removal of access points through the physical security                                                 Annual
                                                                                                                               NERC
                                               perimeter, physical access controls, monitoring controls, or
                                                                                                                                See
                                               logging controls.
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                               Cyber Assets used in the access control and monitoring of                     GOP, IA,
                                               the Physical Security Perimeter(s) shall be afforded the                      LSE, RC,
                                               protective measures specified in Standard CIP-003,                           RRO, TO,
                                                                                                                                                      Semi-
CIP-006-1                R1.8.                 Standard CIP-004 Requirement R3, Standard CIP-005                            TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               Requirements R2 and R3, Standard CIP-006 Requirement                            NERC
                                               R2 and R3, Standard CIP-007, Standard CIP-008 and                                See
                                               Standard CIP-009.                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               Process for ensuring that the physical security plan is                                                Semi-
CIP-006-1                R1.9.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               reviewed at least annually.                                                                            Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 105 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                               Physical Access Controls — The Responsible Entity shall
                                                                                                                           LSE, RC,
                                               document and implement the operational and procedural
                                                                                                                          RRO, TO,
                                               controls to manage physical access at all access points to                                            Semi-
CIP-006-1                R2.                                                                                              TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               the Physical Security Perimeter(s) twenty-four hours a day,                                           Annual
                                                                                                                             NERC
                                               seven days a week. The Responsible Entity shall implement
                                                                                                                              See
                                               one or more of the following physical access methods:
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Card Key: A means of electronic access where the access
                                                                                                                          RRO, TO,
                                               rights of the card holder are predefined in a computer                                                Semi-
CIP-006-1                R2.1.                                                                                            TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               database. Access rights may differ from one perimeter to                                              Annual
                                                                                                                             NERC
                                               another.
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               Special Locks: These include, but are not limited to, locks                RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R2.2.                 with ―restricted key‖ systems, magnetic locks that can be                  TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               operated remotely, and ―man-trap‖ systems.                                    NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                         Page 106 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Security Personnel: Personnel responsible for controlling                   RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R2.3.                 physical access who may reside on-site or at a monitoring                   TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               station.                                                                       NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Other Authentication Devices: Biometric, keypad, token, or                  RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R2.4.                 other equivalent devices that control physical access to the                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               Critical Cyber Assets.                                                         NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                               Monitoring Physical Access — The Responsible Entity shall
                                                                                                                            GOP, IA,
                                               document and implement the technical and procedural
                                                                                                                            LSE, RC,
                                               controls for monitoring physical access at all access points
                                                                                                                           RRO, TO,
                                               to the Physical Security Perimeter(s) twenty-four hours a                                             Semi-
CIP-006-1                R3.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               day, seven days a week. Unauthorized access attempts                                                  Annual
                                                                                                                              NERC
                                               shall be reviewed immediately and handled in accordance
                                                                                                                               See
                                               with the procedures specified in Requirement CIP-008. One
                                                                                                                          Implementa
                                               or more of the following monitoring methods shall be used:
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 107 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Alarm Systems: Systems that alarm to indicate a door, gate
                                                                                                                           RRO, TO,
                                               or window has been opened without authorization. These                                                Semi-
CIP-006-1                R3.1.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               alarms must provide for immediate notification to personnel                                           Annual
                                                                                                                              NERC
                                               responsible for response.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Human Observation of Access Points: Monitoring of physical                  RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R3.2.                 access points by authorized personnel as specified in                       TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               Requirement R2.3.                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                               Logging Physical Access — Logging shall record sufficient
                                                                                                                            GOP, IA,
                                               information to uniquely identify individuals and the time of
                                                                                                                            LSE, RC,
                                               access twenty-four hours a day, seven days a week. The
                                                                                                                           RRO, TO,
                                               Responsible Entity shall implement and document the                                                   Semi-
CIP-006-1                R4.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               technical and procedural mechanisms for logging physical                                              Annual
                                                                                                                              NERC
                                               entry at all access points to the Physical Security
                                                                                                                               See
                                               Perimeter(s) using one or more of the following logging
                                                                                                                          Implementa
                                               methods or their equivalent:
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 108 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Computerized Logging: Electronic logs produced by the                       RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R4.1.                 Responsible Entity’s selected access control and monitoring                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               method.                                                                        NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               Video Recording: Electronic capture of video images of                                                Semi-
CIP-006-1                R4.2.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               sufficient quality to determine identity.                                                             Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Manual Logging: A log book or sign-in sheet, or other record
                                                                                                                           RRO, TO,
                                               of physical access maintained by security or other personnel                                          Semi-
CIP-006-1                R4.3.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               authorized to control and monitor physical access as                                                  Annual
                                                                                                                              NERC
                                               specified in Requirement R2.3.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 109 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Access Log Retention — The Responsible Entity shall retain
                                                                                                                           RRO, TO,
                                               physical access logs for at least ninety calendar days. Logs                                          Semi-
CIP-006-1                R5.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               related to reportable incidents shall be kept in accordance                                           Annual
                                                                                                                              NERC
                                               with the requirements of Standard CIP-008.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               Maintenance and Testing — The Responsible Entity shall                       LSE, RC,
                                               implement a maintenance and testing program to ensure                       RRO, TO,
                                                                                                                                                     Semi-
CIP-006-1                R6.                   that all physical security systems under Requirements R2,                   TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               R3, and R4 function properly. The program must include, at                     NERC
                                               a minimum, the following:                                                       See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               Testing and maintenance of all physical security                                                      Semi-
CIP-006-1                R6.1.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               mechanisms on a cycle no longer than three years.                                                     Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 110 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               Retention of testing and maintenance records for the cycle                                            Semi-
CIP-006-1                R6.2.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               determined by the Responsible Entity in Requirement R6.1.                                             Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               Retention of outage records regarding access controls,                                                Semi-
CIP-006-1                R6.3.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               logging, and monitoring for a minimum of one calendar year.                                           Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                               Test Procedures — The Responsible Entity shall ensure that                   BA, GO,
                                               new Cyber Assets and significant changes to existing Cyber                   GOP, IA,
                                               Assets within the Electronic Security Perimeter do not                       LSE, RC,
                                               adversely affect existing cyber security controls. For                      RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                     Semi-
CIP-007-1                R1.                   purposes of Standard CIP-007, a significant change shall, at                TOP, TSP,       6                               X                                                  X                        x              July 1,
                                                                                                                                                     Annual
                                               a minimum, include implementation of security patches,                         NERC                                                                                                                                     2009
                                               cumulative service packs, vendor releases, and version                          See
                                               upgrades of operating systems, applications, database                      Implementa
                                               platforms, or other third-party software or firmware.                       tion Table




                                                                                                                                                                                                                                                           Page 111 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                            Violation                   Risk          Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                            Functions                               Compliance            Exception                             Spot
                                                                      Text of Requirement                     Risk                     Based       Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                               Monitored                                 Audit               Reporting                            Check
                                                                                                             Factor                    Criteria         n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                               The Responsible Entity shall create, implement, and
                                                                                                                         RRO, TO,                                                                                                                                    Beginning
                                               maintain cyber security test procedures in a manner that                                              Semi-
CIP-007-1                R1.1.                                                                                           TOP, TSP,         6                               X                                                  X                        x              July 1,
                                               minimizes adverse effects on the production system or its                                             Annual
                                                                                                                            NERC                                                                                                                                       2009
                                               operation.
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                               The Responsible Entity shall document that testing is                     RRO, TO,                                                                                                                                    Beginning
                                                                                                                                                     Semi-
CIP-007-1                R1.2.                 performed in a manner that reflects the production                        TOP, TSP,         6                               X                                                  X                        x              July 1,
                                                                                                                                                     Annual
                                               environment.                                                                 NERC                                                                                                                                       2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                    Beginning
                                                                                                                                                     Semi-
CIP-007-1                R1.3.                 The Responsible Entity shall document test results.                       TOP, TSP,         6                               X                                                  X                        x              July 1,
                                                                                                                                                     Annual
                                                                                                                            NERC                                                                                                                                       2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table




                                                                                                                                                                                                                                                           Page 112 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               Ports and Services — The Responsible Entity shall establish
                                                                                                                            RRO, TO,
                                               and document a process to ensure that only those ports and                                             Semi-
CIP-007-1                R2.                                                                                                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               services required for normal and emergency operations are                                              Annual
                                                                                                                               NERC
                                               enabled.
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               The Responsible Entity shall enable only those ports and                                               Semi-
CIP-007-1                R2.1.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               services required for normal and emergency operations.                                                 Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               The Responsible Entity shall disable other ports and
                                                                                                                            RRO, TO,
                                               services, including those used for testing purposes, prior to                                          Semi-
CIP-007-1                R2.2.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               production use of all Cyber Assets inside the Electronic                                               Annual
                                                                                                                               NERC
                                               Security Perimeter(s).
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 113 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               In the case where unused ports and services cannot be
                                                                                                                            RRO, TO,
                                               disabled due to technical limitations, the Responsible Entity                                          Semi-
CIP-007-1                R2.3.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               shall document compensating measure(s) applied to                                                      Annual
                                                                                                                               NERC
                                               mitigate risk exposure or an acceptance of risk.
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               Security Patch Management — The Responsible Entity,                           LSE, RC,
                                               either separately or as a component of the documented                        RRO, TO,
                                                                                                                                                      Semi-
CIP-007-1                R3.                   configuration management process specified in CIP-003                        TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               Requirement R6, shall establish and document a security                         NERC
                                               patch management program for tracking.                                           See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               The Responsible Entity shall document the assessment of
                                                                                                                            RRO, TO,
                                               security patches and security upgrades for applicability                                               Semi-
CIP-007-1                R3.1.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               within thirty calendar days of availability of the patches or                                          Annual
                                                                                                                               NERC
                                               upgrades.
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 114 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               The Responsible Entity shall document the implementation                     LSE, RC,
                                               of security patches. In any case where the patch is not                     RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R3.2.                 installed, the Responsible Entity shall document                            TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               compensating measure(s) applied to mitigate risk exposure                      NERC
                                               or an acceptance of risk.                                                       See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               Malicious Software Prevention — The Responsible Entity
                                                                                                                            LSE, RC,
                                               shall use anti-virus software and other malicious software
                                                                                                                           RRO, TO,
                                               (―malware‖) prevention tools, where technically feasible, to                                          Semi-
CIP-007-1                R4.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               detect, prevent, deter, and mitigate the introduction,                                                Annual
                                                                                                                              NERC
                                               exposure, and propagation of malware on all Cyber Assets
                                                                                                                               See
                                               within the Electronic Security Perimeter(s).
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               The Responsible Entity shall document and implement anti-
                                                                                                                            LSE, RC,
                                               virus and malware prevention tools. In the case where anti-
                                                                                                                           RRO, TO,
                                               virus software and malware prevention tools are not                                                   Semi-
CIP-007-1                R4.1.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               installed, the Responsible Entity shall document                                                      Annual
                                                                                                                              NERC
                                               compensating measure(s) applied to mitigate risk exposure
                                                                                                                               See
                                               or an acceptance of risk.
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 115 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                  Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                                  Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                           Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                     Monitored                               Audit               Reporting                            Check
                                                                                                                   Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               The Responsible Entity shall document and implement a
                                                                                                                               RRO, TO,
                                               process for the update of anti-virus and malware prevention                                               Semi-
CIP-007-1                R4.2.                                                                                                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               ―signatures.‖ The process must address testing and                                                        Annual
                                                                                                                                  NERC
                                               installing the signatures.
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                               Account Management — The Responsible Entity shall                                LSE, RC,
                                               establish, implement, and document technical and                                RRO, TO,
                                                                                                                                                         Semi-
CIP-007-1                R5.                   procedural controls that enforce access authentication of,                      TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                         Annual
                                               and accountability for, all user activity, and that minimize the                   NERC
                                               risk of unauthorized system access.                                                 See
                                                                                                                              Implementa
                                                                                                                               tion Table

                                                                                                                                BA, GO,
                                                                                                                                GOP, IA,
                                                                                                                                LSE, RC,
                                               The Responsible Entity shall ensure that individual and
                                                                                                                               RRO, TO,
                                               shared system accounts and authorized access permissions                                                  Semi-
CIP-007-1                R5.1.                                                                                                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               are consistent with the concept of ―need to know‖ with                                                    Annual
                                                                                                                                  NERC
                                               respect to work functions performed.
                                                                                                                                   See
                                                                                                                              Implementa
                                                                                                                               tion Table




                                                                                                                                                                                                                                                             Page 116 of 235
           Requirements Detail                                                                                                                                                                                                                                    2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall ensure that user accounts are                  RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R5.1.1.               implemented as approved by designated personnel. Refer to                   TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               Standard CIP-003 Requirement R5.                                               NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall establish methods, processes,
                                                                                                                           RRO, TO,
                                               and procedures that generate logs of sufficient detail to                                             Semi-
CIP-007-1                R5.1.2.                                                                                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               create historical audit trails of individual user account                                             Annual
                                                                                                                              NERC
                                               access activity for a minimum of ninety days.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall review, at least annually, user
                                                                                                                           RRO, TO,
                                               accounts to verify access privileges are in accordance with                                           Semi-
CIP-007-1                R5.1.3.                                                                                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Standard CIP-003 Requirement R5 and Standard CIP-004                                                  Annual
                                                                                                                              NERC
                                               Requirement R4.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 117 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The Responsible Entity shall implement a policy to minimize
                                                                                                                           RRO, TO,
                                               and manage the scope and acceptable use of administrator,                                             Semi-
CIP-007-1                R5.2.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               shared, and other generic account privileges including                                                Annual
                                                                                                                              NERC
                                               factory default accounts.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               The policy shall include the removal, disabling, or renaming
                                                                                                                           RRO, TO,
                                               of such accounts where possible. For such accounts that                                               Semi-
CIP-007-1                R5.2.1.                                                                                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               must remain enabled, passwords shall be changed prior to                                              Annual
                                                                                                                              NERC
                                               putting any system into service.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               The Responsible Entity shall identify those individuals with                                          Semi-
CIP-007-1                R5.2.2.                                                                                           TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               access to shared accounts.                                                                            Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 118 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                               Where such accounts must be shared, the Responsible                           GOP, IA,
                                               Entity shall have a policy for managing the use of such                       LSE, RC,
                                               accounts that limits access to only those with authorization,                RRO, TO,
                                                                                                                                                      Semi-
CIP-007-1                R5.2.3.               an audit trail of the account use (automated or manual), and                 TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                               steps for securing the account in the event of personnel                        NERC
                                               changes (for example, change in assignment or                                    See
                                               termination).                                                               Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                               At a minimum, the Responsible Entity shall require and use                                             Semi-
CIP-007-1                R5.3.                                                                                              TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               passwords, subject to the following, as technically feasible:                                          Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                                                                                                            RRO, TO,
                                                                                                                                                      Semi-
CIP-007-1                R5.3.1.               Each password shall be a minimum of six characters.                          TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                      Annual
                                                                                                                               NERC
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table




                                                                                                                                                                                                                                                          Page 119 of 235
           Requirements Detail                                                                                                                                                                                                                                 2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                               Each password shall consist of a combination of alpha,                                                Semi-
CIP-007-1                R5.3.2.                                                                                          TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               numeric, and ―special‖ characters.                                                                    Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                               Each password shall be changed at least annually, or more                                             Semi-
CIP-007-1                R5.3.3.                                                                                          TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               frequently based on risk.                                                                             Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                               Security Status Monitoring — The Responsible Entity shall                   LSE, RC,
                                               ensure that all Cyber Assets within the Electronic Security                RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R6.                   Perimeter, as technically feasible, implement automated                    TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               tools or organizational process controls to monitor system                    NERC
                                               events that are related to cyber security.                                     See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                         Page 120 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               The Responsible Entity shall implement and document the
                                                                                                                          RRO, TO,
                                               organizational processes and technical and procedural                                                 Semi-
CIP-007-1                R6.1.                                                                                            TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               mechanisms for monitoring for security events on all Cyber                                            Annual
                                                                                                                             NERC
                                               Assets within the Electronic Security Perimeter.
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                                                                                                          RRO, TO,
                                               The security monitoring controls shall issue automated or                                             Semi-
CIP-007-1                R6.2.                                                                                            TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                               manual alerts for detected Cyber Security Incidents.                                                  Annual
                                                                                                                             NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table

                                                                                                                           BA, GO,
                                                                                                                           GOP, IA,
                                                                                                                           LSE, RC,
                                               The Responsible Entity shall maintain logs of system events                RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R6.3.                 related to cyber security, where technically feasible, to                  TOP, TSP,        6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               support incident response as required in Standard CIP-008.                    NERC
                                                                                                                              See
                                                                                                                         Implementa
                                                                                                                          tion Table




                                                                                                                                                                                                                                                         Page 121 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                            Violation                   Risk          Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                            Functions                               Compliance            Exception                             Spot
                                                                      Text of Requirement                     Risk                     Based       Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                               Monitored                                 Audit               Reporting                            Check
                                                                                                             Factor                    Criteria         n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,
                                               The Responsible Entity shall retain all logs specified in                                             Semi-
CIP-007-1                R6.4.                                                                                           TOP, TSP,         6                        eff 7/1/2010                                       eff 7/1/2010
                                               Requirement R6 for ninety calendar days.                                                              Annual
                                                                                                                            NERC
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                               The Responsible Entity shall review logs of system events                 RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R6.5.                 related to cyber security and maintain records documenting                TOP, TSP,         6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               review of logs.                                                              NERC
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                               Disposal or Redeployment — The Responsible Entity shall                    LSE, RC,
                                               establish formal methods, processes, and procedures for                   RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R7.                   disposal or redeployment of Cyber Assets within the                       TOP, TSP,         6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               Electronic Security Perimeter(s) as identified and                           NERC
                                               documented in Standard CIP-005.                                               See
                                                                                                                        Implementa
                                                                                                                         tion Table




                                                                                                                                                                                                                                                         Page 122 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                      2010 Compliance Monitoring and Enforcement Program
                                                                                                   Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                           RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                             1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                     2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                    3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                              4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                  5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                              6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                      Registered Entity-Specific Considerations:
                                                                                                                                                        a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                        b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                        * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                 Periodic
                                                                                                                                                                                   Data
                                                                                                                                                                                Submittals
   Reliability
                                                                                                                   Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                                   Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                            Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                      Monitored                               Audit               Reporting                            Check
                                                                                                                    Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                                A: Annual
                                                                                                                                                                                 X:Region
                                                                                                                                                                                Specified

                                                                                                                                 BA, GO,
                                                                                                                                 GOP, IA,
                                                                                                                                 LSE, RC,
                                               Prior to the disposal of such assets, the Responsible Entity
                                                                                                                                RRO, TO,
                                               shall destroy or erase the data storage media to prevent                                                   Semi-
CIP-007-1                R7.1.                                                                                                  TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               unauthorized retrieval of sensitive cyber security or reliability                                          Annual
                                                                                                                                   NERC
                                               data.
                                                                                                                                    See
                                                                                                                               Implementa
                                                                                                                                tion Table

                                                                                                                                 BA, GO,
                                                                                                                                 GOP, IA,
                                                                                                                                 LSE, RC,
                                               Prior to redeployment of such assets, the Responsible Entity
                                                                                                                                RRO, TO,
                                               shall, at a minimum, erase the data storage media to                                                       Semi-
CIP-007-1                R7.2.                                                                                                  TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               prevent unauthorized retrieval of sensitive cyber security or                                              Annual
                                                                                                                                   NERC
                                               reliability data.
                                                                                                                                    See
                                                                                                                               Implementa
                                                                                                                                tion Table

                                                                                                                                 BA, GO,
                                                                                                                                 GOP, IA,
                                                                                                                                 LSE, RC,
                                               The Responsible Entity shall maintain records that such                          RRO, TO,
                                                                                                                                                          Semi-
CIP-007-1                R7.3.                 assets were disposed of or redeployed in accordance with                         TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                          Annual
                                               documented procedures.                                                              NERC
                                                                                                                                    See
                                                                                                                               Implementa
                                                                                                                                tion Table




                                                                                                                                                                                                                                                              Page 123 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                               Cyber Vulnerability Assessment — The Responsible Entity                      LSE, RC,
                                               shall perform a cyber vulnerability assessment of all Cyber                 RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R8.                   Assets within the Electronic Security Perimeter at least                    TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               annually. The vulnerability assessment shall include, at a                     NERC
                                               minimum, the following:                                                         See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,
                                               A document identifying the vulnerability assessment                                                   Semi-
CIP-007-1                R8.1.                                                                                             TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               process;                                                                                              Annual
                                                                                                                              NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               A review to verify that only ports and services required for                RRO, TO,
                                                                                                                                                     Semi-
CIP-007-1                R8.2.                 operation of the Cyber Assets within the Electronic Security                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                     Annual
                                               Perimeter are enabled;                                                         NERC
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                         Page 124 of 235
           Requirements Detail                                                                                                                                                                                                                                2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                         RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                           1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                   2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                  3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                            4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                            6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                    Registered Entity-Specific Considerations:
                                                                                                                                                      a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                      b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                      * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                               Periodic
                                                                                                                                                                                 Data
                                                                                                                                                                              Submittals
   Reliability
                                                                                                                 Violation                  Risk         Self                    - M:                                                          2007      2008            2009
   Standard                      Requirement                                                                                 Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual          Annual
    (FERC                          Number                                                                                    Monitored                               Audit               Reporting                            Check
                                                                                                                  Factor                   Criteria        n                   Quarterly                                                     Program   Program         Program
   Approved)
                                                                                                                                                                              A: Annual
                                                                                                                                                                               X:Region
                                                                                                                                                                              Specified

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                                                                                                              RRO, TO,
                                                                                                                                                        Semi-
CIP-007-1                R8.3.                 A review of controls for default accounts; and,                                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                        Annual
                                                                                                                                 NERC
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Documentation of the results of the assessment, the action                     RRO, TO,
                                                                                                                                                        Semi-
CIP-007-1                R8.4.                 plan to remediate or mitigate vulnerabilities identified in the                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                                                                                                                                        Annual
                                               assessment, and the execution status of that action plan.                         NERC
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                               Documentation Review and Maintenance — The
                                                                                                                               LSE, RC,
                                               Responsible Entity shall review and update the
                                                                                                                              RRO, TO,
                                               documentation specified in Standard CIP-007 at least                                                     Semi-
CIP-007-1                R9.                                                                                                  TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               annually. Changes resulting from modifications to the                                                    Annual
                                                                                                                                 NERC
                                               systems or controls shall be documented within ninety
                                                                                                                                  See
                                               calendar days of the change.
                                                                                                                             Implementa
                                                                                                                              tion Table




                                                                                                                                                                                                                                                            Page 125 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Cyber Security Incident Response Plan — The Responsible
                                                                                                                           RRO, TO,                                                                                                                                  Beginning
                                               Entity shall develop and maintain a Cyber Security Incident                                           Semi-
CIP-008-1                R1.                                                                                               TOP, TSP,       6                               X                                                  X                        x              July 1,
                                               response plan. The Cyber Security Incident Response plan                                              Annual
                                                                                                                              NERC                                                                                                                                     2009
                                               shall address, at a minimum, the following:
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                                                                                                           RRO, TO,                                                                                                                                  Beginning
                                               Procedures to characterize and classify events as reportable                                          Semi-
CIP-008-1                R1.1.                                                                                             TOP, TSP,       6                               X                                                  X                        x              July 1,
                                               Cyber Security Incidents.                                                                             Annual
                                                                                                                              NERC                                                                                                                                     2009
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Response actions, including roles and responsibilities of                   RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                     Semi-
CIP-008-1                R1.2.                 incident response teams, incident handling procedures, and                  TOP, TSP,       6                               X                                                  X                        x              July 1,
                                                                                                                                                     Annual
                                               communication plans.                                                           NERC                                                                                                                                     2009
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                           Page 126 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                            Violation                   Risk          Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                            Functions                               Compliance            Exception                             Spot
                                                                      Text of Requirement                     Risk                     Based       Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                               Monitored                                 Audit               Reporting                            Check
                                                                                                             Factor                    Criteria         n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                               Process for reporting Cyber Security Incidents to the                      LSE, RC,
                                               Electricity Sector Information Sharing and Analysis Center                RRO, TO,                                                                                                                                    Beginning
                                                                                                                                                     Semi-
CIP-008-1                R1.3.                 (ES ISAC). The Responsible Entity must ensure that all                    TOP, TSP,         6                               X                                                  X                        x              July 1,
                                                                                                                                                     Annual
                                               reportable Cyber Security Incidents are reported to the ES                   NERC                                                                                                                                       2009
                                               ISAC either directly or through an intermediary.                              See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                    Beginning
                                               Process for updating the Cyber Security Incident response                                             Semi-
CIP-008-1                R1.4.                                                                                           TOP, TSP,         6                               X                                                  X                        x              July 1,
                                               plan within ninety calendar days of any changes.                                                      Annual
                                                                                                                            NERC                                                                                                                                       2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table

                                                                                                                          BA, GO,
                                                                                                                          GOP, IA,
                                                                                                                          LSE, RC,
                                                                                                                         RRO, TO,                                                                                                                                    Beginning
                                               Process for ensuring that the Cyber Security Incident                                                 Semi-
CIP-008-1                R1.5.                                                                                           TOP, TSP,         6                               X                                                  X                        x              July 1,
                                               response plan is reviewed at least annually.                                                          Annual
                                                                                                                            NERC                                                                                                                                       2009
                                                                                                                             See
                                                                                                                        Implementa
                                                                                                                         tion Table




                                                                                                                                                                                                                                                           Page 127 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                  Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                   Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Process for ensuring the Cyber Security Incident response
                                                                                                                           RRO, TO,                                                                                                                                  Beginning
                                               plan is tested at least annually. A test of the incident                                              Semi-
CIP-008-1                R1.6.                                                                                             TOP, TSP,       6                               X                                                  X                        x              July 1,
                                               response plan can range from a paper drill, to a full                                                 Annual
                                                                                                                              NERC                                                                                                                                     2009
                                               operational exercise, to the response to an actual incident.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Cyber Security Incident Documentation — The Responsible
                                                                                                                           RRO, TO,
                                               Entity shall keep relevant documentation related to Cyber                                             Semi-
CIP-008-1                R2.                                                                                               TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Security Incidents reportable per Requirement R1.1 for three                                          Annual
                                                                                                                              NERC
                                               calendar years.
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table

                                                                                                                            BA, GO,
                                                                                                                            GOP, IA,
                                                                                                                            LSE, RC,
                                               Recovery Plans — The Responsible Entity shall create and
                                                                                                                           RRO, TO,                                                                                                                                  Beginning
                                               annually review recovery plan(s) for Critical Cyber Assets.                                           Semi-
CIP-009-1                R1.                                                                                               TOP, TSP,       6                               X                                                  X                        x              July 1,
                                               The recovery plan(s) shall address at a minimum the                                                   Annual
                                                                                                                              NERC                                                                                                                                     2009
                                               following:
                                                                                                                               See
                                                                                                                          Implementa
                                                                                                                           tion Table




                                                                                                                                                                                                                                                           Page 128 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                         RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                           1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                   2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                  3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                            4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                            6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                    Registered Entity-Specific Considerations:
                                                                                                                                                      a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                      b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                      * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                               Periodic
                                                                                                                                                                                 Data
                                                                                                                                                                              Submittals
   Reliability
                                                                                                                 Violation                  Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                                 Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                    Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                    Monitored                               Audit               Reporting                            Check
                                                                                                                  Factor                   Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                              A: Annual
                                                                                                                                                                               X:Region
                                                                                                                                                                              Specified

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Specify the required actions in response to events or                          RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                        Semi-
CIP-009-1                R1.1.                 conditions of varying duration and severity that would                         TOP, TSP,       6                               X                                                  X                        x              July 1,
                                                                                                                                                        Annual
                                               activate the recovery plan(s).                                                    NERC                                                                                                                                     2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                                                                                                              RRO, TO,                                                                                                                                  Beginning
                                                                                                                                                        Semi-
CIP-009-1                R1.2.                 Define the roles and responsibilities of responders.                           TOP, TSP,       6                               X                                                  X                        x              July 1,
                                                                                                                                                        Annual
                                                                                                                                 NERC                                                                                                                                     2009
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table

                                                                                                                               BA, GO,
                                                                                                                               GOP, IA,
                                                                                                                               LSE, RC,
                                               Exercises — The recovery plan(s) shall be exercised at least
                                                                                                                              RRO, TO,                                                                                                                                  Beginning
                                               annually. An exercise of the recovery plan(s) can range from                                             Semi-
CIP-009-1                R2.                                                                                                  TOP, TSP,       6                               X                                                  X                        x              July 1,
                                               a paper drill, to a full operational exercise, to recovery from                                          Annual
                                                                                                                                 NERC                                                                                                                                     2009
                                               an actual incident.
                                                                                                                                  See
                                                                                                                             Implementa
                                                                                                                              tion Table




                                                                                                                                                                                                                                                              Page 129 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                               Violation                  Risk         Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                               Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                    Based      Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                  Monitored                               Audit               Reporting                            Check
                                                                                                                Factor                   Criteria        n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               Change Control — Recovery plan(s) shall be updated to
                                                                                                                             LSE, RC,
                                               reflect any changes or lessons learned as a result of an
                                                                                                                            RRO, TO,
                                               exercise or the recovery from an actual incident. Updates                                              Semi-
CIP-009-1                R3.                                                                                                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               shall be communicated to personnel responsible for the                                                 Annual
                                                                                                                               NERC
                                               activation and implementation of the recovery plan(s) within
                                                                                                                                See
                                               ninety calendar days of the change.
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                               Backup and Restore — The recovery plan(s) shall include
                                                                                                                             LSE, RC,
                                               processes and procedures for the backup and storage of
                                                                                                                            RRO, TO,
                                               information required to successfully restore Critical Cyber                                            Semi-
CIP-009-1                R4.                                                                                                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               Assets. For example, backups may include spare electronic                                              Annual
                                                                                                                               NERC
                                               components or equipment, written documentation of
                                                                                                                                See
                                               configuration settings, tape backup, etc.
                                                                                                                           Implementa
                                                                                                                            tion Table

                                                                                                                             BA, GO,
                                                                                                                             GOP, IA,
                                                                                                                             LSE, RC,
                                               Testing Backup Media — Information essential to recovery
                                                                                                                            RRO, TO,
                                               that is stored on backup media shall be tested at least                                                Semi-
CIP-009-1                R5.                                                                                                TOP, TSP,       6                        eff 7/1/2010                                       eff 7/1/2010
                                               annually to ensure that the information is available. Testing                                          Annual
                                                                                                                               NERC
                                               can be completed off site.
                                                                                                                                See
                                                                                                                           Implementa
                                                                                                                            tion Table
                                               EMERGENCY PREPAREDNESS AND OPERATIONS
                                               Balancing Authorities shall have operating agreements with
                                               adjacent Balancing Authorities that shall, at a minimum,
EOP-001-0                R1.                   contain provisions for emergency assistance, including           HIGH           BA           1              X                X                                                                     x      x                     X
                                               provisions to obtain emergency assistance from remote
                                               Balancing Authorities.

                                                                                                                                                                                                                                                             Page 130 of 235
           Requirements Detail                                                                                                                                                                                                                                    2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                              Violation                 Risk          Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                              Functions                             Compliance            Exception                             Spot
                                                                      Text of Requirement                       Risk                   Based       Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                 Monitored                               Audit               Reporting                            Check
                                                                                                               Factor                  Criteria         n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The Transmission Operator shall have an emergency load
                                               reduction plan for all identified IROLs. The plan shall
                                               include the details on how the Transmission Operator will
EOP-001-0                R2.                   implement load reduction in sufficient amount and time to      MEDIUM        TOP                                                                                                                  x      x                     X
                                               mitigate the IROL violation before system separation or
                                               collapse would occur. The load reduction plan must be
                                               capable of being implemented within 30 minutes.

EOP-001-0                R3.                   Each Transmission Operator and Balancing Authority shall:      MEDIUM      BA, TOP                                                                                                                x      x                     X

                                               Develop, maintain, and implement a set of plans to mitigate
EOP-001-0                R3.1.                                                                                MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               operating emergencies for insufficient generating capacity.

                                               Develop, maintain, and implement a set of plans to mitigate
EOP-001-0                R3.2.                                                                                MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               operating emergencies on the transmission system.
                                               Develop, maintain, and implement a set of plans for load
EOP-001-0                R3.3.                                                                                MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               shedding.
                                               Develop, maintain, and implement a set of plans for system
EOP-001-0                R3.4.                                                                                MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               restoration.
                                               Each Transmission Operator and Balancing Authority shall
                                               have emergency plans that will enable it to mitigate
EOP-001-0                R4.                   operating emergencies. At a minimum, Transmission              MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               Operator and Balancing Authority emergency plans shall
                                               include:
EOP-001-0                R4.1.                 Communications protocols to be used during emergencies.        MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               A list of controlling actions to resolve the emergency. Load
                                               reduction, in sufficient quantity to resolve the emergency
EOP-001-0                R4.2.                                                                                MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               within NERC-established timelines, shall be one of the
                                               controlling actions.
                                               The tasks to be coordinated with and among adjacent
EOP-001-0                R4.3.                                                                                MEDIUM      BA, TOP                                                                                                                x      x                     X
                                               Transmission Operators and Balancing Authorities.
EOP-001-0                R4.4.                 Staffing levels for the emergency.                             MEDIUM      BA, TOP                                                                                                                x      x                     X



                                                                                                                                                                                                                                                            Page 131 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                                 Violation                Risk         Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                                 Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                    Monitored                             Audit               Reporting                            Check
                                                                                                                  Factor                 Criteria        n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                               Each Transmission Operator and Balancing Authority shall
EOP-001-0                R5.                   include the applicable elements in Attachment 1-EOP-001-0         MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               when developing an emergency plan.
                                               The Transmission Operator and Balancing Authority shall
                                               annually review and update each emergency plan. The
                                               Transmission Operator and Balancing Authority shall
EOP-001-0                R6.                                                                                     MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               provide a copy of its updated emergency plans to its
                                               Reliability Coordinator and to neighboring Transmission
                                               Operators and Balancing Authorities.

                                               The Transmission Operator and Balancing Authority shall
                                               coordinate its emergency plans with other Transmission
EOP-001-0                R7.                                                                                     MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               Operators and Balancing Authorities as appropriate. This
                                               coordination includes the following steps, as applicable:
                                               The Transmission Operator and Balancing Authority shall
EOP-001-0                R7.1.                 establish and maintain reliable communications between            MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               interconnected systems.
                                               The Transmission Operator and Balancing Authority shall
                                               arrange new interchange agreements to provide for
EOP-001-0                R7.2.                                                                                   MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               emergency capacity or energy transfers if existing
                                               agreements cannot be used.
                                               The Transmission Operator and Balancing Authority shall
                                               coordinate transmission and generator maintenance
EOP-001-0                R7.3.                                                                                   MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               schedules to maximize capacity or conserve the fuel in short
                                               supply. (This includes water for hydro generators.)
                                               The Transmission Operator and Balancing Authority shall
EOP-001-0                R7.4.                 arrange deliveries of electrical energy or fuel from remote       MEDIUM      BA, TOP                                                                                                              x      x                     X
                                               systems through normal operating channels.
                                               Each Balancing Authority and Reliability Coordinator shall
                                               have the responsibility and clear decision-making authority
EOP-002-2.1              R1.                   to take whatever actions are needed to ensure the reliability      HIGH        BA, RC       1,3             X                X                                                                            x                     X
                                               of its respective area and shall exercise specific authority to
                                               alleviate capacity and energy emergencies.


                                                                                                                                                                                                                                                             Page 132 of 235
           Requirements Detail                                                                                                                                                                                                                                    2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                               Violation                Risk          Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                               Functions                            Compliance            Exception                             Spot
                                                                      Text of Requirement                        Risk                  Based       Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                  Monitored                              Audit               Reporting                            Check
                                                                                                                Factor                 Criteria         n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               Each Balancing Authority shall implement its capacity and
EOP-002-2.1              R2.                   energy emergency plan, when required and as appropriate,         HIGH          BA           1              X                X                                                                           x                     X
                                               to reduce risks to the interconnected system.
                                               A Balancing Authority that is experiencing an operating
                                               capacity or energy emergency shall communicate its current
EOP-002-2.1              R3.                                                                                    HIGH          BA           1              X                X                                                                           x                     X
                                               and future system conditions to its Reliability Coordinator
                                               and neighboring Balancing Authorities.
                                               A Balancing Authority anticipating an operating capacity or
                                               energy emergency shall perform all actions necessary
EOP-002-2.1              R4.                   including bringing on all available generation, postponing       HIGH          BA           1              X                X                                                                           x                     X
                                               equipment maintenance, scheduling interchange purchases
                                               in advance, and being prepared to reduce firm load.

                                               A deficient Balancing Authority shall only use the assistance
                                               provided by the Interconnection’s frequency bias for the time
                                               needed to implement corrective actions. The Balancing
                                               Authority shall not unilaterally adjust generation in an
EOP-002-2.1              R5.                                                                                    HIGH          BA           1              X                X                                                                           x                     X
                                               attempt to return Interconnection frequency to normal
                                               beyond that supplied through frequency bias action and
                                               Interchange Schedule changes. Such unilateral adjustment
                                               may overload transmission facilities.

                                               If the Balancing Authority cannot comply with the Control
                                               Performance and Disturbance Control Standards, then it
EOP-002-2.1              R6.                                                                                    HIGH          BA           1              X                X                                                                           x                     X
                                               shall immediately implement remedies to do so. These
                                               remedies include, but are not limited to:
EOP-002-2.1              R6.1.                 Loading all available generating capacity.                       HIGH          BA           1              X                X                                                                           x                     X
EOP-002-2.1              R6.2.                 Deploying all available operating reserve.                       HIGH          BA           1              X                X                                                                           x                     X
EOP-002-2.1              R6.3.                 Interrupting interruptible load and exports.                     HIGH          BA           1              X                X                                                                           x                     X
                                               Requesting emergency assistance from other Balancing
EOP-002-2.1              R6.4.                                                                                  HIGH          BA           1              X                X                                                                           x                     X
                                               Authorities.
                                               Declaring an Energy Emergency through its Reliability
EOP-002-2.1              R6.5.                                                                                  HIGH          BA           1              X                X                                                                           x                     X
                                               Coordinator; and


                                                                                                                                                                                                                                                           Page 133 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                       RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                         1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                 2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                          4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                              5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                          6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                  Registered Entity-Specific Considerations:
                                                                                                                                                    a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                    b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                    * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                             Periodic
                                                                                                                                                                               Data
                                                                                                                                                                            Submittals
   Reliability
                                                                                                                 Violation                Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                                 Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                          Risk                  Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                    Monitored                             Audit               Reporting                            Check
                                                                                                                  Factor                 Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                            A: Annual
                                                                                                                                                                             X:Region
                                                                                                                                                                            Specified

                                               Reducing load, through procedures such as public appeals,
EOP-002-2.1              R6.6.                 voltage reductions, curtailing interruptible loads and firm        HIGH          BA          1              X                X                                                                           x                     X
                                               loads.
                                               Once the Balancing Authority has exhausted the steps listed
                                               in Requirement 6, or if these steps cannot be completed in
EOP-002-2.1              R7.                                                                                      HIGH          BA          1              X                X                                                                           x                     X
                                               sufficient time to resolve the emergency condition, the
                                               Balancing Authority shall:
                                               Manually shed firm load without delay to return its ACE to
EOP-002-2.1              R7.1.                                                                                    HIGH          BA          1              X                X                                                                           x                     X
                                               zero; and
                                               Request the Reliability Coordinator to declare an Energy
EOP-002-2.1              R7.2.                 Emergency Alert in accordance with Attachment 1-EOP-002-           HIGH          BA          1              X                X                                                                           x                     X
                                               0 ―Energy Emergency Alert Levels.‖

                                               A Reliability Coordinator that has any Balancing Authority
                                               within its Reliability Coordinator area experiencing a
                                               potential or actual Energy Emergency shall initiate an
EOP-002-2.1              R8.                   Energy Emergency Alert as detailed in Attachment 1-EOP-            HIGH          RC          1              X                X                                                                           x                     X
                                               002-0 ―Energy Emergency Alert Levels.‖ The Reliability
                                               Coordinator shall act to mitigate the emergency condition,
                                               including a request for emergency assistance if required.

                                               When a Transmission Service Provider expects to elevate
                                               the transmission service priority of an Interchange
                                               Transaction from Priority 6 (Network Integration
                                               Transmission Service from Non-designated Resources) to
EOP-002-2.1              R9.                   Priority 7 (Network Integration Transmission Service from          HIGH       LSE, RC        1              X                X                                                                           x                     X
                                               designated Network Resources) as permitted in its
                                               transmission tariff (See Attachment 1-IRO-006-0
                                               ―Transmission Loading Relief Procedure‖ for explanation of
                                               Transmission Service Priorities):

                                               The deficient Load-Serving Entity shall request its Reliability
EOP-002-2.1              R9.1.                 Coordinator to initiate an Energy Emergency Alert in               HIGH         LSE          1              X                X                                                                           x                     X
                                               accordance with Attachment 1-EOP-002-0.



                                                                                                                                                                                                                                                            Page 134 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                             Violation                  Risk          Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                             Functions                              Compliance            Exception                             Spot
                                                                      Text of Requirement                      Risk                    Based       Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                Monitored                                Audit               Reporting                            Check
                                                                                                              Factor                   Criteria         n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The Reliability Coordinator shall submit the report to NERC
EOP-002-2.1              R9.2.                 for posting on the NERC Website, noting the expected total     HIGH          RC             1              X                X                                  X                                         x                     X
                                               MW that may have its transmission service priority changed.
                                               The Reliability Coordinator shall use EEA 1 to forecast the
                                               change of the priority of transmission service of an
EOP-002-2.1              R9.3.                                                                               LOWER          RC                                                                                X                                         x
                                               Interchange Transaction on the system from Priority 6 to
                                               Priority 7.
                                               The Reliability Coordinator shall use EEA 2 to announce the
                                               change of the priority of transmission service of an
EOP-002-2.1              R9.4.                                                                               LOWER          RC                                                                                X                                         x
                                               Interchange Transaction on the system from Priority 6 to
                                               Priority 7.
                                               After taking all other remedial steps, a Transmission
                                               Operator or Balancing Authority operating with insufficient
EOP-003-1                R1.                   generation or transmission capacity shall shed customer        HIGH        BA, TOP          1              X                X                                                                     x      x                     X
                                               load rather than risk an uncontrolled failure of components
                                               or cascading outages of the Interconnection.
                                               Each Transmission Operator and Balancing Authority shall
EOP-003-1                R2.                   establish plans for automatic load shedding for                HIGH        BA, TOP          1              X                X                                                                     x      x                     X
                                               underfrequency or undervoltage conditions.
                                               Each Transmission Operator and Balancing Authority shall
EOP-003-1                R3.                   coordinate load shedding plans among other interconnected      HIGH        BA, TOP          1              X                X                                                                     x      x                     X
                                               Transmission Operators and Balancing Authorities.
                                               A Transmission Operator or Balancing Authority shall
                                               consider one or more of these factors in designing an
EOP-003-1                R4.                   automatic load shedding scheme: frequency, rate of             HIGH        BA, TOP          1              X                X                                                                     x      x                     X
                                               frequency decay, voltage level, rate of voltage decay, or
                                               power flow levels.
                                               A Transmission Operator or Balancing Authority shall
                                               implement load shedding in steps established to minimize
EOP-003-1                R5.                                                                                  HIGH        BA, TOP          1              X                X                                                                     x      x                     X
                                               the risk of further uncontrolled separation, loss of
                                               generation, or system shutdown.



                                                                                                                                                                                                                                                            Page 135 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               After a Transmission Operator or Balancing Authority Area
                                               separates from the Interconnection, if there is insufficient
EOP-003-1                R6.                   generating capacity to restore system frequency following         HIGH       BA, TOP        1              X                X                                                                     x      x                     X
                                               automatic underfrequency load shedding, the Transmission
                                               Operator or Balancing Authority shall shed additional load.
                                               The Transmission Operator and Balancing Authority shall
                                               coordinate automatic load shedding throughout their areas
                                               with underfrequency isolation of generating units, tripping of
EOP-003-1                R7.                                                                                     HIGH       BA, TOP        1              X                X                                                                     x      x                     X
                                               shunt capacitors, and other automatic actions that will occur
                                               under abnormal frequency, voltage, or power flow
                                               conditions.
                                               Each Transmission Operator or Balancing Authority shall
                                               have plans for operator-controlled manual load shedding to
                                               respond to real-time emergencies. The Transmission
EOP-003-1                R8.                                                                                     HIGH       BA, TOP        1              X                X                                                                     x      x                     X
                                               Operator or Balancing Authority shall be capable of
                                               implementing the load shedding in a timeframe adequate for
                                               responding to the emergency.
                                               Each Regional Reliability Organization shall establish and
EOP-004-1                R1.                   maintain a Regional reporting procedure to facilitate            LOWER         RRO                                                                                                                       x
                                               preparation of preliminary and final disturbance reports.
                                               A Reliability Coordinator, Balancing Authority, Transmission
                                                                                                                            BA, GOP,
                                               Operator, Generator Operator or Load-Serving Entity shall
EOP-004-1                R2.                                                                                    MEDIUM      LSE, RC,                                                                                                                    x
                                               promptly analyze Bulk Electric System disturbances on its
                                                                                                                              TOP
                                               system or facilities.
                                               A Reliability Coordinator, Balancing Authority, Transmission
                                               Operator, Generator Operator or Load-Serving Entity                          BA, GOP,
EOP-004-1                R3.                   experiencing a reportable incident shall provide a               LOWER       LSE, RC,                                                                          X                                         x
                                               preliminary written report to its Regional Reliability                         TOP
                                               Organization and NERC.




                                                                                                                                                                                                                                                            Page 136 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The affected Reliability Coordinator, Balancing Authority,
                                               Transmission Operator, Generator Operator or Load-Serving
                                               Entity shall submit within 24 hours of the disturbance or
                                               unusual occurrence either a copy of the report submitted to                  BA, GOP,
EOP-004-1                R3.1.                 DOE, or, if no DOE report is required, a copy of the NERC        LOWER       LSE, RC,                                                                          X                                        x
                                               Interconnection Reliability Operating Limit and Preliminary                    TOP
                                               Disturbance Report form. Events that are not identified until
                                               some time after they occur shall be reported within 24 hours
                                               of being recognized.

                                                                                                                            BA, GOP,
                                               Applicable reporting forms are provided in Attachments 022-
EOP-004-1                R3.2.                                                                                  <blank>     LSE, RC,                                                                                                                   x
                                               1 and 022-2.
                                                                                                                              TOP

                                               Under certain adverse conditions, e.g., severe weather, it
                                               may not be possible to assess the damage caused by a
                                               disturbance and issue a written Interconnection Reliability
                                               Operating Limit and Preliminary Disturbance Report within
                                               24 hours. In such cases, the affected Reliability
                                               Coordinator, Balancing Authority, Transmission Operator,
                                                                                                                            BA, GOP,
                                               Generator Operator, or Load-Serving Entity shall promptly
EOP-004-1                R3.3.                                                                                  LOWER       LSE, RC,                                                                          X                                        x
                                               notify its Regional Reliability Organization(s) and NERC, and
                                                                                                                              TOP
                                               verbally provide as much information as is available at that
                                               time. The affected Reliability Coordinator, Balancing
                                               Authority, Transmission Operator, Generator Operator, or
                                               Load-Serving Entity shall then provide timely, periodic verbal
                                               updates until adequate information is available to issue a
                                               written Preliminary Disturbance Report.




                                                                                                                                                                                                                                                           Page 137 of 235
           Requirements Detail                                                                                                                                                                                                                                  2/22/2010
                                                                                      2010 Compliance Monitoring and Enforcement Program
                                                                                                   Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                         RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                           1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                   2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                  3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                            4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                            6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                    Registered Entity-Specific Considerations:
                                                                                                                                                      a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                      b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                      * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                               Periodic
                                                                                                                                                                                 Data
                                                                                                                                                                              Submittals
   Reliability
                                                                                                                   Violation                Risk         Self                    - M:                                                          2007      2008              2009
   Standard                      Requirement                                                                                   Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                            Risk                  Based      Certificatio            Monthly Q:                                                      Annual    Annual            Annual
    (FERC                          Number                                                                                      Monitored                             Audit               Reporting                            Check
                                                                                                                    Factor                 Criteria        n                   Quarterly                                                     Program   Program           Program
   Approved)
                                                                                                                                                                              A: Annual
                                                                                                                                                                               X:Region
                                                                                                                                                                              Specified

                                               If, in the judgment of the Regional Reliability Organization,
                                               after consultation with the Reliability Coordinator, Balancing
                                               Authority, Transmission Operator, Generator Operator, or
                                               Load-Serving Entity in which a disturbance occurred, a final
                                               report is required, the affected Reliability Coordinator,
                                                                                                                               BA, GOP,
                                               Balancing Authority, Transmission Operator, Generator
EOP-004-1                R3.4.                                                                                     LOWER       LSE, RC,                                                                                                                   x
                                               Operator, or Load-Serving Entity shall prepare this report
                                                                                                                                 TOP
                                               within 60 days. As a minimum, the final report shall have a
                                               discussion of the events and its cause, the conclusions
                                               reached, and recommendations to prevent recurrence of
                                               this type of event. The report shall be subject to Regional
                                               Reliability Organization approval.

                                               When a Bulk Electric System disturbance occurs, the
                                               Regional Reliability Organization shall make its
                                               representatives on the NERC Operating Committee and
                                               Disturbance Analysis Working Group available to the
EOP-004-1                R4.                   affected Reliability Coordinator, Balancing Authority,              LOWER         RRO                                                                             X                                        x
                                               Transmission Operator, Generator Operator, or Load-
                                               Serving Entity immediately affected by the disturbance for
                                               the purpose of providing any needed assistance in the
                                               investigation and to assist in the preparation of a final report.

                                               The Regional Reliability Organization shall track and review
                                               the status of all final report recommendations at least twice
                                               each year to ensure they are being acted upon in a timely
                                               manner. If any recommendation has not been acted on
                                               within two years, or if Regional Reliability Organization
                                               tracking and review indicates at any time that any
EOP-004-1                R5.                                                                                       LOWER         RRO                                                                             X                                        x
                                               recommendation is not being acted on with sufficient
                                               diligence, the Regional Reliability Organization shall notify
                                               the NERC Planning Committee and Operating Committee of
                                               the status of the recommendation(s) and the steps the
                                               Regional Reliability Organization has taken to accelerate
                                               implementation.


                                                                                                                                                                                                                                                              Page 138 of 235
           Requirements Detail                                                                                                                                                                                                                                     2/22/2010
                                                                                      2010 Compliance Monitoring and Enforcement Program
                                                                                                   Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                          RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                            1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                    2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                                   3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                             4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                                 5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                             6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                     Registered Entity-Specific Considerations:
                                                                                                                                                       a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                       b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                       * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                                Periodic
                                                                                                                                                                                  Data
                                                                                                                                                                               Submittals
   Reliability
                                                                                                                    Violation                Risk         Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                                    Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                             Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                       Monitored                             Audit               Reporting                            Check
                                                                                                                     Factor                 Criteria        n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                               A: Annual
                                                                                                                                                                                X:Region
                                                                                                                                                                               Specified

                                               Each Transmission Operator shall have a restoration plan to
                                               reestablish its electric system in a stable and orderly manner
                                               in the event of a partial or total shutdown of its system,
                                               including necessary operating instructions and procedures
EOP-005-1                R1.                                                                                        MEDIUM      BA, TOP       1,2             X                X                                                                     x      x                     X
                                               to cover emergency conditions, and the loss of vital
                                               telecommunications channels. Each Transmission Operator
                                               shall include the applicable elements listed in Attachment 1-
                                               EOP-005 in developing a restoration plan.

                                               Each Transmission Operator shall review and update its
                                               restoration plan at least annually and whenever it makes
EOP-005-1                R2.                   changes in the power system network, and shall correct               MEDIUM        TOP          2              X                X                                                                     x      x                     X
                                               deficiencies found during the simulated restoration
                                               exercises.
                                               Each Transmission Operator shall develop restoration plans
EOP-005-1                R3.                                                                                        MEDIUM        TOP          2              X                X                                                                     x      x                     X
                                               with a priority of restoring the integrity of the Interconnection.

                                               Each Transmission Operator shall coordinate its restoration
                                               plans with the Generator Owners and Balancing Authorities
EOP-005-1                R4.                                                                                        MEDIUM        TOP          2              X                X                                                                     x      x                     X
                                               within its area, its Reliability Coordinator, and neighboring
                                               Transmission Operators and Balancing Authorities.
                                               Each Transmission Operator and Balancing Authority shall
EOP-005-1                R5.                   periodically test its telecommunication facilities needed to         MEDIUM      BA, TOP        2              X                X                                                                     x      x                     X
                                               implement the restoration plan.
                                               Each Transmission Operator and Balancing Authority shall
                                               train its operating personnel in the implementation of the
EOP-005-1                R6.                                                                                         HIGH       BA, TOP       1,2             X                X                                                                     x      x                     X
                                               restoration plan. Such training shall include simulated
                                               exercises, if practicable.
                                               Each Transmission Operator and Balancing Authority shall
EOP-005-1                R7.                   verify the restoration procedure by actual testing or by              HIGH       BA, TOP       1,2             X                X                                                                     x      x                     X
                                               simulation.
                                               Each Transmission Operator shall verify that the number,
                                               size, availability, and location of system blackstart
EOP-005-1                R8.                   generating units are sufficient to meet Regional Reliability          HIGH         TOP         1,2                                                                                                    x      x                     X
                                               Organization restoration plan requirements for the
                                               Transmission Operator’s area.
                                                                                                                                                                                                                                                                Page 139 of 235
           Requirements Detail                                                                                                                                                                                                                                       2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The Transmission Operator shall document the Cranking
                                               Paths, including initial switching requirements, between
                                               each blackstart generating unit and the unit(s) to be started
EOP-005-1                R9.                                                                                    MEDIUM        TOP          2              X                X                                                                     x      x                     X
                                               and shall provide this documentation for review by the
                                               Regional Reliability Organization upon request. Such
                                               documentation may include Cranking Path diagrams.
                                               The Transmission Operator shall demonstrate, through
                                               simulation or testing, that the blackstart generating units in
EOP-005-1                R10.                                                                                   MEDIUM        TOP          2                                                                                                     x      x                     X
                                               its restoration plan can perform their intended functions as
                                               required in the regional restoration plan.
                                               The Transmission Operator shall perform this simulation or
EOP-005-1                R10.1.                                                                                 MEDIUM        TOP                                                                                                                x      x                     X
                                               testing at least once every five years.
                                               Following a disturbance in which one or more areas of the
                                               Bulk Electric System become isolated or blacked out, the
EOP-005-1                R11.                  affected Transmission Operators and Balancing Authorities         HIGH       BA, TOP       1,2             X                X                                  X                                  x      x                     X
                                               shall begin immediately to return the Bulk Electric System to
                                               normal.
                                               The affected Transmission Operators and Balancing
                                               Authorities shall work in conjunction with their Reliability
EOP-005-1                R11.1.                                                                                 MEDIUM      BA, TOP                                                                           X                                  x      x
                                               Coordinator(s) to determine the extent and condition of the
                                               isolated area(s).
                                               The affected Transmission Operators and Balancing
                                               Authorities shall take the necessary actions to restore Bulk
EOP-005-1                R11.2.                Electric System frequency to normal, including adjusting          HIGH       BA, TOP        1              X                X                                                                     x      x                     X
                                               generation, placing additional generators on line, or load
                                               shedding.
                                               The affected Balancing Authorities, working with their
                                               Reliability Coordinator(s), shall immediately review the
                                               Interchange Schedules between those Balancing Authority
                                               Areas or fragments of those Balancing Authority Areas
EOP-005-1                R11.3.                within the separated area and make adjustments as needed          HIGH          BA          1              X                X                                                                     x      x                     X
                                               to facilitate the restoration. The affected Balancing
                                               Authorities shall make all attempts to maintain the adjusted
                                               Interchange Schedules, whether generation control is
                                               manual or automatic.

                                                                                                                                                                                                                                                            Page 140 of 235
           Requirements Detail                                                                                                                                                                                                                                   2/22/2010
                                                                                     2010 Compliance Monitoring and Enforcement Program
                                                                                                  Requirements Spreadsheet
ABBREVIATIONS                                                                                                                                      RISK BASED CRITERIA
BA - Balancing Authority                       RC - Reliability Coordinator                                                                        1 - Violation Risk Factor = High
DP - Distribution Provider                     RE - Regional Entity                                                                                2 - NERC Violations (Top NERC Violated Requirements)
GO - Generation Owner                          RP - Resource Planner                                                                               3 - Past Events & Major Reliability Issues (identified in event analysis/disturbances, CVI)
GOP - Generation Operator                      RSG - Reserve Sharing Group                                                                         4 - Regional Violations (Top Regional Violated Requirements) regional footprint
IA - Interchange Authority                     TO - Transmission Owner                                                                             5 - Regional Input
LSE - Load-Serving Entity                      TOP - Transmission Operator                                                                         6 - Cyber Security
PA - Planning Authority                        TP - Transmission Planner
PSE - Purchasing-Selling Entities              TSP - Transmission Service Provider                                                                 Registered Entity-Specific Considerations:
                                                                                                                                                   a - Past Performance (past violations, open mitigation plan, complaints, etc can expand the audit scope)
                                                                                                                                                   b - Mergers and Acquisitions (Note: the scope of the audit can expand following a merger or acquisition.)
                                                                                                                                                   * Note: The Risk Based Criteria value may not apply to all requirements in the standard.

Compliance is required with all regulatory authority approved reliability standards whether or not they are included in the subset of reliability standards and requirements designated to be audited in the NERC annual compliance program.
All requirements are subject to a possible CVI, Self-Report, or Complaint. Spot checks listed for BAL-003 and CIP-002 through CIP-009 are mandatory; all other spot checks are at the discretion of the Regional Entity consistent with any
requirements in the Reliability Standards, CMEP or RoP.

                                                                                                                                                                            Periodic
                                                                                                                                                                              Data
                                                                                                                                                                           Submittals
   Reliability
                                                                                                                Violation                Risk         Self                    - M:                                                          2007       2008              2009
   Standard                      Requirement                                                                                Functions                           Compliance            Exception                             Spot
                                                                      Text of Requirement                         Risk                  Based      Certificatio            Monthly Q:                                                      Annual     Annual            Annual
    (FERC                          Number                                                                                   Monitored                             Audit               Reporting                            Check
                                                                                                                 Factor                 Criteria        n                   Quarterly                                                     Program    Program           Program
   Approved)
                                                                                                                                                                           A: Annual
                                                                                                                                                                            X:Region
                                                                                                                                                                           Specified

                                               The affected Transmission Operators shall give high priority
EOP-005-1                R11.4.                                                                                  HIGH         TOP          1              X                X                                                                     x      x                     X
                                               to restoration of off-site power to nuclear stations.
                                               The affected Transmission Operators may resynchronize the
EOP-005-1                R11.5.                isolated area(s) with the surrounding area(s) when the           MEDIUM        TOP                                                                             X                                  x      x
                                               following conditions are met:
EOP-005-1                R11.5.1.              Voltage, frequency, and phase angle permit.                       HIGH         TOP          1              X                X                                                                     x      x                     X
                                               The size of the area being reconnected and the capacity of
                                               the transmission lines effecting the reconnection and the
EOP-005-1                R11.5.2.                                                                                HIGH         TOP          1              X                X                                                                     x      x                     X
                                               number of synchronizing points across the system are
                                               considered.
                                               Reliability Coordinator(s) and adjacent areas are notified
EOP-005-1                R11.5.3.                                                                               MEDIUM        TOP                                                                             X                                  x      x
                                               and Reliability Coordinator approval is given.
                                               Load is shed in neighboring areas, if required, to permit
EOP-005-1                R11.5.4.                                                                                HIGH         TOP          1              X                X                                                                     x      x                     X
                                               successful interconnected system restoration.
                                               Each Reliability Coordinator shall be aware of the restoration
                                               plan of each Transmission Operator in its Reliability
EOP-006-1                R1.                                                                                    MEDIUM         RC                                                                                             X                  x      x
                                               Coordinator Area in accordance with NERC and regional
                                               requirements.
                                               The Reliability Coordinator shall monitor restoration
EOP-006-1                R2.                                                                                     HIGH          RC          1              X                X                                                                     x      x                     X
                                               progress and coordinate any needed assistance.
                                               The Reliability Coordinator shall have a Reliability
                                               Coordinator Area restoration plan that provides coordination
EOP-006-1                R3.                   between individual Transmission Operator restoration plans       MEDIUM         RC                                                                                             X                  x      x
                                               and that ensures reliability is maintained during system
                                               restoration events.
                                               The Reliability Coordinator shall serve as the primary
                                               contact for disseminating information regarding restoration
EOP-006-1                R4.                   to neighboring Reliability Coordinators and Transmission         MEDIUM         RC                                                                                                                x      x
                                               Operators or Balancing Authorities not immediately involved