case study

Full Scale Program Integration and Development

The Beginning

NST began work in 2003 and has continued to provide services since then. Our projects include development of cyber-security policies for each business unit, identification of SME teams, creation of a centralized CIP compliance office supporting the responsibilities of the CIP Senior Manager, staff training and augmentation, and audit support. NST’s integration with this program is substantial. Over the past 18 years, NST has been involved in nearly every part of the program, from the very foundation of the NERC Compliance team through every audit cycle across multiple regions and versions of the standards.

Next Steps

In 2003, NST was part of the inaugural committee to create the compliance program and organize a response to NERC Urgent Action 1200.

In 2006, NST hosted a “CIP Summit” in which the new version of CIP was introduced to a wide audience of stakeholders and the plans to develop a robust program were laid out.

In 2010, NST created a CIP Charter focused on sustainability and continuous improvement models for compliance and security.

In 2013, NST led a remediation project for challenges with the implementation of Physical Access Control Systems.

In 2014, NST supported the preparation for a NERC CIP v3 regional entity audit and, separately, the implementation of the NERC CIP v5 compliance program transition.

In 2017, NST provided long-term staff augmentation resources to develop and implement process updates and to transfer knowledge about newly created processes and documentation to new hires after they were onboarded.

Additionally, NST provided “audit leadership” on two separate audits spanning multiple states and regions. During the first phase, NST reviewed formal documentation, requested and reviewed sample data, assisted in updates to RSAWs to reflect the procedures and data, and toured areas housing in-scope BES cyber systems. During the second phase, NST prepared the SMEs for a formal audit by leading training sessions on how to respond to auditors' questions and by playing the roles of auditors so that SMEs could practice presenting their materials. NST gave SMEs feedback on how well they applied the advice from the training to answer questions with targeted responses.

Overall Support

In 2024, NST commenced yet another project to assess the program’s readiness for CIP-003-9 and to improve compliance posture with respect to CIP-005-7. The effort included a review of findings from the Entity’s recent audit, detailed analysis of supporting documentation, and in-depth discussions centered around the definition of “Vendor Remote Access” as well as its implications across other CIP Standards. NST evaluated current policies, processes, and tools to determine capabilities, and assessed potential tools and solutions to close any remaining gaps. NST provided AEP with actionable recommendations including new and updated definitions as well as updates to documentation to ensure that compliance can be demonstrated for all types of individuals and organizations classified as vendors that establish remote access sessions.
