Azure and Azure Government support for NERC CIP standards
This blog was co-authored by Larry Cochrane, Principal Program Manager, Microsoft.
We recently published two blogs on how you can use Azure Government to meet export control regulations: Export control implication on Azure and Azure Government and Managing export controls in Azure and Azure Government. This blog provides another deep dive on compliance for bulk power systems owners, operators, and users, focused on current Azure and Azure Government support for NERC CIP standards as of July 2019.
All bulk power system owners, operators, and users must comply with NERC CIP standards. For detailed information about Azure and Azure Government support for NERC CIP standards, see the Microsoft Trust Center NERC coverage. To learn more about how Microsoft helps customers meet their own compliance obligations across regulated industries and markets worldwide, see Microsoft Azure Compliance Offerings.
Background on the NERC CIP Standards
The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the U.S. Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005. NERC develops and enforces reliability standards known as NERC Critical Infrastructure Protection (CIP) standards.
As mentioned above, all bulk power system owners, operators, and users must comply with these standards. These entities are required to register with NERC. Cloud Service Providers and third-party vendors are not subject to NERC CIP standards; however, the CIP standards include goals that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards.
As stated by NERC in the current set of CIP standards and NERC’s Glossary of Terms, BES Cyber Assets perform real-time functions of monitoring or controlling the BES and would affect the reliable operation of the BES within 15 minutes of being impaired. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and do not fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).
Using Azure and Azure Government for workloads subject to NERC CIP standards
Neither Azure nor Azure Government constitutes a BES or a BES Cyber Asset; however, both Azure and Azure Government are suitable for Registered Entities deploying certain workloads subject to NERC CIP standards, including BCSI workloads.
Microsoft makes the following documents available to Registered Entities interested in deploying data and workloads subject to NERC CIP compliance obligations in Azure or Azure Government:
- NERC CIP Standards and Cloud Computing is a white paper that discusses compliance considerations for NERC CIP requirements based on established third-party audits that are applicable to cloud service providers, such as FedRAMP. It covers background screening for cloud operations personnel and answers common questions about logical isolation and multi-tenancy that are of interest to Registered Entities. It also addresses security considerations for on-premises vs. cloud deployment.
- Cloud Implementation Guide for NERC Audits is a guidance document that provides control mapping between the current set of NERC CIP standards requirements and the NIST SP 800-53 Rev. 4 control set that forms the basis for FedRAMP. It is designed as technical how-to guidance to help Registered Entities address NERC CIP compliance requirements for assets deployed in the cloud. The document contains pre-filled Reliability Standard Audit Worksheet (RSAW) narratives that help explain how Azure controls address NERC CIP requirements, as well as guidance for Registered Entities on how to use Azure services to implement the controls that they own.
Additional resources for NERC CIP compliance
The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a Registered Entity’s process to authorize access to designated BCSI storage locations and any access controls the Registered Entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI.
Based on the ERO-issued practice guide and the reviewed FedRAMP controls that ensure Registered Entities encrypt their data, no additional guidance or clarification is needed for Registered Entities to deploy BCSI and associated workloads in the cloud; however, Registered Entities remain ultimately responsible for compliance with NERC CIP standards according to their own facts and circumstances. Registered Entities should review the Cloud Implementation Guide for NERC Audits for help with documenting the processes and evidence they use to authorize electronic access to BCSI storage locations, including the encryption key management used for BCSI encryption in Azure and Azure Government.
For more information about Azure and Azure Government support for NERC CIP standards, see the Microsoft Trust Center NERC coverage. To learn more about how Microsoft helps customers meet their own compliance obligations across regulated industries and markets worldwide, see Microsoft Azure Compliance Offerings.