New Draft of Cybersecurity Risk Management Process (RMP) Guideline Now Available for Public Comment (March 2012)

March 1, 2012 - 3:26pm


The Department of Energy, in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC), has released a second draft of the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline for public comment. This new draft, which will be the last opportunity for public comment prior to final publication, incorporates input submitted by the electric sector during the first public comment period.

Many of the submitted comments suggested that the guideline:

  • Clarify the relationship of the RMP guideline to other cybersecurity guidance, including the NERC Critical Infrastructure Protection (CIP) standards;
  • Recognize organizational constraints to include personnel, competing priorities, and budget; and
  • Discuss third-party risk, including how the risk impacts the organization and how to better manage the risk.

Based on input received during the first public comment period as well as one-on-one conversations and discussions held during several outreach events, the document has been significantly revised to better meet the industry’s needs. While the overall process and process elements have remained the same, some sections were rewritten significantly. Comments deemed to be outside the scope of the RMP document or to have sufficient existing independent guidance (e.g., NIST, NERC, ISO, ISA) were not addressed. Changes were also made to improve overall readability.

It is important to note that the RMP guideline is designed to provide a consistent, repeatable, and adaptable process for the electric sector that will help organizations proactively manage cybersecurity risk. It is not associated with any regulatory standard and is not intended to be an all-encompassing document for managing cybersecurity risk.

To submit comments, please complete the RMP Comment Submission Form and send via email to or by U.S. mail to:

Office of Electricity Delivery and Energy Reliability, OE-20
U.S. Department of Energy
1000 Independence Avenue SW.
Washington, DC 20585

Comments must be received on or before Thursday, April 5, 2012.