articles/azure-government/documentation-government-overview-nerc.md
3 additions & 3 deletions
@@ -80,7 +80,7 @@ As stated by NERC, CIP standards don't apply to distribution, that is, non-BES,
80
80
- Includes rooms and equipment where power system operators sit and rooms and equipment containing the “back office” servers, databases, telecommunications equipment, and so on.
81
81
- They may all be in the same room or be in different buildings or in different cities.
82
82
83
-
As stated by NERC, BES Cyber Assets perform real-time functions of monitoring or controlling the BES. There's heavy emphasis in the current definition on physical assets within the Electronic Security Perimeter, for example, the specific term *“in those devices”* referring to BES Cyber Assets. There are no provisions for key cloud concepts such as virtualization and multi-tenancy. To accommodate properly BES Cyber Assets and Protected Cyber Assets in a cloud environment, existing definitions in NERC CIP standards would [need to be revised](https://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx). However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule. More detailed discussion was provided by NERC in November 2016 at the [Emerging Technology Roundtable on Cloud Computing](https://www.nerc.com/pa/CI/Documents/roundtable%20-%20cloud%20computing%20slides%20%20(20161116).pdf).
83
+
As stated by NERC, BES Cyber Assets perform real-time functions of monitoring or controlling the BES. There's heavy emphasis in the current definition on physical assets within the Electronic Security Perimeter, for example, the specific term *“in those devices”* referring to BES Cyber Assets. There are no provisions for key cloud concepts such as virtualization and multi-tenancy. To accommodate properly BES Cyber Assets and Protected Cyber Assets in a cloud environment, existing definitions in NERC CIP standards would [need to be revised](https://www.nerc.com/standards). However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule.
84
84
85
85
Depending on registered entity’s implementation, some of the following workloads may not be considered a BES Cyber System (BCS) or placed within the Electronic Security Perimeter (ESP):
86
86
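Review bot: On the changed line 83, the "need to be revised" anchor now points at the generic https://www.nerc.com/standards landing page, so the claim that the CIP definitions would need revision no longer links to anything that supports it (the old target was the Project 2016-02 "Modifications to CIP Standards" page). If that project page has a current URL, link it directly; otherwise drop the hyperlink and name the project in the text. The same edit also deletes the sentence citing the November 2016 Emerging Technology Roundtable on Cloud Computing and its slides link, which was the only pointer to NERC's more detailed discussion; if the slides are no longer hosted, say so in the commit message rather than removing the reference silently.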
@@ -267,7 +267,7 @@ Microsoft Azure and Azure Government are multi-tenant cloud services platforms a
267
267
| Microsoft cloud background check |✅|✅|
268
268
| Require US persons for operations personnel |❌|✅|
269
269
270
-
Current NERC CIP definitions place heavy emphasis on physical assets within the Electronic Security Perimeter (for example, the specific term *“in those devices”* referring to BES Cyber Assets), and make no provisions for key cloud concepts such as virtualization and multi-tenancy. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would [need to be revised](https://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx). However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule pertaining to BES Cyber Asset impact on the Bulk Electric System reliable operation. One such broad category of data includes BES Cyber System Information (BCSI) if proper security controls are in place to safeguard BCSI.
270
+
Current NERC CIP definitions place heavy emphasis on physical assets within the Electronic Security Perimeter (for example, the specific term *“in those devices”* referring to BES Cyber Assets), and make no provisions for key cloud concepts such as virtualization and multi-tenancy. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would [need to be revised](https://www.nerc.com/standards). However, there are many workloads that deal with CIP sensitive data and don't fall under the 15-minute rule pertaining to BES Cyber Asset impact on the Bulk Electric System reliable operation. One such broad category of data includes BES Cyber System Information (BCSI) if proper security controls are in place to safeguard BCSI.
271
271
272
272
The NERC ERO Enterprise [released](https://www.nerc.com/pa/comp/guidance/Pages/default.aspx) a Compliance Monitoring and Enforcement Program (CMEP) [practice guide](https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/ERO%20Enterprise%20CMEP%20Practice%20Guide%20_%20BCSI%20-%20v0.2%20CLEAN.pdf) to provide guidance to ERO Enterprise CMEP staff when assessing a registered entity’s process to authorize access to designated BCSI storage locations and any access controls the registered entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI. Based on the ERO Enterprise issued CMEP practice guide and reviewed FedRAMP controls to ensure registered entities encrypt their data, no extra guidance or clarification is needed to deploy BCSI and associated workloads in the cloud. However, registered entities are ultimately responsible for compliance with NERC CIP standards according to their own facts and circumstances. Registered entities should review the [Cloud implementation guide for NERC audits](https://aka.ms/AzureNERCGuide) for help with documenting their processes and evidence used to authorize electronic access to BCSI storage locations, including encryption key management used for BCSI encryption in Azure and Azure Government.
273
273
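Review bot: The unchanged line 272 directly below this edit still carries two links under the same nerc.com/pa/... path scheme that line 270 just moved away from (the /pa/comp/guidance/Pages/default.aspx page and the CMEP practice guide PDF). If the reason for replacing the Project 2016-02 URL is that the old paths no longer resolve, verify those two links in the same change, since line 272 is where readers are sent for the BCSI access-authorization guidance. As in the hunk at line 83, the replacement target https://www.nerc.com/standards is a generic landing page and does not identify the revision effort the sentence refers to.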
@@ -295,6 +295,6 @@ If you're a registered entities subject to compliance with NERC CIP standards, y
295
295
-[NIST SP 800-53](https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53)*Security and Privacy Controls for Information Systems and Organizations*
296
296
-[North American Electric Reliability Corporation](https://www.nerc.com/) (NERC)