Standard CIP-003-6 requires that Responsible Entities have minimum security management controls in place to protect Critical Cyber Assets. Standard CIP-003-6 should be read as part of a group of standards numbered Standards CIP-002 through CIP-009.
ApplicabilityWithin the text of Standard CIP-003-6, “Responsible Entity” shall mean:
- Reliability Coordinator
- Balancing Authority
- Interchange Authority
- Transmission Service Provider
- Transmission Owner
- Transmission Operator
- Generator Owner
- Generator Operator
- Load Serving Entity
- Regional Entity
The following are exempt from Standard CIP-003-6:
- Facilities regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
- Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
- Responsible Entities that, in compliance with Standard CIP-002-6, identify that they have no Critical Cyber Assets shall only be required to comply with CIP-003-3 Requirement R2.
See the NERC website for more details regarding Critical Infrastructure Protection Standards.