The document discusses the requirements for CIP training under CIP-004 R2. It states that simply having staff read a short document and sign it does not meet the standard for training set by NERC. A proper training program involves live instruction or other programs like CBT to thoroughly train individuals and answer questions. Abidance Consulting, authorized by NERC to provide training credits, can help organizations design training programs that meet the CIP requirements.
Abidance Technology Solutions
Information
Consulting
Newsletter — February 2010
Who Is Affected?
What Constitutes CIP Training
With 2010 being the beginning of the CIP audits, are your staff fully trained under
the requirements of CIP-004 R2? Many organizations are having their staff
read a one- or two-page document and then sign it. This, according to NERC
and the eight regions, does not constitute a training program. A training program
is one that allows for either a live instructor or another type of program (CBE,
CBT, WebEx, etc.) to thoroughly train an individual or group and to answer any
questions that they may have.
Abidance Consulting, who is authorized by NERC to provide CE credit courses
for CIP, Reliability and Sabotage Reporting training, has addressed what should
be considered when creating and implementing a training program.
CIP-004 requires that personnel having authorized cyber or authorized unescorted physical access to Critical
Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment,
training, and security awareness.
The CIP-004 training program must address not only the acceptable uses of the critical and non-critical
assets, but also the unacceptable uses. This training is to be provided to all contractors who
are either on-site or, in some cases, off-site; to service vendors, which could include maintenance and cleaning
crews, network technicians, hardware maintenance personnel, etc.; and to facility staff who have authorized cyber
or authorized unescorted physical access to Critical Cyber Assets.
The training program(s) must be updated to address any changes to the CIP rules and requirements. As a side
note, there will be at least three different versions of the CIP rules this year alone. The training updates need
to be made within ninety days of the CIP changes. The initial or updated training then needs to be conducted
within ninety days of the update(s). The training program(s) must also be reviewed and approved at least annually.
If there are any changes to your training program(s), it is advised that the program(s) be reviewed and
approved within a short period of time (30-45 days is recommended by Abidance Consulting).
Documentation that the training program(s) have been conducted on at least an annual basis is paramount to
complying with CIP-004. The documentation evidence of training can include, but is not limited to, a sign-in log
with signature or a completion of training certificate.
For more information on this or other NERC requirements, please contact James Holler at
james.holler@abidanceconsulting.com or at 713.253.8820.
Abidance Consulting A Veteran Owned Company