Cip 009-3

S ta n d a rd CIP –009–4 — Cyb e r S e c u rity — Re c o ve ry P la n s fo r Critic a l Cyb e r As s e ts

A. Introduction 1. 2. 3. Title: Number: Cyber Security — Recovery Plans for Critical Cyber Assets CIP-009-4

Purpose: Standard CIP-009-4 ensures that recovery plan(s) are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices. Standard CIP-009-4 should be read as part of a group of standards numbered Standards CIP-002-4 through CIP-009-4. Applicability: 4.1. Within the text of Standard CIP-009-3, “Responsible Entity” shall mean: 4.1.1 4.1.2 4.1.3 4.1.4 4.1.5 4.1.6 4.1.7 4.1.8 4.1.9 Reliability Coordinator Balancing Authority Interchange Authority Transmission Service Provider Transmission Owner Transmission Operator Generator Owner Generator Operator Load Serving Entity

4.

4.1.10 NERC 4.1.11 Regional Entity 4.2. The following are exempt from Standard CIP-009-4: 4.2.1 4.2.2 4.2.3 Facilities regulated by the Canadian Nuclear Safety Commission. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters. In nuclear plants, the systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F. R. Section 73.54 Responsible Entities that, in compliance with Standard CIP-002-4, identify that they have no Critical Cyber Assets.

4.2.4 5.

Effective Date: The first day of the eighth calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).

B. Requirements R1. Recovery Plans — The Responsible Entity shall create and annually review recovery plan(s) for Critical Cyber Assets. The recovery plan(s) shall address at a minimum the...