As commenters highlighted in response to the NOI, current CIP Standards provide responsible entities with the operational flexibility to implement security measures that they deem necessary to comply with the CIP Standards.[1] Prescriptive requirements, such as those proposed in the NOI, would reduce that flexibility, burdening responsible entities with additional costs and work required to properly implement the measures. The Commission agreed with commenters, deciding that the record “does not support requiring the use of isolation or whitelisting in the CIP Reliability Standards at this time.” Despite terminating the inquiry, however, the Commission encouraged “continued information sharing and dissemination of lessons learned among stakeholders” so that “responsible entities can better implement security controls, including, when appropriate, isolation and whitelisting,” to achieve the objectives of the CIP Standards. The Commission also noted that its “staff will engage with NERC, industry, and other stakeholders to look for opportunities to explore these strategies more thoroughly and encourage their use in appropriate circumstances, seeking ways to achieve their potential benefits while addressing possible risks.”
[1] See, e.g., NERC, Comments in Response to NOI, Docket No. RM16-18-000 (filed Sept. 26, 2016).