ging physical entry at all access points to the physical security perimeter(s) using one or more of the following logging methods or their equivalent:
1. Computerized logging. Electronic logs produced by the responsible entity’s selected access control and monitoring method.
2. Video recording. Electronic capture of video images of sufficient quality to determine identity.
3. Manual logging. A log book, sign-in sheet, or other record of physical access maintained by security or other personnel authorized to control and monitor physical access.
Access Log Retention
The responsible entity must retain physical access logs for at least 90 calendar days. Logs related to reportable incidents must be kept in accordance with the requirements of Standard CIP-008.
Maintenance and Testing
The responsible entity must implement a maintenance and testing program to ensure that all physical security systems function properly. The program must include, at a minimum, the following:
1. Testing and maintenance of all physical security mechanisms on a cycle no longer than 3 years.
2. Retention of testing and maintenance records for the proper cycle documented by the responsible entity.
3. Retention of outage records regarding access controls, logging, and monitoring for a minimum of 1 calendar year.
PERSONNEL AND TRAINING
Personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, including contractors and service vendors, are required to have an appropriate level of personnel risk assessment, training, and security awareness.
The responsible entity must establish, maintain, and document a security awareness program to ensure that personnel having authorized cyber or authorized unescorted physical access receive ongoing reinforcement in sound security practices. The program must include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
• Direct communications (e.g., e-mails, memos, computer based training, etc.);
• Indirect communications (e.g., posters, intranet, brochures, etc.);
• Management support and reinforcement (e.g., presentations, meetings, etc.).
The responsible entity must establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and review the program annually and update as necessary.
This program will ensure that all personnel having such access to critical cyber assets, including contractors and service vendors, are trained within 90 calendar days of such authorization.
Training must cover the policies, access controls, and procedures as developed for the critical cyber assets and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:
• The proper use of critical cyber assets;
• Physical and electronic access controls to critical cyber assets;
• The proper handling of critical cyber asset information; and
• Action plans and procedures to recover or re-establish critical cyber assets and access thereto following a cyber security incident.
The responsible entity must maintain documentation that training is conducted at least annually, including the date the training was completed and attendance records.
Personnel Risk Assessment
The responsible entity must have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment must be conducted pursuant to that program within 30 days of such personnel being granted such access. Such program must at a minimum include the following:
1. The responsible entity must ensure that each assessment conducted includes, at least, identity verification (e.g., Social Security number verification in the United States) and a 7-year criminal check. The responsible entity may conduct more detailed reviews, as permitted by law and subject to existing collective bargaining unit agreements, depending on the criticality of the position.