2. The responsible entity must update each personnel risk assessment at least every 7 years after the initial personnel risk assessment or for cause.

3. The responsible entity must document the results of personnel risk assessments of its personnel having authorized cyber or authorized unescorted physical access to critical cyber assets, and must document that personnel risk assessments of contractor and service vendor personnel with such access are conducted pursuant to Standard CIP-004.


The responsible entity must maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets, including their specific electronic and physical access rights to critical cyber assets.

•   The responsible entity must review quarterly the list(s) of its personnel who have such access to critical cyber assets, and update the list(s) within 7 calendar days of any change of personnel with such access to critical cyber assets, or any change in the access rights of such personnel. The responsible entity must ensure that access list(s) for contractors and service vendors are properly maintained.

•   The responsible entity must revoke such access to critical cyber assets within 24 hours for personnel terminated for cause and within 7 calendar days for personnel who no longer require such access to critical cyber assets.


Recovery plan(s) must be in place for critical cyber assets, and these plans must follow established business continuity and disaster recovery techniques and practices. The responsible entity must comply with the following requirements.

Recovery Plans

The responsible entity must create and annually review recovery plan(s) for critical cyber assets. The recovery plan(s) must address at a minimum the following:

1. Specify the required actions in response to events or conditions of varying duration and severity that would activate the recovery plan(s).

2. Define the roles and responsibilities of responders.


The recovery plan(s) must be exercised at least annually. An exercise of the recovery plan(s) can range from a paper drill, to a full operational exercise, to recovery from an actual incident.

Change Control

Recovery plan(s) must be updated to reflect any changes or lessons learned as a result of an exercise or the recovery from an actual incident. Updates must be communicated to personnel responsible for the activation and implementation of the recovery plan(s) within 90 calendar days of the change.

Backup and Restore

The recovery plan(s) must include processes and procedures for the backup and storage of information required to successfully restore critical cyber assets. For example, backups may include spare electronic components or equipment, written documentation of configuration settings, tape backup, etc.

Testing Backup Media

Information essential to recovery that is stored on backup media must be tested at least annually to ensure that the information is available. Testing can be completed off-site.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.