NERC CIP Framework Mapping

The NERC CIP Standards and Requirements can be daunting to tackle. At first glance they might seem like an insurmountable mountain of cybersecurity dos and don'ts. But have no fear: if you are familiar with any other cybersecurity framework, you're already most of the way there. While some of the wording differs across frameworks, most of the details are the same. Take NIST CSF (Cybersecurity Framework) and NERC CIP as examples. Both frameworks address supply chain risk management: NIST CSF in the Identify domain, with its Supply Chain Risk Management category and subcategories, and NERC CIP with CIP-013-2 Supply Chain Risk Management. And it doesn't stop with supply chain (obviously). Most of the NERC CIP requirements map to the NIST CSF categories and subcategories in one way or another.

Often the best place to start is with a framework you're familiar with, one you've already worked with. Few analysts have the time to do a full mapping while juggling their day jobs. If you're familiar with the NIST CSF but not NERC CIP, then you're in luck. NIST has a wonderful resource called the National Online Informative References Program (OLIR) that provides mappings across different cybersecurity frameworks. In 2023, the project to map NERC CIP to the NIST CSF was completed, and a full mapping document is available to reference. It is safe to assume (in this case anyway) that the NERC CIP Standards will also be mapped to other NIST publications (such as SP 800-53 or SP 800-171). A word to the wise, however: this project is ongoing, and not all frameworks have been mapped yet.

https://csrc.nist.gov/projects/olir/informative-reference-catalog/details?referenceId=90#/
