CIP-010-4 R1.6

Applicable Systems:

High Impact BES Cyber Systems and their associated:

1. EACMS; and

2. PACS

Medium Impact BES Cyber Systems and their associated:

1. EACMS; and

2. PACS

Note: Implementation does not require the Responsible Entity to renegotiate or abrogate existing contracts (including amendments to master agreements and purchase orders). Additionally, the following issues are beyond the scope of Part 1.6: (1) the actual terms and conditions of a procurement contract; and (2) vendor performance and adherence to a contract.

Requirements:

R1.6 Prior to a change that deviates from the existing baseline configuration associated with baseline items in Parts 1.1.1, 1.1.2, and 1.1.5, and when the method to do so is available to the Responsible Entity from the software source:

1.6.1. Verify the identity of the software source; and

1.6.2. Verify the integrity of the software obtained from the software source.

Measures:

An example of evidence may include, but is not limited to a change request record that demonstrates the verification of identity of the software source and integrity of the software was performed prior to the baseline change or a process which documents the mechanisms in place that would automatically ensure the identity of the software source and integrity of the software.

Parent Requirement and Measures:

R1. Each Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-010-4 Table R1 – Configuration Change Management. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning].

M1. Evidence must include each of the applicable documented processes that collectively include each of the applicable requirement parts in CIP-010-4 Table R1 – Configuration Change Management and additional evidence to demonstrate implementation as described in the Measures column of the table.
