NERC CIP Control Mapping
This document maps BreachSpider features to specific NERC CIP requirements. Use it to understand how BreachSpider supports your CIP compliance program and to identify which BreachSpider evidence to include in your audit documentation.
CIP-007-7 R2 - Security Patch Management
CIP-007-7 Requirement 2 mandates that responsible entities have a documented patch management process for applicable BES Cyber Systems.
R2.1 - Identify Security Patches
Requirement: "At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation."
BreachSpider evidence: BreachSpider continuously monitors NVD and multiple authoritative vulnerability feeds for new CVEs. New CVEs affecting your assets are identified within 24 hours of publication, well inside the 35-calendar-day evaluation interval. The audit log provides timestamped proof of this: FINDING entries with timestamps demonstrate that patch identification happens automatically and continuously.
R2.2 - Document the Assessment
Requirement: "For each patch identified as applicable, create a dated document of the assessment."
BreachSpider evidence: Every finding in BreachSpider is a dated assessment record. The finding includes the CVE ID, affected asset, severity scores, patch applicability, and SAGE analysis. When a finding is acknowledged, the acknowledgment record (with reason, notes, actor, and timestamp) constitutes the dated documentation of your assessment.
The NERC CIP Evidence Package report compiles these records into a formatted document for the compliance period.
R2.3 - Apply Security Patches
Requirement: "For applicable patches, implement the patch, create a dated mitigation plan, or revise an existing mitigation plan."
BreachSpider evidence:
- Patch applied: TICKET_CREATED and TICKET_CLOSED (reason: patched) log entries prove a remediation action was initiated and completed.
- Mitigation plan: FINDING_ACKNOWLEDGED (reason: compensating_control) entries with documented control descriptions serve as your dated mitigation plan. The notes field should describe the specific compensating control implemented.
- Risk accepted: FINDING_ACKNOWLEDGED (reason: accepted_risk) entries with business justification notes document cases where risk was formally accepted.
CIP-010-4 R1 - Configuration Management
R1.1 - Baseline Configuration
Requirement: "Develop a baseline configuration for applicable BES Cyber Systems."
BreachSpider evidence: Your environment asset list is your BES Cyber Asset inventory. Each asset record includes vendor, product, version, asset type, layer, and criticality. The ASSET_ADDED log entry provides the dated baseline creation record.
R1.2 - Authorize and Document Changes
Requirement: "Authorize and document changes to the baseline configuration."
BreachSpider evidence: ASSET_ADDED, ASSET_UPDATED, and ASSET_REMOVED log entries document every change to your asset baseline with timestamp, actor, and change details. Each change creates an immutable record that auditors can review.
CIP-010-4 R3 - Vulnerability Assessments
R3.1 - Vulnerability Management Plan
Requirement: "Conduct and document paper or active vulnerability assessments."
BreachSpider evidence: BreachSpider's continuous CVE matching against your asset inventory constitutes an ongoing vulnerability assessment. The combination of finding generation, triage (acknowledgment with reasons), ticket management (remediation tracking), and audit log (activity documentation) provides the evidence framework R3 requires.
The NERC CIP Evidence Package report is specifically formatted to present this evidence in the structure CIP auditors expect.
CIP-013 - Supply Chain Risk Management
R1.1 - Supply Chain Security Plan
Requirement: "Develop a plan to address supply chain risk for BES Cyber Systems."
BreachSpider support: Use the vendor CVE history endpoint (GET /api/v1/cves/vendor/{slug}) to assess vendor security track records. A vendor with 50 critical CVEs in 2 years presents a different supply chain risk profile than a vendor with 5. Include vendor CVE analysis in your supply chain risk assessments.
Evidence Generation Workflow
For each compliance period:
- Generate the NERC CIP Evidence Package report for each BES Cyber System environment.
- Export the audit log filtered to compliance-relevant events for the period.
- Review for gaps: Ensure every critical and high finding has a documented position (acknowledged, ticketed, or both).
- Have your authorized representative review and sign the evidence package.
- Archive the evidence package and audit log export in your compliance document repository.
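The gap review in this workflow can be scripted against the audit log export. The following is an added example, not BreachSpider code: the event names and reason values are the ones listed on this page, while the JSON Lines layout and the field names (`event`, `finding_id`, `severity`, `reason`, `notes`, `actor`, `timestamp`) are assumptions about the export format, and the sample records are constructed.

```python
import json

# Event names and reason values come from this page; the JSON Lines layout
# and the field names are assumptions about the export format.
POSITION_EVENTS = {"FINDING_ACKNOWLEDGED", "TICKET_CREATED"}
NOTES_REQUIRED = {"compensating_control", "accepted_risk"}
IN_SCOPE = {"critical", "high"}

# Constructed sample export, one JSON object per line.
SAMPLE_EXPORT = """\
{"timestamp": "2025-01-03T08:00:00Z", "event": "FINDING", "finding_id": "F-1", "severity": "critical"}
{"timestamp": "2025-01-04T09:30:00Z", "event": "FINDING_ACKNOWLEDGED", "finding_id": "F-1", "reason": "compensating_control", "notes": "Port blocked at ESP firewall", "actor": "jdoe"}
{"timestamp": "2025-01-05T08:00:00Z", "event": "FINDING", "finding_id": "F-2", "severity": "high"}
{"timestamp": "2025-01-06T10:00:00Z", "event": "TICKET_CREATED", "finding_id": "F-2", "actor": "asmith"}
{"timestamp": "2025-01-20T16:00:00Z", "event": "TICKET_CLOSED", "finding_id": "F-2", "reason": "patched", "actor": "asmith"}
{"timestamp": "2025-01-07T08:00:00Z", "event": "FINDING", "finding_id": "F-3", "severity": "high"}
{"timestamp": "2025-01-08T08:00:00Z", "event": "FINDING", "finding_id": "F-4", "severity": "critical"}
{"timestamp": "2025-01-09T11:00:00Z", "event": "FINDING_ACKNOWLEDGED", "finding_id": "F-4", "reason": "accepted_risk", "notes": "", "actor": "jdoe"}
{"timestamp": "2025-01-10T08:00:00Z", "event": "FINDING", "finding_id": "F-5", "severity": "medium"}
"""

def find_gaps(export_text):
    """Return {finding_id: [problems]} for critical and high findings."""
    findings, positions, problems = {}, {}, {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fid, event = rec.get("finding_id"), rec.get("event")
        if event == "FINDING":
            findings[fid] = (rec.get("severity") or "").lower()
        elif event in POSITION_EVENTS:
            positions.setdefault(fid, []).append(rec)
    for fid, severity in findings.items():
        if severity not in IN_SCOPE:
            continue
        recs = positions.get(fid, [])
        if not recs:
            # Neither acknowledged nor ticketed: no documented position.
            problems.setdefault(fid, []).append("no documented position")
        for rec in recs:
            reason = rec.get("reason")
            # A mitigation plan or risk acceptance needs its written basis.
            if reason in NOTES_REQUIRED and not (rec.get("notes") or "").strip():
                problems.setdefault(fid, []).append(f"{reason} without notes")
    return problems

if __name__ == "__main__":
    for fid, issues in sorted(find_gaps(SAMPLE_EXPORT).items()):
        print(fid, "; ".join(issues))
```

An empty result means every critical and high finding in the export has a documented position; anything returned should be resolved before the evidence package is signed.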
Important Disclaimer
BreachSpider is a vulnerability intelligence and management tool. It generates evidence that supports your NERC CIP compliance program. It does not replace:
- A qualified NERC CIP compliance officer.
- A registered entity compliance program.
- Internal Compliance Program (ICP) processes.
- Legal counsel for regulatory matters.
Use BreachSpider evidence as part of your comprehensive compliance program, not as the entire program.