NERC CIP Evidence Package
The NERC CIP Evidence Package is a compliance report formatted specifically for electric utilities subject to NERC CIP standards. It provides the documentation that auditors require to verify your patch management, configuration monitoring, and vulnerability assessment processes under CIP-007 and CIP-010.
Who Needs This Report
Electric utilities and power system operators subject to NERC Critical Infrastructure Protection (CIP) standards. Specifically, organizations that must demonstrate compliance with:
- CIP-007-7 R2: Security Patch Management
- CIP-010-4 R1: Configuration Management
- CIP-010-4 R3: Vulnerability Assessments
If your organization operates BES (Bulk Electric System) Cyber Assets or Protected Cyber Assets, this report supports your compliance documentation.
What the Package Contains
1. Asset Inventory
Your environment's asset list, formatted as a BES Cyber Asset inventory:
- Asset name, vendor, product, version.
- Asset type and layer classification.
- Criticality designation.
- Date added to the environment.
This maps to CIP-010-4 R1.1 (baseline configuration documentation).
2. CVE Assessment Log
Every CVE evaluated during the reporting period:
- CVE ID, BSID, severity, and BCS score.
- Affected vendor and product.
- Patch applicability determination: applicable, not applicable, or pending evaluation.
- For applicable patches: patch version and status (applied, scheduled, compensating control).
- Date of evaluation.
This maps to CIP-007-7 R2.1 (identify security patches at least every 35 days) and R2.2 (create a dated document of the assessment).
3. Patch Applicability Determinations
A detailed section showing how each CVE was evaluated for applicability to your BES Cyber Assets:
- Why applicable: the CVE affects a product and version present in your environment.
- Why not applicable: the CVE affects a product or version not present, or the affected feature is disabled.
- Pending: evaluation is in progress.
4. Acknowledged Findings with Documented Reasons
Every acknowledged finding during the reporting period:
- CVE ID and affected asset.
- Acknowledgment reason: patched, compensating_control, not_applicable, accepted_risk, false_match, escalated.
- Detailed notes provided at acknowledgment time.
- Actor and timestamp.
This maps to CIP-007-7 R2.3 (apply security patches or document compensating measures).
5. Compensating Controls Documented
A dedicated section listing every finding acknowledged with the reason compensating_control:
- CVE ID and affected asset.
- Description of the compensating control.
- Who documented it and when.
This is the evidence that demonstrates your team implemented alternative mitigations where patching was not feasible.
6. Audit Log Excerpt
The audit log for the reporting period, filtered to compliance-relevant events:
- FINDING_ACKNOWLEDGED
- TICKET_CREATED
- TICKET_CLOSED
- ASSET_ADDED, ASSET_UPDATED, ASSET_REMOVED
- REPORT_GENERATED
7. Signature Block
The final page includes a signature block for your authorized representative:
- Name and title.
- Date signed.
- Organization name.
- Statement: "I certify that this evidence package accurately represents our security patch management and vulnerability assessment activities for the reporting period."
How to Use It
- Generate the report before each compliance period (typically quarterly or annually).
- Review the contents. Ensure every critical finding has a documented position. Address any gaps -- findings without acknowledgment or tickets without closure weaken your evidence.
- Download the PDF.
- Have your authorized representative review and sign page 1.
- Submit to your auditor as part of your CIP-007 and CIP-010 evidence package.
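The review step above asks you to confirm that every applicable finding has a documented position before the package is signed. The following pre-submission check is an added example, not part of BreachSpider or its export format: it runs over constructed records that reuse the report's field names and acknowledgment reason codes (the asset names, dates and placeholder CVE IDs are made up) and flags the gaps an auditor would notice, including evaluation dates more than 35 days apart within the Q2 2026 period used in the example below.

```python
from datetime import date, timedelta

# Constructed sample records mirroring the package's CVE Assessment Log and
# Acknowledged Findings sections. Field names follow the report; the asset
# names, dates and placeholder CVE IDs are made up for this example.
ASSESSMENT_LOG = [
    {"cve": "CVE-0000-0001", "asset": "rtu-01", "applicability": "applicable",
     "evaluated": date(2026, 4, 10)},
    {"cve": "CVE-0000-0002", "asset": "hmi-02", "applicability": "applicable",
     "evaluated": date(2026, 5, 30)},
    {"cve": "CVE-0000-0003", "asset": "hmi-02", "applicability": "not applicable",
     "evaluated": date(2026, 5, 30)},
]
ACKNOWLEDGMENTS = [
    {"cve": "CVE-0000-0001", "asset": "rtu-01", "reason": "compensating_control",
     "notes": "", "actor": "j.doe", "timestamp": date(2026, 4, 12)},
]
VALID_REASONS = {"patched", "compensating_control", "not_applicable",
                 "accepted_risk", "false_match", "escalated"}
MAX_EVAL_GAP = timedelta(days=35)  # CIP-007-7 R2.1: evaluate at least every 35 days


def find_gaps(log, acks, period_start, period_end):
    """Return human-readable gaps that would weaken the evidence package."""
    gaps = []
    acked = {(a["cve"], a["asset"]) for a in acks}
    # 1. Every applicable CVE needs a documented position (an acknowledgment).
    for e in log:
        if e["applicability"] == "applicable" and (e["cve"], e["asset"]) not in acked:
            gaps.append(f"{e['cve']} on {e['asset']}: applicable but not acknowledged")
    # 2. Reasons must be one of the report's codes; a compensating control
    #    without a description is not evidence of a mitigation.
    for a in acks:
        if a["reason"] not in VALID_REASONS:
            gaps.append(f"{a['cve']} on {a['asset']}: unknown reason {a['reason']!r}")
        elif a["reason"] == "compensating_control" and not a["notes"].strip():
            gaps.append(f"{a['cve']} on {a['asset']}: compensating control has no description")
    # 3. No stretch of the period may go more than 35 days without an evaluation.
    #    Assumes the cadence was current at period_start; period_end is the next deadline.
    dates = sorted({e["evaluated"] for e in log} | {period_start, period_end})
    for earlier, later in zip(dates, dates[1:]):
        if later - earlier > MAX_EVAL_GAP:
            gaps.append(f"no CVE evaluation between {earlier} and {later} (over 35 days)")
    return gaps


def check_q2_2026():
    """Run the gap check over the sample data for the Q2 2026 reporting period."""
    return find_gaps(ASSESSMENT_LOG, ACKNOWLEDGMENTS, date(2026, 4, 1), date(2026, 6, 30))
```

Each returned string is one item to resolve (acknowledge the finding, add the compensating-control description, or account for the missing evaluation) before generating the final PDF.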
Important Disclaimer
BreachSpider generates the evidence package. It provides the data, the documentation, and the formatted evidence. Your authorized representative must review and sign it. The package supports your compliance program -- it does not replace a qualified compliance professional, registered entity compliance program, or legal counsel.
Generating the Report
- Navigate to Reports > Generate Report.
- Select NERC CIP Evidence Package.
- Select the environment (one per report -- one per BES Cyber System).
- Set the reporting period (e.g., Q2 2026: 2026-04-01 to 2026-06-30).
- Click Generate.
The report may take 45-60 seconds due to the comprehensive data compilation and SAGE narration for each section.