The Bulk Power System of the United States must comply with NERC standards CIP-002 through CIP-009.

The standards are setup so that CIP-002 has a significant influence over the need for standards CIP-003 through CIP-009. It requires a regulated entity to use a risk-based assessment methodology (RBAM) to identify critical assets. In other words, a RBAM is meant to set how much of an environment is within scope of review.

This is not a unique approach. If you are familiar with PCI this is like saying a regulated entity has to determine the systems that process, transmit or store cardholder data to set the scope.

Unfortunately NERC, in their December 2010 Sufficiency Review, says entities are failing to properly identify and document their critical assets.

As a result of audits conducted over the past couple of years through the CIP compliance monitoring program, NERC has found instances where entity methodologies are not sufficiently comprehensive to produce a complete and accurate list of critical assets. This suggests greater clarity is needed in either NERC standards or industry guidelines to provide a more accurate identification of entity critical assets. While in many cases, functional entities had similar methodologies, substantial differences were evident even amongst entities within the same registered function. In certain cases, this has led to audit findings of non-compliance.