Last year saw “significant progress” for the ERO Enterprise’s Compliance Monitoring and Enforcement Program (CMEP) and Organization Registration and Certification Program (ORCP), NERC said in the programs’ Annual Report released last month.
The annual reports, released each February, are intended to help NERC and the regional entities track their progress “aligning CMEP and ORCP activities across the ERO Enterprise,” along with identifying trends in resolving violations of NERC’s reliability standards. Starting this year, NERC plans to supplement the annual report with a mid-year report released in August.
According to the report, REs processed 383 instances of noncompliance assessed at either moderate or serious risk last year. This represents a five-year record, although it totals only six more violations than were filed the previous year.
While total noncompliances rose slightly in 2022, the number of repeat violations reported fell. Repeat noncompliance in the report was divided into incidents involving compliance history — referring to “a relevant prior violation of the same or similar reliability standard and requirement” — and aggravation history, defined as “a prior violation that stemmed from similar actions or conduct.”
The 10 standards that accounted for the highest number of noncompliances assessed as moderate or serious risk in 2022. | NERCCases with compliance history fell to 198 last year, from 216 in 2021, while the number of cases with aggravation history dropped more both proportionately and in absolute terms, declining from 83 to 54. NERC pointed out that aggravation history averaged around 19% of all moderate and serious noncompliance cases over the last five years.
NERC’s Critical Infrastructure Protection (CIP) standards accounted for seven of the top 10 most violated standards in 2022, just as they did in 2020 and 2021, according to last year’s report. CIP-007-6 (Cybersecurity — systems security management) garnered the most violations with 108, nearly twice as many as the next most cited standard, CIP-010-4 (Cybersecurity — configuration change management and vulnerability assessments). CIP-004-6 (Cybersecurity — personnel and training) came next, with 37 infringements; the same three standards, in the same order, represented the most violations in 2020 and 2021 as well.
The ERO noted that it achieved “substantial reductions” in the volume of unprocessed noncompliance issues last year, having processed “nearly 70% of its open noncompliance from 2019 and earlier and nearly 50% of its noncompliance from 2021 and earlier.” At the end of 2022, out of NERC’s 2,903 open cases, 1,608 — about 55% — were submitted in 2022; the oldest open cases were from 2017, but this represented only three of the total.
Nine in 10 noncompliance issues reported in 2022 were discovered internally, more than at any time in the last five years. The remaining 10% were found either through compliance audits or spot-checks.
Along with enforcement figures, the ERO also included other highlights from last year such as the ongoing implementation of the Align software tool for processing audits, investigations, and other compliance activities, and the ERO Secure Evidence Locker.
Release 4 of Align deployed in the second quarter of the year, with release 4.1 and 4.5 following in the third and fourth quarters respectively. The January issue of NERC’s Align newsletter said release 4.5 is “the final release planned under the current business case,” though the software will continue to be updated under a governance model adopted last year.
The report also listed the CMEP and ORCP priorities for 2023. These include continuing to deliver enhancements to Align, focusing on efficient resolution of noncompliance, tracking completion of registered entities’ compliance oversight plans, and pursuing consistency efforts on penalties, mitigation, training exercises, documentation, and risk assessments.
