What CIP-013-4 Changes
The proposed revision expands R1 applicability to high and medium impact BES Cyber Systems and their associated EACMS, PACS, PCAs, and SCI.
The driver is FERC Order No. 912, which directs the application of SCRM protections to Protected Cyber Assets associated with medium-and high-impact BES Cyber Systems. SCI was already pulled in under the prior virtualization revision, so for most entities, the practical net-new asset class is PCAs: cyber assets inside an Electronic Security Perimeter that share the trust zone but are not part of the BES Cyber System itself.
These assets were previously outside the scope of CIP-013. Now they are in it.
Examples of PCAs to account for:
- Engineering workstations and maintenance laptops used inside the ESP
- Jump hosts, terminal servers, and remote-access gateways
- Antivirus and patch management servers, such as a WSUS server
- Logging and monitoring systems, including syslog servers and SIEM collectors
- File, backup, and print servers within the ESP
- Domain controllers, DNS, and NTP servers inside the ESP
The Three R1 Changes That Carry Operational Weight
Pre-deployment assessment refresh (R1.3)
Re-run the risk assessment before deploying products or services, including spare equipment and emergency repairs, when the most recent assessment is older than 24 months for high-impact systems or 36 months for medium-impact systems.
Post-deployment reassessment (R1.3)
Periodically reassess vendors, products, and services procured under existing contracts, capturing supply chain risks that develop or change after the contract commences.
Document, track, respond (R1.5)
Document, track, and respond to every supply chain risk identified through the Part 1.1, 1.3, and 1.4 assessments. The response trail becomes auditable evidence.
How Fortress Helps You Get Ahead of CIP-013-4
Fortress lets regulated utilities operationalize CIP-013-4 readiness inside one platform:
- Automated assessment triggers when a vendor's last-assessed date crosses the 24 or 36 month line, so no deployment relies on a stale assessment
- A recurring reassessment cadence tied to contract milestones, capturing post-deployment risk as it emerges
- A Risk Register that consolidates findings from Parts 1.1, 1.3, and 1.4 into a single, audit-ready record
The result is documented supply chain risk reduction, mapped to the assets that keep the grid running, ready for audit.
