The proposed revision expands R1 applicability to high and medium impact BES Cyber Systems and their associated EACMS, PACS, PCAs, and SCI.
The driver is FERC Order No. 912, which directs the application of SCRM protections to Protected Cyber Assets associated with medium-and high-impact BES Cyber Systems. SCI was already pulled in under the prior virtualization revision, so for most entities, the practical net-new asset class is PCAs: cyber assets inside an Electronic Security Perimeter that share the trust zone but are not part of the BES Cyber System itself.
These assets were previously outside the scope of CIP-013. Now they are in it.
Examples of PCAs to account for:
Re-run the risk assessment before deploying products or services, including spare equipment and emergency repairs, when the most recent assessment is older than 24 months for high-impact systems or 36 months for medium-impact systems.
Periodically reassess vendors, products, and services procured under existing contracts, capturing supply chain risks that develop or change after the contract commences.
Document, track, and respond to every supply chain risk identified through the Part 1.1, 1.3, and 1.4 assessments. The response trail becomes auditable evidence.
Fortress lets regulated utilities operationalize CIP-013-4 readiness inside one platform:
The result is documented supply chain risk reduction, mapped to the assets that keep the grid running, ready for audit.