The Anfield Group’s very popular mappings of NERC CIP Version 3 to Version 5 and the SANS Top 20 Critical Controls have been updated into a new poster that maps NERC CIP Version 3 to Version 5, the SANS Top 20 Critical Controls, and the NIST SP 800 series publications. The idea has always been to provide our constituents with a sustainable, security-focused picture that fosters our signature “compliance as a by-product of security and operational best practices” mantra as the only sustainable approach to balancing regulatory, security, and operational obligations.
With our previous mappings, we introduced many of you to the application of the SANS Top 20 Critical Controls as a NIST starting point or “Cliff’s Notes” for everyone unfamiliar with NIST. Now that many of you have become familiar with the SANS Top 20 combined with the very minimal correlation of NIST to NERC CIP Version 5, TAG still believes that NIST is the only validated security framework that will sustain organizations far beyond any regulatory mandate. With that in mind, we have provided a very detailed listing of the applicable NIST 800 Series publications and guidelines as the end game for security. The idea is that NERC-registered entities can start by establishing a foundation of security with NERC CIP while building their entire program to respond to an eventual full NIST implementation. This visual resource also effectively demonstrates how seamless that transition can be, contrary to the misconception throughout the industry that NIST is “too granular” or that insufficient resourcing prevents the enablement of a forward-thinking strategy focused on NIST. Get your copy HERE.