| Requirement A | Requirement B | OLIR Label | RF Predicted | AM Predicted | Summary |
|---|---|---|---|---|---|
| NIST-ID.SC-1 | CIP-013-2-R1 | Harmonisable | Harmonisable (100%) | Strong structural alignment | Shared claim, grounds and warrant: “Organizational stakeholders must agree to and implement cybe…” ↔ “Develop and implement documented supply chain cyber security…” |
| NIST-PR.PT-2 | CIP-011-2-R2 | Not harmonisable | Harmonisable (63%) | Moderate structural alignment | Shared grounds: “Removable media can be used to introduce malware or exfiltra…” |
| NIST-PR.AC-4 | CIP-004-6-R4 | Harmonisable | Harmonisable (99%) | Moderate structural alignment | Shared grounds: “Access to sensitive resources and data must be restricted…” |
| NIST-PR.AT-2 | CIP-005-7-R2 | Not harmonisable | Not harmonisable (62%) | Moderate structural alignment | Shared grounds: “Understanding roles and responsibilities is essential for se…” |
| NIST-DE.CM-7 | CIP-003-8-R2 | Harmonisable | Not harmonisable (60%) | Moderate structural alignment | Grounds not extracted |
| NIST-PR.AT-4 | CIP-003-8-R4 | Harmonisable | Not harmonisable (87%) | Moderate structural alignment | Shared grounds: “Senior executives have specific roles and responsibilities…” |
| NIST-PR.IP-10 | CIP-008-6-R2 | Harmonisable | Harmonisable (96%) | Partial structural alignment | Shared grounds: “Response and recovery plans are critical to maintaining busi…” |
| NIST-RS.CO-1 | CIP-004-7-R2 | Harmonisable | Harmonisable (61%) | Partial structural alignment | Shared grounds: “A defined order of operations is necessary for effective res…” |
| NIST-PR.AT-4 | CIP-008-6-R4 | Not harmonisable | Not harmonisable (91%) | Partial structural alignment | Shared grounds: “Senior executives have specific roles and responsibilities…” |
| NIST-PR.DS-2 | CIP-005-7-R2 | Harmonisable | Harmonisable (51%) | Partial structural alignment | Shared grounds: “Protection of data in transit is necessary to prevent unauth…” |
| NIST-PR.AC-5 | CIP-011-3-R1 | Not harmonisable | Harmonisable (57%) | Partial structural alignment | Shared grounds: “Network segregation and segmentation are effective methods f…” |
| NIST-DE.CM-6 | CIP-005-7-R3 | Harmonisable | Harmonisable (83%) | Partial structural alignment | Shared grounds: “External service providers have access to internal systems a…” |
| NIST-ID.BE-1 | CIP-002-5.1a-R1 | Not harmonisable | Not harmonisable (85%) | Minimal structural alignment | Shared grounds: “Supply chain roles and responsibilities must be clearly defi…” |
| NIST-ID.AM-2 | CIP-010-4-R1 | Harmonisable | Not harmonisable (57%) | Minimal structural alignment | Grounds not extracted |
| NIST-ID.RA-2 | CIP-008-6-R4 | Not harmonisable | Harmonisable (54%) | Minimal structural alignment | Grounds not extracted |

Argument-role detail for each pair (Toulmin roles: CLAIM, GROUNDS, WARRANT, QUALIFIER, BACKING; role similarity rated HIGH, MED, LOW or WEAK):

NIST-ID.SC-1 ↔ CIP-013-2-R1 (Strong structural alignment)
A: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
B: R1: develop one or more documented supply chain cyber security risk management plans. R1.1: processes in planning procurement of BES Cyber Systems and their associated EACMS and PACS, and identify/assess risks from vendor products or services. R1.2: processes in procuring BES Cyber Systems and associated E…
CLAIM (security objectives partially overlap, MED): “Organizational stakeholders must agree to and implement cyber supply chain risk management processes” ↔ “Develop and implement documented supply chain cyber security risk management plans”
GROUNDS (evidence base shared, HIGH): “Cyber supply chain risks must be identified and assessed” ↔ “Supply chain risks from vendor products or services must be identified and assessed”
WARRANT (risk reasoning shared, HIGH): “Unmanaged cyber supply chain risks can lead to significant organizational harm” ↔ “Unmanaged supply chain risks can lead to cyber security breaches and incidents”
QUALIFIER (applicability scopes differ): “Applies to organizational stakeholders responsible for cyber supply chain risk management” vs “Applies to procurement of BES Cyber Systems and their associated EACMS and PACS”. Requirements may not be co-applicable within the same control boundary.
BACKING: Shared authority: NIST SP 800-161

NIST-PR.PT-2 ↔ CIP-011-2-R2 (Moderate structural alignment)
A: Removable media is protected and its use restricted according to policy.
B: R2: implement documented processes that collectively include the applicable requirements for BES Cyber Asset reuse and disposal. R2.1: prior to reuse, take action to prevent unauthorized BCSI retrieval from data storage media. R2.2: prior to disposal, take action to prevent unauthorized BCSI retrieval from…
CLAIM (no shared security objective, WEAK): “Removable media must be protected and its use restricted” ↔ “Implement documented processes for BES cyber asset reuse and disposal”
GROUNDS (evidence bases differ, LOW): “Removable media can be used to introduce malware or exfiltrate sensitive data” ↔ “Unauthorized BCSI retrieval from data storage media must be prevented”
WARRANT (risk reasoning diverges, LOW): “Unauthorized or uncontrolled use of removable media can lead to security breaches” ↔ “Unauthorized access to BCSI can occur through reused or disposed cyber assets”
QUALIFIER (applicability scopes differ): “Applies to all removable media used within the organization” vs “Applies to BES cyber assets prior to reuse or disposal”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.AC-4 ↔ CIP-004-6-R4 (Moderate structural alignment)
A: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
B: R4: implement documented access management programs. R4.1: process to authorize, based on need, electronic access, physical access, and information storage access. R4.2: verify that individuals with active electronic or physical access have authorization records. R4.3: verify user accounts, user account groups, or user role categ…
CLAIM (no shared security objective, WEAK): “Access permissions and authorizations must be managed with least privilege and separation of duties” ↔ “Implement documented access management programs”
GROUNDS (evidence bases differ, LOW): “Access to sensitive resources and data must be restricted” ↔ “Access to electronic, physical, and information storage must be authorized based on need”
WARRANT (risk reasoning partially overlaps, MED): “Excessive access permissions increase the risk of unauthorized access and data breaches” ↔ “Unauthorized access creates security risks and potential breaches”
QUALIFIER (applicability scopes differ): “Applies to all users, processes, and systems accessing sensitive resources and data” vs “Applies to electronic, physical, and information storage access”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.AT-2 ↔ CIP-005-7-R2 (Moderate structural alignment)
A: Privileged users understand their roles and responsibilities.
B: R2: implement documented processes that collectively include applicable requirements for remote access management. R2.1: Interactive Remote Access uses an Intermediate System. R2.2: Interactive Remote Access sessions utilize encryption terminating at the Intermediate System. R2.3: require multi-factor authenticati…
CLAIM (no shared security objective, WEAK): “Privileged users must understand their roles and responsibilities” ↔ “Implement documented processes for remote access management”
GROUNDS (evidence bases differ, LOW): “Understanding roles and responsibilities is essential for secure operations” ↔ “Encryption and multi-factor authentication are essential for secure remote access”
WARRANT (risk reasoning partially overlaps, MED): “Lack of understanding can lead to unintentional security breaches or misuse of privileges” ↔ “Unmanaged remote access can lead to security breaches and data compromise”
QUALIFIER (applicability scopes differ): “Applies to all privileged users within the organization” vs “Applies to all remote access sessions, including interactive and system-to-system access”. Requirements may not be co-applicable within the same control boundary.

NIST-DE.CM-7 ↔ CIP-003-8-R2 (Moderate structural alignment)
A: Monitoring for unauthorized personnel, connections, devices, and software is performed.
B: R2: implement documented cyber security plans for its low impact BES Cyber Systems that include the sections in Attachment 1; Section 5: Transient Cyber Asset and Removable Media malicious code risk mitigation.
CLAIM (security objectives differ, LOW): “Monitoring for unauthorized entities must be performed” ↔ “R2 must implement documented cyber security plans for its low impact BES cyber systems”
GROUNDS (evidence base not extracted, WEAK): — ↔ —
WARRANT (risk reasoning diverges, LOW): “Unauthorized access can lead to data breaches, system compromise, or other security incidents” ↔ “Undocumented or inadequate plans can lead to increased risk of cyber security breaches”
QUALIFIER (applicability scopes differ): “Applies to all personnel, connections, devices, and software within the monitored environment” vs “Applies to low impact BES cyber systems”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.AT-4 ↔ CIP-003-8-R4 (Moderate structural alignment)
A: Senior executives understand their roles and responsibilities.
B: R4: process to approve and document delegation of authority, including specific actions delegated, name or title of delegate, date of delegation, and updates for any change.
CLAIM (security objectives differ, LOW): “Senior executives must understand their roles and responsibilities” ↔ “Delegation of authority must be approved and documented through a formal process”
GROUNDS (evidence bases differ, LOW): “Senior executives have specific roles and responsibilities” ↔ “Specific details of delegation must be recorded, including actions, delegate, and date”
WARRANT (risk reasoning diverges, LOW): “Lack of understanding can lead to ineffective decision-making and governance” ↔ “Informal or undocumented delegation can lead to confusion, errors, or unauthorized actions”
QUALIFIER (applicability scopes differ): “Applies to senior executives” vs “Applies to all delegations of authority within the organization”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.IP-10 ↔ CIP-008-6-R2 (Partial structural alignment)
A: Response and recovery plans are tested.
B: R2: implement documented Cyber Security Incident response plans that collectively include applicable requirements for Cyber Security Incident response plan implementation and testing. R2.1: test plans by responding to an actual Reportable Cyber Security Incident, a paper drill or tabletop exercise, or an…
CLAIM (security objectives differ, LOW): “Response and recovery plans must be tested” ↔ “Implement documented cyber security incident response plans”
GROUNDS (evidence bases differ, LOW): “Response and recovery plans are critical to maintaining business continuity” ↔ “Cyber security incident response plans are necessary for effective response”
QUALIFIER (applicability scopes differ): “Applies to all response and recovery plans” vs “Applies to collective plans that include applicable requirements for implementation and testing”. Requirements may not be co-applicable within the same control boundary.

NIST-RS.CO-1 ↔ CIP-004-7-R2 (Partial structural alignment)
A: Personnel know their roles and order of operations when a response is needed.
B: R2: implement cyber security training programs for individual roles, functions, or responsibilities. R2.1: collectively includes cyber/physical security policies, physical/electronic access controls, visitor controls, handling and storage of system information, incident response and reporting, recovery…
CLAIM (no shared security objective, WEAK): “Personnel must know their roles and order of operations during a response” ↔ “Implement cyber security training programs for individual roles, functions, or responsibilities”
GROUNDS (evidence bases differ, LOW): “A defined order of operations is necessary for effective response” ↔ “Cyber security training is necessary for protecting cyber assets and preventing security breaches”
WARRANT (risk reasoning diverges, LOW): “Lack of role clarity and operational order can lead to confusion and ineffective response” ↔ “Inadequate training can lead to human error and increased vulnerability to cyber threats”
QUALIFIER (applicability scopes differ): “Applies to personnel involved in incident response” vs “Applies to individual roles, functions, or responsibilities”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.AT-4 ↔ CIP-008-6-R4 (Partial structural alignment)
A: Senior executives understand their roles and responsibilities.
B: R4: notify national organizations in accordance with applicable requirements for notifications and reporting for Cyber Security Incidents. R4.1: initial notifications and updates to include, at a minimum: (1) the functional impact; (2) the attack vector used; (3) the level of intrusion achieved or attempted.
CLAIM (no shared security objective, WEAK): “Senior executives must understand their roles and responsibilities” ↔ “National organizations must be notified in accordance with applicable requirements for cybersecurity incident notifications and reporting”
GROUNDS (evidence bases differ, LOW): “Senior executives have specific roles and responsibilities” ↔ “Initial notifications and updates must include specific details about the incident”
WARRANT (risk reasoning diverges, LOW): “Lack of understanding can lead to ineffective decision-making and governance” ↔ “Timely and accurate notification enables effective response and mitigation of cybersecurity incidents”
QUALIFIER (applicability scopes differ): “Applies to senior executives” vs “Applies to cybersecurity incidents requiring notification and reporting”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.DS-2 ↔ CIP-005-7-R2 (Partial structural alignment)
A: Data in transit is protected.
B: R2: implement documented processes that collectively include applicable requirements for remote access management. R2.2: Interactive Remote Access sessions utilize encryption terminating at the Intermediate System.
CLAIM (no shared security objective, WEAK): “Data in transit must be protected” ↔ “Implement documented processes for remote access management that include encryption for interactive remote access sessions”
GROUNDS (evidence base partially overlaps, MED): “Protection of data in transit is necessary to prevent unauthorized access” ↔ “Encryption is necessary to protect data transmitted during interactive remote access sessions”
WARRANT (risk reasoning diverges, LOW): “Unprotected data in transit can be intercepted, read, or modified by unauthorized parties” ↔ “Unencrypted remote access sessions can be intercepted and exploited by adversaries”
QUALIFIER (applicability scopes differ): “Applies to all data in transit, regardless of the transport method or protocol” vs “Applies to interactive remote access sessions”. Requirements may not be co-applicable within the same control boundary.

NIST-PR.AC-5 ↔ CIP-011-3-R1 (Partial structural alignment)
A: Network integrity is protected (e.g., network segregation, network segmentation).
B: R1: implement documented information protection programs that collectively include each applicable requirement for information protection. R1.1: methods to identify information. R1.2: methods to protect and secure system information confidentiality.
CLAIM (no shared security objective, WEAK): “Network integrity must be protected” ↔ “Implement documented information protection programs”
GROUNDS (evidence bases differ, LOW): “Network segregation and segmentation are effective methods for protecting network integrity” ↔ “A documented program is necessary for effective information protection”
WARRANT (risk reasoning diverges, LOW): “Unauthorized access to networks can lead to data breaches and system compromise” ↔ “Undocumented or ad-hoc information protection methods can lead to security breaches”
QUALIFIER (applicability scopes differ): “Applies to all networks” vs “Applies to information that requires protection”. Requirements may not be co-applicable within the same control boundary.

NIST-DE.CM-6 ↔ CIP-005-7-R3 (Partial structural alignment)
A: External service provider activity is monitored to detect potential cybersecurity events.
B: R3: implement documented processes that collectively include applicable requirements for vendor remote access management for EACMS and PACS. R3.1: methods to determine authenticated vendor-initiated remote connections. R3.2: methods to terminate vendor-initiated remote connections and control reconnection.
CLAIM (no shared security objective, WEAK): “External service provider activity must be monitored to detect potential cybersecurity events” ↔ “Implement documented processes for vendor remote access management”
GROUNDS (evidence base partially overlaps, MED): “External service providers have access to internal systems and data” ↔ “Vendor remote access to EACMS and PACS systems requires management”
QUALIFIER (applicability scopes differ): “Applies to all external service providers with access to internal systems and data” vs “Applies to EACMS and PACS systems”. Requirements may not be co-applicable within the same control boundary.

NIST-ID.BE-1 ↔ CIP-002-5.1a-R1 (Minimal structural alignment)
A: The organization's role in the supply chain is identified and communicated.
B: R1: implement a process that considers these assets for Parts 1 through 3: (i) control centers and backup control centers; (ii) transmission stations and substations; (iii) generation resources; (iv) systems for restoration, including blackstart and cranking paths; (v) special protection systems; specifically identified…
CLAIM (no shared security objective, WEAK): “Organization's role in the supply chain must be identified and communicated” ↔ “Implement a process to identify and consider high, medium, and low impact BES cyber systems”
GROUNDS (evidence bases differ, LOW): “Supply chain roles and responsibilities must be clearly defined” ↔ “Generation resources and special protection systems must be considered for BES cyber system identification”

NIST-ID.AM-2 ↔ CIP-010-4-R1 (Minimal structural alignment)
A: Software platforms and applications within the organization are inventoried.
B: R1: implement documented processes that collectively include the applicable requirements for configuration change management. R1.1: develop a baseline configuration, which includes: (1) operating system or firmware; (2) commercial or open source software installed; (3) custom software; (4) logical network accessible port…
CLAIM (no shared security objective, WEAK): “The organization must inventory software platforms and applications” ↔ “Implement documented processes for configuration change management”
GROUNDS (evidence base not extracted, WEAK): — ↔ —
QUALIFIER (applicability scopes differ): “Applies to software platforms and applications within the organization” vs “Applies to applicable systems and configurations”. Requirements may not be co-applicable within the same control boundary.

NIST-ID.RA-2 ↔ CIP-008-6-R4 (Minimal structural alignment)
A: Cyber threat intelligence is received from information sharing forums and sources.
B: R4: notify national organizations in accordance with applicable requirements for notifications and reporting for Cyber Security Incidents. R4.1: initial notifications and updates to include, at a minimum: (1) the functional impact; (2) the attack vector used; (3) the level of intrusion achieved or attempted.
CLAIM (security objectives differ, LOW): “Cyber threat intelligence must be received from information sharing forums and sources” ↔ “National organizations must be notified in accordance with applicable requirements for cybersecurity incident notifications and reporting”
GROUNDS (evidence base not extracted, WEAK): — ↔ —
QUALIFIER (applicability scopes differ): “Applies to cyber threat intelligence relevant to the organization's systems and assets” vs “Applies to cybersecurity incidents requiring notification and reporting”. Requirements may not be co-applicable within the same control boundary.

Generated by NeSy-AM • 2026-05-19 02:04 UTC