A NERC expert posed 10 questions about Karta’s NERC Compliance Management Solution. Read on for the answers.

Q. Does the tool offer a comprehensive mapping of NERC CIP and O&P requirements, including the latest updates and revisions, to help utilities maintain up-to-date compliance?

A. The quarterly NERC data update includes all past, current, and future versions of NERC requirements. It also includes direct hyperlinks to the current, full text of the published standard and the most current version of the RSAW.

Q. Does the Karta NERC Compliance Solution provide features for managing and documenting policies, procedures, and risk assessments related to NERC CIP compliance?

A. Yes. The solution includes robust capabilities for managing policies, procedures, and other commonly required documentation, including revision history and linkage to external repository locations. The solution includes an issues management application, and existing spreadsheet-based risk assessments can be loaded into the system via data import for online delivery to stakeholders.

Q. How does the Karta NERC Compliance Solution support implementing and managing operational, physical, and cyber security internal controls?

A. The solution includes references to a dedicated Control Standard application. Control standards allow system users to document the ownership, testing frequency, revision history and regulatory relationships. Controls are updated via an automated review workflow and once implemented can be set to a testing frequency to ensure evidence is reviewed and gathered on a scheduled basis.

Q. How does the Karta NERC Compliance Solution facilitate generating and managing evidence required to demonstrate compliance during audits, including documentation, records, and system configurations?

A. The Karta NERC Compliance Solution provides a secure repository for uploading final versions of evidence, supporting all common file types. Once uploaded into the solution, users can provide context and metadata (descriptions, version numbers, associations to technologies, processes, facilities, etc.) and then associate the files with the related NERC requirements. If desired, evidence can pass through an approval workflow to validate that assigned users approve and attest to the accuracy of the information.

Q. Can the Karta NERC Compliance Solution facilitate collaboration and communication among different departments and stakeholders?

A. Yes. The Karta NERC Compliance Solution enables organizations to collaborate online to review and approve evidence, report and investigate issues of noncompliance, and partner to resolve common NERC recurring activities and other processes associated with compliance.

Q. How does the Karta NERC Compliance Solution assist with the management of deadlines, milestones, and action items?

A. For workflow processes within the system, reminder notifications alert individuals when assigned tasks are created and as they approach the due date. For items that pass the due date, escalation notifications can be sent to listed individuals to ensure attention is focused on critical actions. Beyond notifications, the solution includes graphical dashboards that highlight items approaching (and passing) due dates so leadership can have a single pane of glass for managing responsibilities.

Q. Can the tool be easily integrated with existing systems and processes within the utility, minimizing disruption and ensuring a smooth implementation?

A. Yes. The Karta NERC Compliance Solution includes the ability to create integrations with existing systems to allow solution data to receive updates and to push data when needed. The system includes a full-service API that can be referenced to establish a wide variety of data connections.

Q. What support, training, and ongoing assistance does Karta provide to ensure successful implementation and use of the compliance management tool?

A. To ensure the successful implementation and use of the Karta NERC Compliance Solution, Karta offers a training regime starting with highly collaborative, experiential learning during the software implementation, followed by optional administrator training (provided by our platform partners Archer or Onspring) and ongoing support via access to an online training portal whereby existing and new system users can view training specific to the solution’s core workflows and processes.

Q. Can the Karta NERC Compliance Solution integrate with other compliance frameworks and regulatory standards that may apply to the organization, providing a comprehensive and unified approach to compliance management?

A. The Karta NERC Compliance Solution, when paired with our platform partner’s Policy and Compliance solutions (Archer and Onspring), offers organizations the ability to manage a unified framework for managing compliance. NERC requirements can be mapped with requirements from other disciplines, such as the NIST CSF or PCI, through common control standards. This enables organizations to “test once and apply many” the results of the ongoing compliance efforts.