AWS Config adds new conformance pack template for North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) BES Cyber System Information (BCSI)

AWS Config now offers a new conformance pack that helps utilities using AWS for BES Cyber System Information (BCSI) to manage configuration compliance of their AWS resources at scale – from policy definition to auditing and aggregated reporting – using a common framework and packaging model.

The Operational Best Practices for NERC CIP BCSI conformance pack can help utilities monitor and assess security and governance controls associated with CIP-004-7 Requirement 6 – Access Management for BES Cyber System Information (BCSI) & CIP-011-3 Requirement 1 – Information Protection Program for NERC CIP BCSI. In December 2021, FERC approved revisions to CIP-004 and CIP-011 that clarify the requirements for using third-party solutions such as cloud services.

Conformance packs are a collection of AWS Config rules and remediation actions that can be grouped and deployed together as a package across an entire organization. This is particularly useful to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way. The conformance pack can continually run to identify changes or deviations that can be assessed by customers to determine if remediation is necessary.

The conformance pack includes more than 60 AWS Config rules that can help to ensure that access control best practices and data protection controls are implemented including encrypting data at rest and in transit, and protection against exposure of data.

For example, to support data protection, the conformance pack identifies unencrypted storage volumes or publicly exposed Amazon Simple Storage Service (Amazon S3) buckets. Utilities can create Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) notifications to receive a text or email notification about changes in their environment that do not align with the controls in the conformance pack so that they can assess them and determine if remediation is necessary.

Disclaimer: Customers are responsible for making their own independent assessment of conformance pack templates, and the AWS Config rules and remediation actions included in any such template, in connection with assessing compliance with any governance framework or standard. Conformance packs provide a general-purpose compliance framework to help you create security, operational or cost-optimization governance checks using managed or custom AWS Config rules and Automation documents.

The conformance pack sample templates provided by AWS are intended to give you a head start in creating your own conformance packs with different or additional rules, input parameters and remediation actions that suit your environment. Sample templates, including those related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard and can neither replace your internal efforts nor guarantee that you will pass a compliance assessment.