Federal regulatory compliance obligations are complex and time-consuming. Minimize your utility’s workload and risk profile by bringing in AESI-US, Inc. to meet your obligations for NERC Critical Infrastructure Protection (CIP), NERC Operations & Planning (O&P), NIST Cybersecurity, and Privacy regulations.
Turn to AESI-US, Inc. for sustainable compliance risk management
As a regulatory compliance and cybersecurity partner of Hometown Connections, Inc., AESI provides practical, cost-effective regulatory compliance services tailored to meet your utility’s needs.
AESI compliance assurance focuses on supporting the foundation of a good compliance program, promoting a culture of compliance and managing an organization’s risk. We assist organizations by identifying risks and closing gaps in compliance processes, documenting those processes that achieve and sustain compliance, implementing internal controls to monitor compliance, and utilizing software tools to reduce risk and the compliance burden.
Like any foundation, it must be checked for gaps that can cause the structure to break down. AESI helps utilities build, maintain and assess the foundations of their reliability compliance programs. The AESI Gap Assessment identifies areas of risk along with recommendations to remedy them, providing actionable value. Identified risks are assigned a severity using a color-coded dashboard that gives the compliance and management team an at-a-glance review of the assessment results. We interact with compliance staff and Subject Matter Experts (SMEs) to better understand existing processes and internal controls while providing real-time feedback regarding the organization’s compliance posture.
Regulatory Compliance Programs (RCPs)
A well-designed Regulatory Compliance Program (RCP) is fundamental to achieving and maintaining compliance. It illustrates leadership, establishes governance, outlines actions, and defines accountabilities that help drive organizational acceptance of compliance obligations. Using a risk-based approach, AESI works with utilities of all sizes to design and implement their overall strategy and central tenets for an effective and sustainable RCP, establishing their organizational structure, and developing their compliance policies, procedures, internal controls, and training programs.
Policies, Plans & Procedures
A vital facet of a well-designed Regulatory Compliance Program (RCP) is the compliance documentation framework — the policies, plans, procedures and other related documents that collectively support and sustain a healthy compliance posture. AESI can create, review and update an organization’s compliance documentation framework to address the latest regulatory compliance obligations and the most current internal organizational processes to meet those obligations.
Internal Controls & Evaluation
Internal controls enable utilities to achieve a proactive compliance program by preventing, detecting, and correcting compliance-related issues. Solid internal controls improve operational and compliance performance. AESI performs Internal Control Evaluations (ICE) to assess the effectiveness of an organization’s internal controls program toward the goal of achieving reasonable assurance of meeting compliance objectives. We follow the NERC ERO Enterprise guide when performing ICE to ensure consistency with regional ICE activities. Although written by NERC, this guide is based on broad industry best practices and is equally applicable to other regulatory frameworks and requirements. AESI also works with organizations to design, document and integrate internal controls into their compliance programs.
Cyber Vulnerability Assessment (CVA)
Receive a thorough and accurate cyber risk profile with a prioritized list of recommendations and action plans. The growing dependence of critical infrastructure and industrial automation on cyber-based control systems has resulted in a growing and previously unforeseen cybersecurity threat to Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). AESI conducts Cyber Vulnerability Assessments (CVA) and penetration testing that allow utilities to identify and mitigate cyber vulnerabilities. AESI offers CVAs in alignment with industry cybersecurity standards such as NERC CIP, ISO 27001, NIST and security best practices, leveraging structured and proven assessment methodologies.
Audit Preparedness – Mock Audits & Witness Preparation
AESI has performed numerous audits of regulatory compliance programs, both as a virtual auditor on behalf of the organizations and as an actual auditor on behalf of the regulating bodies. We have audit experience in NERC Critical Infrastructure Protection (CIP) and NERC Operations & Planning (O&P) across the entire spectrum of entity types (Generators, Transmitters, Distributors and System Operators).
Our Mock Audit approach emulates the “true” audit process, conducted with greater rigor and detail than actual auditors apply. Similar to our Gap Assessment methodology, we utilize leading industry best practices to produce meaningful, easy-to-understand reports with practical and operationally viable recommendations for implementation. Areas of compliance risk are identified and assigned a severity using a color-coded dashboard. We interview compliance staff and Subject Matter Experts (SMEs) to assess their knowledge and approach to auditor questions while providing real-time feedback and guidance that prepare them to act as actual witnesses in front of real auditors.
AESI also offers standalone Witness Preparation services independent of a Mock Audit. We perform training, review actual RSAWs with staff and SMEs, pose interview questions, discuss and review responses and provide valuable guidance. It is our goal to ensure that your team is well prepared for its next audit engagement.
Compliance Management Tools
Regulatory compliance activities and obligations are tedious and time-consuming for many. Utilities struggle to achieve, sustain and monitor compliance, which leads to reactive compliance programs.
The AESI Compliance Management Tools Assessment involves an in-depth review of implemented software tools and systems that are used to support and facilitate an organization’s compliance activities and obligations. Compliance staff, Subject Matter Experts (SMEs), and staff in supporting roles are interviewed to identify their compliance tool needs. Spanning the most basic of spreadsheets to the more complex Compliance Management Systems (CMS), AESI identifies pain points and makes recommendations for both existing and new compliance tools that will help achieve and sustain proactive compliance programs.
We believe risk-based compliance advisory and monitoring is the primary focus in the industry: putting time and resources where the most significant risks exist. Regardless of the type of engagement, AESI assumes the role of a Virtual Auditor and Subject Matter Expert to identify any potential compliance risks or deficiencies in an unbiased and informative manner, while providing detailed recommendations for remediation and mitigation.
Ad-Hoc Advisory & Support Service
Compliance requirements can sometimes be complicated and time-consuming to interpret and address. Resource and time constraints are frequently a challenge. Imagine having additional staff and Subject Matter Experts (SMEs) on call and available when the need arises. AESI offers an Ad-Hoc Advisory & Support service to augment an organization’s compliance team. Our team will be available to respond to questions and any related compliance requests. The service is structured as a no-fee retainer with no upfront costs to the organization.
The Ad-Hoc Advisory & Support service may include, but is not limited to:
- Interpreting regulatory requirements
- Providing and/or researching information on any regulatory compliance related topic
- Creating or updating Regulatory Compliance Program (RCP) policies, procedures and plans
- Reviewing evidentiary items to demonstrate compliance
- Responding to requests from regulatory bodies and Audit Support
- Developing compliance implementation or mitigation plans
- Other ad-hoc requests mutually agreed upon
Should the need arise, our SMEs will come on-site for hands-on compliance support.
Other Advisory Services
AESI can support your organization’s compliance program and posture in many ways.
- Audit Support – respond to audit notices, review and update audit submission packages, respond to Requests for Information (RFIs), act as a member of the compliance team
- Cyber & Physical Security – advise on network configuration & segmentation, recommend systems and tools to enable compliance, design electronic & physical security perimeters, and much more
- Registration, Certification, Deregistration – confirm the requirements and need for registration, assist with certifications, build and present cases in support of deregistration
- Regulatory Compliance Committee Representation – act as an independent third party on internal committees, or represent the organization on external regulatory committees
- Self-Reporting & Mitigation Plans – confirm the need to self-report a potential violation of regulatory requirements and develop mitigation plans to prevent future violations
- Subject Matter Expert & Witness – act as an expert witness in front of regulatory bodies or in hearings
Compliance Implementation Services
Effective organizational integration is built on a foundation of internal controls that aid in managing risks. AESI has assisted numerous organizations of all sizes and operational makeup with their implementation of regulatory compliance obligations. Having staff who previously worked at utilities in various roles implementing compliance requirements, having worked with several organizations to develop Reliability Compliance Programs (RCP), and having performed audits of regulatory requirements for organizations and for regulatory bodies, AESI has gained insights and methods for achieving a practical and sustainable implementation of regulatory requirements.
AESI can provide implementation assistance in the following areas:
NERC Cybersecurity Standards (CIP)
- Cyber Impact Rating Methodology & Determination (CIP-002)
- Cybersecurity Tools & Systems (CIP-003 to 014)
- Supply Chain Risk Management (CIP-013)
- Internal Response Planning and Communications
NERC Operations & Planning Standards (O&P)
- Loss of Control Center Functionality (EOP-008)
- Facility Ratings Methodology & Establishment (FAC-008)
- Systematic Approach to Training Programs (PER-005)
- Protection System Maintenance Programs (PRC-005)
- Relay Loadability Evaluations (PRC-023/025)
NIST Cybersecurity Framework
Hire AESI as your resource for meeting the compliance requirements in a timely and more cost-efficient manner or receive a security strategy with prioritized recommendations aligned with the NIST Cybersecurity Framework.
Managed Compliance Services
Performing and tracking compliance obligations is time-consuming. Time and resources are limited. AESI can lead and manage one or more compliance activities on behalf of an organization.
Quarterly Compliance Briefings
The quarterly Regulatory Compliance Briefing keeps you informed of what’s happening in the regulatory landscape. The briefing provides a summary and analysis of information that is important to your organization, as well as a summary of actions to take as a result of the impending changes. AESI hosts a quarterly conference call to walk your team through the essential items in the briefing, answer any questions, and assign resulting tasks as necessary.
The Regulatory Compliance Briefing summarizes and prioritizes important and relevant regulatory information for the following events and items:
- Important Dates: Lists applicable requirements coming into force with their effective dates or related implementation plan dates, as well as other upcoming important dates
- Reliability Requirement Changes: Summarizes changes to regulatory requirements, advising you of their implication to existing and new compliance documentation
- Regulatory Environment Changes: Apprises you of changes to the governance of the regulatory environment, and to the monitoring and enforcement processes
- Industry Alerts: Interprets industry alerts and advisories on your behalf and provides you with an analysis of the identified issues in plain English along with recommendations to mitigate
- Workshops, Conferences & Webinars: Provides information on upcoming events that may be of interest to your organization
- Information Postings: Provides intelligence on Lessons Learned, Compliance Guidelines, FAQs or other postings that provide guidance on how your organization can and should achieve compliance with regulatory requirements
AESI performs a thorough assessment of compliance concerning the applicable requirements for the self-certification filing, drafts up the self-certification response, and if desired, AESI will submit the self-certification and any supporting documentation to the regulating body on your behalf.
Periodic Data Submittals
For periodic data filings, AESI Compliance SMEs gather the required information from your staff and complete the data submittal forms.
Audit & RFI Submissions
AESI manages the organization’s response to an actual regulatory audit by working with compliance staff and SMEs to coordinate and prepare the audit submission packages, and by responding to audit notifications and Requests for Information (RFIs).
NERC Alert Interpretation & Responses
Take timely and appropriate action utilizing AESI’s Compliance SMEs for interpretations, analyses, and recommendations shortly after a NERC Alert or issued advisory. On your behalf, AESI develops and submits the acknowledgments and any follow-up submittals required by the NERC Alert.
Virtual NERC Compliance Manager(s)
AESI’s Virtual Compliance Manager for NERC compliance is a cost-effective solution for managing your NERC compliance requirements. Along with developing and maintaining your Compliance Calendar, the Virtual NERC Compliance Manager service takes responsibility for providing you with a Regulatory Compliance Briefing and Compliance Monitoring and Reporting, as well as access to SME regulatory assistance on a remote or virtual ad-hoc basis. The scope of this service can be custom tailored to your needs and can incorporate any of AESI’s other regulatory services if needed.
Cybersecurity Patch Management
Streamline your patch management tasks with the support of AESI specialists who actively and collectively remain aware of updates for current utility sector applications and software tools. AESI can perform the patch management obligations of NERC CIP-007 R2, tracking, evaluating, and even applying applicable cybersecurity patches. AESI can create and implement plans to mitigate the risks of identified cybersecurity vulnerabilities.
For More Information
To learn more about the compliance risk management services from AESI-US, Inc., send an email to firstname.lastname@example.org