U.S. Department of Energy
This risk management process (RMP) guideline was developed by the Department of Energy (DOE), in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC). Members of industry (utilities and vendors) and utility-specific trade groups took part in authoring the guidance so that it would be meaningful and reflect industry advice. The primary goal of this guideline is to describe an RMP that is tuned to the specific needs of Electricity Sector organizations. The NIST Special Publication (SP) 800-39, Managing Information Security Risk, provides the foundational methodology for this document. The NIST Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security, and NERC critical infrastructure cybersecurity standards provide a strong foundation for the development of cybersecurity guidelines that will further refine the definition and application of effective cybersecurity for all organizations in the Electricity Sector. The NERC Critical Infrastructure Protection (CIP) cybersecurity standards are outside the scope of this guideline.