CONTACT

Free Resource · Splunk & Cribl

Data Onboarding Checklist for NERC CIP Environments

A one-page field checklist for onboarding any new data source into a Splunk or Cribl pipeline that touches BES Cyber Systems. Clean parsing and right-sized volume, with the logging and audit evidence that CIP asks for, built into every stage.

Arcus Data — Data Onboarding Checklist for NERC CIP-Regulated Environments

What's inside

Six stages, from first request to production hand-off, with the NERC CIP control mapped to the step where it applies:

  1. Intake & scoping · capture source facts, verify volume, define the use case, classify the asset (CIP-002).
  2. Authorization & change control · need-to-know access, baseline, dev-first, keep the path inside the ESP (CIP-004, 005, 010, 011).
  3. Source type config: the “Great Eight” · the props.conf settings that get event breaking and timestamps right the first time.
  4. Validation · format, completeness, standards, CIM mapping, required security events (CIP-007 R4.1).
  5. Retention, alerting & audit · 90-day retention, real-time alerts, 15-day review, version control (CIP-007 R4, CIP-010).
  6. Communicate & hand off · publish the details, update the catalog, close the change record.

Go deeper: the data onboarding series

Configuration practices per Splunk Lantern. Reference aid only, not legal advice. Validate against your registered entity's compliance program and Regional Entity guidance.