When should BPS or BES be used?
A description of the affected BES Cyber System(s), Transmission Facility or equipment, impacted personnel or department, etc.
The description of the root cause should not simply be a restatement of the noncompliance.
The root cause must be addressed by at least one of the mitigation steps.
Include planned or actual completion dates for each mitigation step that stopped the noncompliance.
Was an "extent of condition" investigation performed (may not be necessary, especially if the noncompliance was caught by an internal control)?
If additional instances were found, were they mitigated? Include dates.
Were additional mitigation steps taken to prevent reoccurrence?
Formal mitigation plans are not required for minimal risk noncompliances.
The entity provides a statement of its assessment of the risk resulting from the noncompliance. MRO may contact the Registered Entity for clarification.
Identify any actual impact that occurred as a result of the noncompliance (e.g., "Two persons entered the control center without proper authorization" or "The facility was operated above its maximum seasonal rating").
Internal controls can be risk reducers; take credit for any internal controls that limited the duration or the effects of the noncompliance.
If there are characteristics or circumstances that reduce risk of the issue, describe them (e.g., "No Interactive Remote Access is possible to the affected BES Cyber System." or "The System Operator had completed all of the required training hours, but had not formally renewed her NERC Certification").