CIP-010 - Configuration change management: Each system change must be documented with affected work items. Here, the change request must be connected to associated risks, approval, and validation.
CIP-013 - Supply chain risk management: In power and utility systems, third-party risks must be assessed and managed according to CIP-013. Traceability helps here to connect vendors to systems, identified risks, and mitigation actions.
Also, key standards, such as security management Controls (CIP-00