
NERC CIP (Critical Infrastructure Protection)

Mandatory cyber standards for the North American bulk power system.

Introduction: NERC CIP for the North American Bulk Electric System

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are the mandatory, enforceable cyber and physical security requirements that protect the Bulk Electric System (BES) across the United States, Canada and portions of Baja California, Mexico. Unlike voluntary frameworks, NERC CIP carries the full weight of law: NERC is the Electric Reliability Organisation (ERO) certified by the U.S. Federal Energy Regulatory Commission (FERC) under Section 215 of the Federal Power Act, and its Reliability Standards are approved by FERC and enforced through the Regional Entities. Non-compliance can attract civil penalties of up to USD 1 million per violation, per day.

This guide is written for two audiences simultaneously: the auditor or Regional Entity assessor who must plan and execute a Compliance Audit against the Requirements and Measures, and the implementer, Compliance Officer or CIP Senior Manager who must build, evidence and sustain a defensible security programme. It enumerates every CIP standard currently in force, the associated Requirements (R), the impact-rating methodology of CIP-002, the tiered High/Medium/Low BES Cyber System classification, and the evidence auditors expect to see. It is grounded in the terminology of the NERC Glossary of Terms and the Requirements/Measures/Violation Severity Level (VSL) structure used across the standards family.

Copyright and source note
NERC CIP Reliability Standards, the NERC Glossary of Terms, Requirement/Measure text and Compliance Application Notices are copyright the North American Electric Reliability Corporation and are enforced through FERC and the Regional Entities. This guide is original explanatory and audit-preparation content authored by CyberSigma. It paraphrases obligations for educational purposes and does not reproduce the official standard text. Always work from the current enforceable version of each standard on the NERC website and confirm applicability with your Regional Entity.

What is NERC CIP

NERC CIP is a family of Reliability Standards (the CIP series, CIP-002 through CIP-014, plus CIP-003 low-impact requirements and the newer supply-chain and communications standards) that together define how Responsible Entities must identify, categorise and protect the cyber and physical assets essential to reliable operation of the Bulk Electric System. The standards operate on a risk-based, impact-tiered model: entities first identify their BES Cyber Systems, categorise them as High, Medium or Low impact using the CIP-002 criteria, and then apply a graded set of controls whose stringency scales with impact rating.

NERC CIP is legally distinct from most other cyber frameworks in three ways. First, it is mandatory and audited by government-empowered Regional Entities (such as WECC, SERC, RF, MRO, NPCC, Texas RE) with real financial penalties. Second, it uses a precise defined-term vocabulary: terms such as BES Cyber System (BCS), BES Cyber Asset (BCA), Electronic Security Perimeter (ESP), Physical Security Perimeter (PSP), Electronic Access Point (EAP), Electronic Access Control or Monitoring Systems (EACMS), Physical Access Control Systems (PACS) and Protected Cyber Assets (PCA) carry legal weight. Third, each Requirement is paired with a Measure describing acceptable evidence and a Violation Severity Level table used to grade non-compliance.

Key defined terms an auditor must master

Term | Meaning in the CIP context
--- | ---
BES Cyber Asset (BCA) | A Cyber Asset that, if rendered unavailable, degraded or misused, would within 15 minutes adversely impact one or more BES Reliability Operating Services.
BES Cyber System (BCS) | One or more BES Cyber Assets logically grouped to perform reliability functions; the unit of categorisation under CIP-002.
Electronic Security Perimeter (ESP) | The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.
Electronic Access Point (EAP) | A Cyber Asset interface on an ESP that permits routable protocol traffic in or out.
Physical Security Perimeter (PSP) | The physical (six-wall) border protecting BES Cyber Systems and associated assets.
EACMS | Electronic Access Control or Monitoring Systems, e.g. firewalls, intermediate systems, authentication servers, SIEM/monitoring.
PACS | Physical Access Control Systems controlling entry to a PSP, e.g. badge readers and controllers.
PCA | Protected Cyber Asset — a non-BCA within an ESP that shares the perimeter and must be protected accordingly.
Interactive Remote Access (IRA) | User-initiated remote access from outside an ESP; requires an Intermediate System and multi-factor authentication.
CIP Senior Manager | A single senior official with overall authority and accountability for the CIP compliance programme.

Who must comply / scope of applicability

NERC CIP applies to Responsible Entities that own or operate elements of the Bulk Electric System. The applicable functional entity types are enumerated in the Applicability section of each standard. An organisation is in scope if it registers with NERC in one or more functional categories and owns BES assets meeting the CIP-002 criteria.

Functional entity (Responsible Entity) | Typical applicability under CIP
--- | ---
Balancing Authority (BA) | In scope; controls generation-load balance for a Balancing Authority Area.
Transmission Operator (TOP) | In scope; operates transmission facilities, often High/Medium impact control centres.
Transmission Owner (TO) | In scope where it owns Transmission Facilities meeting CIP-002 criteria.
Generator Operator (GOP) | In scope; operates generation resources, frequently Medium/Low impact.
Generator Owner (GO) | In scope where owning generation meeting the impact thresholds.
Reliability Coordinator (RC) | In scope; highest-level wide-area reliability oversight, typically High impact.
Interchange Coordinator / Interchange Authority | In scope per applicability where designated.
Distribution Provider (DP) | In scope only for specific functions — UFLS/UVLS relays, Cranking Paths, Special Protection Systems, RAS.
Transmission Service Provider (TSP) | Limited applicability; check standard-specific applicability sections.

  • Entities with NO assets meeting any CIP-002 impact criterion still register but may hold few or no CIP obligations.
  • Low impact BES Cyber Systems (e.g. many smaller generation and distribution assets) attract a reduced obligation set concentrated in CIP-003 Requirement R2 (Attachment 1).
  • Third parties (vendors, integrators, managed service providers) are drawn into scope indirectly through the supply-chain standard CIP-013 and access-management requirements.
  • Cloud and virtualisation now feature in the modernised CIP standards under development to address hosted/managed BES Cyber Systems.

Structure of NERC CIP (the standards family)

The CIP family is organised as discrete numbered standards, each addressing a control domain. Each standard contains numbered Requirements (R1, R2 …), each with associated Measures (M1, M2 …), applicable systems tables (High/Medium/Low), Violation Risk Factors (VRF) and Violation Severity Levels (VSL). The table below summarises the enforceable domains.

Standard | Domain / title | Core purpose
--- | --- | ---
CIP-002 | BES Cyber System Categorization | Identify and categorise BES Cyber Systems as High, Medium or Low impact.
CIP-003 | Security Management Controls | Cyber security policies, CIP Senior Manager, delegations, and low-impact protections (Attachment 1).
CIP-004 | Personnel & Training | Awareness, training, personnel risk assessment (background checks) and access management/revocation.
CIP-005 | Electronic Security Perimeter(s) | Define ESPs, control Electronic Access Points, secure Interactive Remote Access via Intermediate Systems.
CIP-006 | Physical Security of BES Cyber Systems | Physical Security Perimeters, physical access controls, monitoring and logging of physical access.
CIP-007 | System Security Management | Ports and services, patch management, malicious code prevention, security event monitoring, system access control.
CIP-008 | Incident Reporting and Response Planning | Cyber Security Incident response plans, testing, and reporting including attempts to compromise.
CIP-009 | Recovery Plans for BES Cyber Systems | Backup, recovery and restoration planning, testing and verification of backup media.
CIP-010 | Configuration Change Management and Vulnerability Assessments | Baseline configurations, change monitoring, and periodic vulnerability assessments; Transient Cyber Assets/Removable Media.
CIP-011 | Information Protection | Identify and protect BES Cyber System Information (BCSI); reuse and disposal of Cyber Assets.
CIP-012 | Communications between Control Centers | Protect confidentiality and integrity of Real-time Assessment and monitoring data in transit between Control Centers.
CIP-013 | Supply Chain Risk Management | Develop and implement supply-chain cyber risk management plans for procurement and vendor risk.
CIP-014 | Physical Security (Transmission) | Identify critical Transmission stations/substations and protect them against physical attack.

How the pieces fit
CIP-002 is the gateway: it drives which systems are High, Medium or Low impact, and therefore which Requirements of CIP-003 through CIP-011 apply and at what stringency. CIP-012, CIP-013 and CIP-014 are cross-cutting. Read every standard's 'Applicable Systems' column before scoping any control.

Master assessment checklist — every standard and requirement

This is the core audit section. Each subsection below corresponds to a CIP standard and its Requirements. For each, use the table of 'What to verify' against 'Typical evidence'. Do not skip any Requirement; where a Requirement is impact-conditional, verify applicability first via CIP-002.

CIP-002 — BES Cyber System Categorization

What to verify | Typical evidence
--- | ---
R1: Identification and categorisation of BES Cyber Systems using Attachment 1 criteria (High/Medium/Low). | BCS asset inventory, impact-rating worksheets mapped to Attachment 1 criteria 1.x/2.x/3.x.
High and Medium impact BCS lists exist and are current. | Categorised lists of High and Medium impact BES Cyber Systems with locations.
Low impact assets identified (list of assets containing low-impact BCS, not asset-by-asset device list). | List of assets containing low-impact BCS; no individual device enumeration required.
R2: CIP Senior Manager (or delegate) reviews and approves identifications/categorisations at least once every 15 calendar months. | Dated approval records signed by the CIP Senior Manager or delegate; review cadence log.

CIP-003 — Security Management Controls

What to verify | Typical evidence
--- | ---
R1: Documented cyber security policies covering the required topics for High/Medium and separately for Low impact. | Approved policy set; version history; annual (15-month) review approvals.
R2: Low-impact entities implement Attachment 1 plans (awareness, physical/electronic access controls, incident response, TCA/Removable Media, vendor remote access). | Attachment 1 implementation plans and supporting records for low-impact assets.
R3: CIP Senior Manager identified by name, title, date of designation. | Signed designation document with effective date.
R4: Delegations of authority documented with name/title/specific action/date. | Written delegation records; 30-day update evidence when changes occur.

CIP-004 — Personnel and Training

What to verify | Typical evidence
--- | ---
R1: Security awareness programme reinforced at least once each calendar quarter. | Quarterly awareness communications, distribution records.
R2: Role-based cyber security training completed before granting authorised access (except CIP Exceptional Circumstances). | Training content, completion records with dates, 15-month refresh evidence.
R3: Personnel Risk Assessment — identity verification and seven-year criminal history records check before access; repeated at least every 7 years. | PRA records, screening completion dates, criteria for evaluating results.
R4: Access management programme — authorisation of electronic and physical access and BCSI access based on need. | Access authorisation records, quarterly access verification, 15-month privilege review.
R5: Access revocation — remove access on termination within 24 hours; other reassignments handled per timelines. | Termination tickets with timestamps proving 24-hour revocation; shared-account password changes.

CIP-005 — Electronic Security Perimeter(s)

What to verify | Typical evidence
--- | ---
R1: All applicable BCS reside within a defined ESP; external routable connectivity only through an EAP. | Network diagrams showing ESPs and EAPs; firewall rule sets with deny-by-default.
R1: Inbound/outbound access permissions documented with reason; Dial-up connectivity authenticated where technically feasible. | Rule-base with business justification; dial-up authentication evidence.
R1: Malicious communications detection for High impact and Medium with External Routable Connectivity (ERC). | IDS/IPS deployment evidence at EAPs; alerting configuration.
R2: Interactive Remote Access routed through an Intermediate System; encryption of IRA; multi-factor authentication for IRA. | IRA architecture, jump-host config, MFA enforcement records, session encryption evidence.
R2/R3: Vendor remote access — ability to determine active vendor sessions and to disable them. | Session monitoring dashboards; documented disable procedure and test.

CIP-006 — Physical Security of BES Cyber Systems

What to verify | Typical evidence
--- | ---
R1: Physical Security Plan defining PSPs and controlling physical access to BCS, EACMS, PACS and PCAs. | Physical Security Plan; PSP boundary drawings; access control design.
R1: Monitor for unauthorised access and issue alarms/alerts. | Alarm logs, monitoring configuration, response records.
R1: Log physical entry and retain records at least 90 calendar days. | Badge/entry logs with retention proof; visitor logs.
R2: Visitor control programme — continuous escort and visitor logging within the PSP. | Visitor escort procedures and completed visitor manifests.
R3: Maintenance and testing of physical access control systems at least once every 24 calendar months. | PACS maintenance/test records with dates.

CIP-007 — System Security Management

What to verify | Typical evidence
--- | ---
R1: Only needed logical network accessible ports enabled; physical I/O ports protected where required. | Port/service inventory per baseline; justification for enabled ports.
R2: Patch management — track/evaluate/install security patches; evaluate applicability within 35 days of source availability; act within 35 days or produce a mitigation plan. | Patch source list, 35-day evaluation records, installation or dated mitigation plans.
R3: Malicious code prevention deployed and signatures/methods updated. | Anti-malware configuration and update logs; alternative-method justification.
R4: Security event monitoring — log events, generate alerts for detected events, retain logs at least 90 days, review summaries at least every 15 days. | Logging configuration, alerting rules, 90-day retention proof, 15-day review records.
R5: System access controls — enforce authentication, manage default/generic/shared accounts, enforce password parameters, limit unsuccessful login attempts. | Account inventories, password policy config, lockout settings, shared-account controls.

CIP-008 — Incident Reporting and Response Planning

What to verify | Typical evidence
--- | ---
R1: Cyber Security Incident Response Plan(s) exist, define roles, and cover identification, classification and response to Reportable Cyber Security Incidents. | Approved IR plans; classification criteria; roles/responsibilities.
R2: Plan tested at least once every 15 calendar months (exercise or actual incident); lessons learned captured; plan updated within 90 days. | Exercise records, actual-incident use, after-action reviews, dated plan updates.
R3: Reporting — notify E-ISAC and CISA of Reportable Cyber Security Incidents and attempts to compromise; meet mandated timelines (initial notification within 1 hour for confirmed compromise; longer windows for attempts). | Reporting logs to E-ISAC/CISA with timestamps evidencing the 1-hour rule.

CIP-009 — Recovery Plans for BES Cyber Systems

What to verify | Typical evidence
--- | ---
R1: Recovery plan(s) specify conditions for activation, roles, backup and storage of information, and processes to preserve data for forensic analysis. | Recovery plans; backup schedules; forensic-preservation procedures.
R2: Test recovery plans at least once every 15 calendar months; test backup media at least every 15 months and verify successful restoration of at least one BCS every 36 months (High impact). | Test records, restoration verification logs, backup integrity checks.
R3: Update recovery plans and communicate changes within 90 days of a test or actual recovery. | Post-test lessons learned; dated plan revisions; communication distribution.

CIP-010 — Configuration Change Management and Vulnerability Assessments

What to verify | Typical evidence
--- | ---
R1: Baseline configurations documented (OS, commercially/open-source software, custom software, logical ports, security patches); authorise and document changes that deviate; update baselines within 30 days; verify security controls not adversely affected. | Baseline records, change tickets with authorisation, 30-day baseline updates, control-verification test results.
R2: Monitor for unauthorised changes to the baseline at least once every 35 calendar days (High impact). | Change-detection tooling output and 35-day monitoring logs.
R3: Vulnerability assessment at least once every 15 months (paper/active); active assessment every 36 months for High impact; assess new BCS before commissioning; document and act on results. | VA reports, remediation action plans, pre-commissioning assessment records.
R4: Transient Cyber Assets and Removable Media risk management (Attachment 1) — authorisation, malicious code mitigation, software update controls. | TCA/Removable Media plans, scan records, authorised-use logs.

CIP-011 — Information Protection

What to verify | Typical evidence
--- | ---
R1: Information protection programme identifies BES Cyber System Information (BCSI) and protects it in storage, transit and use, including access controls for BCSI repositories. | BCSI classification scheme, handling procedures, repository access controls (incl. cloud/third-party).
R2: Reuse and disposal — prevent unauthorised retrieval of BCSI from Cyber Assets before reuse; render BCSI unrecoverable before disposal. | Media sanitisation records, certificates of destruction, chain-of-custody logs.

CIP-012 — Communications between Control Centers

What to verify | Typical evidence
--- | ---
R1: Plan to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers; identify security protections and responsibilities where communication crosses entity boundaries. | CIP-012 plan, encryption/integrity mechanism design, inter-entity responsibility agreements.

CIP-013 — Supply Chain Risk Management

What to verify | Typical evidence
--- | ---
R1: Supply-chain cyber security risk management plan(s) address procurement risk, including vendor notification of incidents, coordinated response, disclosure of vulnerabilities, verification of software integrity/authenticity, and vendor remote access controls. | Documented SCRM plan; procurement language templates; vendor security requirements.
R2: Implement the plan(s) for High and Medium impact BCS procurements. | Procurement records applying the plan; vendor risk assessments; contract clauses.
R3: CIP Senior Manager approves the plan(s) at least once every 15 calendar months. | Dated CIP Senior Manager approval of the SCRM plan.

CIP-014 — Physical Security (critical Transmission stations and substations)

What to verify | Typical evidence
--- | ---
R1: Risk assessment to identify Transmission stations/substations that, if rendered inoperable, could cause instability, uncontrolled separation or Cascading. | Risk assessment methodology and results; 30-month re-assessment cadence.
R2: Unaffiliated third-party verification of the R1 risk assessment. | Independent verifier report; documentation of resolved disagreements.
R3: Notify the primary control centre Transmission Operator for identified stations. | Notification records.
R4: Evaluate potential physical threats and vulnerabilities to identified facilities. | Threat/vulnerability evaluation reports.
R5: Develop and implement physical security plans to address the threats. | Physical security plans, timelines for execution.
R6: Unaffiliated third-party review of the evaluation (R4) and security plan (R5). | Independent review report; resolution of recommendations.

Scoping, materiality and impact tiering (CIP-002 Attachment 1)

CIP-002 Attachment 1 provides the bright-line criteria that determine impact rating. Scoping errors here cascade across the entire programme, so auditors probe categorisation rigorously. The three tiers and representative criteria are summarised below.

Impact tier | Representative CIP-002 Attachment 1 criteria (paraphrased) | Consequence for control set
--- | --- | ---
High impact (Criteria 1.x) | BES Cyber Systems at large Control Centres and backup Control Centres performing functional obligations of a Reliability Coordinator, Balancing Authority for large areas, Transmission Operator for major systems, or Generator Operator for the largest resources. | Full application of all applicable CIP Requirements at highest stringency.
Medium impact (Criteria 2.x) | BCS associated with generation aggregations above defined MW thresholds, Transmission Facilities at/above defined kV thresholds (e.g. certain 500 kV and 200-499 kV weighted-value facilities), critical substations, blackstart resources and Cranking Paths. | Most CIP Requirements apply; some are conditioned on External Routable Connectivity (ERC).
Low impact (Criteria 3.x) | All other BES assets containing BES Cyber Systems not meeting High or Medium criteria. | Reduced obligation focused on CIP-003 R2 Attachment 1 (policies, awareness, physical/electronic access, incident response, TCA/Removable Media, vendor remote access).

  • External Routable Connectivity (ERC) is a pivotal modifier: many Medium-impact obligations (e.g. parts of CIP-005 and CIP-007) apply only where ERC exists.
  • The 15-minute adverse-impact test defines whether a Cyber Asset is a BCA — document the reliability-function analysis behind each inclusion/exclusion.
  • Categorisation must be reviewed and approved at least every 15 calendar months (CIP-002 R2) and whenever the BES footprint materially changes.
  • Under-scoping (missing an asset) and over-scoping (needless burden) are both risks; maintain a defensible, criteria-mapped rationale for every decision.

Implementation approach (phased)

A defensible CIP programme is built in disciplined phases. Each phase below lists key activities and the deliverables an auditor will later expect.

Phase 1 — Registration, scoping and categorisation

  • Activities: confirm NERC functional registration; inventory all BES assets and Cyber Assets; apply the 15-minute test; categorise BCS per CIP-002 Attachment 1; identify EACMS, PACS, PCA, TCA and Removable Media.
  • Deliverables: High/Medium impact BCS lists, list of assets containing low-impact BCS, categorisation rationale, CIP Senior Manager approval.

Phase 2 — Governance and personnel foundations

  • Activities: designate CIP Senior Manager and delegations; write CIP-003 policies; stand up CIP-004 awareness, training, PRA and access-management programmes.
  • Deliverables: approved policy suite, designation/delegation records, training curriculum, PRA procedure, access authorisation register.

Phase 3 — Perimeter and system hardening

  • Activities: define ESPs and EAPs (CIP-005); deploy Intermediate Systems and MFA for IRA; establish PSPs and physical controls (CIP-006); harden systems, patch, anti-malware and logging (CIP-007); baseline configurations (CIP-010).
  • Deliverables: network/ESP diagrams, firewall rule-bases, physical security plan, baseline configuration records, patch-management process.

Phase 4 — Resilience, information protection and supply chain

  • Activities: build incident response and reporting (CIP-008); recovery and backup (CIP-009); BCSI protection and disposal (CIP-011); Control Center comms protection (CIP-012); SCRM plan and vendor controls (CIP-013); physical security for critical Transmission (CIP-014).
  • Deliverables: IR plan, recovery plan, BCSI programme, CIP-012 plan, SCRM plan, CIP-014 risk assessment and physical plan.

Phase 5 — Evidence, internal controls and audit readiness

  • Activities: implement an Internal Controls programme; automate evidence collection; conduct mock audits; remediate gaps; establish self-report and mitigation processes.
  • Deliverables: evidence repository, internal controls narratives, mock-audit findings, mitigation plans, self-certification records.

Maturity / internal-controls capability model

While NERC CIP compliance is binary at the Requirement level, Regional Entities increasingly assess the strength of an entity's Internal Controls (via the Internal Controls Evaluation, ICE) to set audit scope and frequency. The maturity model below helps entities self-assess.

Level | Characteristics | Audit posture
--- | --- | ---
1 — Initial / reactive | Compliance activities ad hoc; evidence assembled at audit time; frequent self-reports of missed deadlines. | High audit scrutiny; likely expanded sampling.
2 — Defined | Documented procedures for each Requirement; owners assigned; manual tracking of deadlines. | Standard audit scope; some reliance on documentation.
3 — Managed | Centralised evidence repository; calendar-driven controls for 15-month/quarterly/35-day cadences; periodic self-assessment. | Reduced sampling where internal controls demonstrated.
4 — Controlled (strong internal controls) | Preventive and detective controls with automated alerts; independent internal review; timely self-identification and correction. | Favourable ICE outcome; potential for reduced audit frequency/scope.
5 — Optimised | Continuous monitoring, metrics-driven improvement, integrated GRC tooling, near-real-time compliance posture. | Highest assurance; enterprise treated as low compliance risk.

Assessment and audit approach

  1. Confirm the audit scope: which registered functions, which standards/Requirements, and the audit period (typically since the last audit, on a 3-year cycle for High/Medium impact entities).
  2. Validate CIP-002 categorisation first — verify the BCS lists, impact ratings and CIP Senior Manager approvals; scoping errors invalidate downstream conclusions.
  3. Request and review the Reliability Standard Audit Worksheets (RSAWs) and supporting evidence for each in-scope Requirement.
  4. Test governance: CIP Senior Manager designation, delegations, and policy approvals within 15 months.
  5. Sample personnel records for CIP-004: training completion before access, PRAs, quarterly access verification, and 24-hour revocation.
  6. Inspect technical controls: ESP/EAP configurations, IRA/MFA, physical access logs (90-day retention), baselines, patch evidence (35-day rule), log review (15-day) and monitoring.
  7. Test resilience: IR plan tests (15-month), reporting to E-ISAC/CISA (1-hour rule), recovery-plan tests and backup restoration verification.
  8. Examine cross-cutting standards: CIP-011 BCSI handling, CIP-012 comms protection, CIP-013 SCRM implementation, CIP-014 assessments and third-party reviews.
  9. Evaluate internal controls (ICE) to gauge sustainability and calibrate sampling depth.
  10. Document Areas of Concern, Potential Non-Compliance (PNC) and Positive Observations; agree mitigation plans and, where applicable, self-logging or Find, Fix, Track and Report (FFT) dispositions.

Evidence request list (categorised)

  • Governance: CIP Senior Manager designation, delegations, approved cyber security policies with review dates.
  • Categorisation: High/Medium BCS lists, list of assets with low-impact BCS, CIP-002 Attachment 1 mapping worksheets, R2 approvals.
  • Personnel: training records with dates, PRA/background-check records, access authorisation and quarterly verification, 24-hour revocation tickets.
  • Electronic security: network/ESP diagrams, EAP firewall rule-bases with justifications, IRA architecture, MFA enforcement, IDS/IPS at EAPs.
  • Physical security: Physical Security Plan, PSP drawings, entry logs (90-day retention), visitor logs, PACS maintenance/test records.
  • System management: port/service inventories, baseline configurations, patch evaluation and installation logs (35-day), anti-malware update logs, security-event logs and 15-day reviews.
  • Change and vulnerability: change tickets, 30-day baseline updates, 35-day change monitoring, vulnerability assessment reports and remediation.
  • Incident and recovery: IR plans and test records, E-ISAC/CISA reporting logs, recovery plans, backup and restoration verification.
  • Information protection: BCSI classification and handling, repository access controls, media sanitisation/destruction certificates.
  • Supply chain and comms: CIP-013 SCRM plan and procurement records, vendor risk assessments, CIP-012 plan and inter-entity agreements.
  • Critical Transmission: CIP-014 risk assessments, third-party verification/review reports, physical security plans.

Roles and responsibilities

Role | CIP responsibilities
--- | ---
CIP Senior Manager | Single point of overall authority and accountability; approves categorisations, policies and SCRM plan on the 15-month cadence; authorises delegations.
Delegate(s) | Perform specified approval/authorisation actions under written delegation from the CIP Senior Manager.
Compliance Officer / CIP Compliance Lead | Owns the compliance programme, RSAW preparation, evidence repository, self-reporting and mitigation plans.
System / Network Engineers | Implement and evidence CIP-005/006/007/010 technical controls (ESP, PSP, hardening, baselines).
Security Operations / SOC | Log monitoring, event alerting, incident detection and response support (CIP-007 R4, CIP-008).
HR / Personnel Security | Execute PRAs, training assignment and timely access revocation (CIP-004).
Physical Security team | Maintain PSPs, PACS, visitor control and CIP-014 physical protections.
Procurement / Supply Chain | Apply CIP-013 requirements in vendor selection and contracting.
Internal Audit / Internal Controls | Independent verification, ICE support, and continuous-monitoring assurance.

KPIs and metrics to track

  • Percentage of BES Cyber Systems with current, approved CIP-002 categorisation (target 100%).
  • Patch evaluation and remediation completed within the 35-day window (percentage and ageing).
  • Security-event log reviews completed within 15 days (on-time rate).
  • Access revocations completed within 24 hours of termination (on-time rate).
  • Quarterly access verifications and awareness reinforcements completed on schedule.
  • Incident response and recovery plan tests completed within 15 months; mean time to report Reportable Cyber Security Incidents versus the 1-hour target.
  • Baseline change authorisation compliance and 35-day change-monitoring coverage.
  • Number of self-identified versus auditor-identified potential non-compliances (higher self-identification indicates strong internal controls).
  • Open mitigation plans, ageing and overdue count.
  • Vendor/SCRM assessments completed for in-scope procurements; backup restoration verification success rate.
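The on-time-rate KPIs above, and the "calendar-driven controls for 15-month/quarterly/35-day cadences" that the maturity model expects at Level 3, both come down to checking evidence dates against fixed windows. The script below is an added example, not CyberSigma's or NERC's code: it scores constructed evidence records (patch ids, user ids, the system name and all dates are invented) against the 35-day patch evaluation, 24-hour revocation, 15-day log review and 15-calendar-month approval windows cited in this guide, treating "calendar months" as whole-month arithmetic clamped to month end.

```python
"""Cadence checker for the NERC CIP windows cited in this guide (added example,
not CyberSigma's or NERC's code). All evidence records below are constructed."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


def add_calendar_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to month end (31 Jan + 1 -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class Finding:
    requirement: str  # e.g. "CIP-007 R2"
    subject: str      # patch id, user id, system or plan name
    deadline: str     # ISO date/time at which the window closed
    on_time: bool


def check_patch_evaluations(records: list[dict], as_of: date) -> list[Finding]:
    """CIP-007 R2: evaluate each patch within 35 calendar days of source availability.
    A patch not yet evaluated is late only once its window has closed."""
    out = []
    for r in records:
        deadline = r["available"] + timedelta(days=35)
        done = r.get("evaluated") or as_of
        out.append(Finding("CIP-007 R2", r["patch"], deadline.isoformat(), done <= deadline))
    return out


def check_revocations(records: list[dict], as_of: datetime) -> list[Finding]:
    """CIP-004 R5: remove access within 24 hours of termination."""
    out = []
    for r in records:
        deadline = r["terminated"] + timedelta(hours=24)
        done = r.get("revoked") or as_of
        out.append(Finding("CIP-004 R5", r["user"], deadline.isoformat(), done <= deadline))
    return out


def check_log_reviews(system: str, reviews: list[date], as_of: date) -> list[Finding]:
    """CIP-007 R4: review logged-event summaries at least once every 15 calendar days.
    Each review must fall within 15 days of the previous one, and the latest review
    must still be within its window as of the check date."""
    out = []
    for prev, cur in zip(reviews, reviews[1:] + [as_of]):
        deadline = prev + timedelta(days=15)
        out.append(Finding("CIP-007 R4", system, deadline.isoformat(), cur <= deadline))
    return out


def check_approvals(requirement: str, subject: str, approvals: list[date], as_of: date) -> list[Finding]:
    """15-calendar-month approval cadence (CIP-002 R2, CIP-003 R1, CIP-013 R3)."""
    out = []
    for prev, cur in zip(approvals, approvals[1:] + [as_of]):
        deadline = add_calendar_months(prev, 15)
        out.append(Finding(requirement, subject, deadline.isoformat(), cur <= deadline))
    return out


def on_time_rate(findings: list[Finding]) -> float:
    """KPI: fraction of checked windows that were met (1.0 when nothing was checked)."""
    return sum(f.on_time for f in findings) / len(findings) if findings else 1.0


# Constructed sample evidence; ids, system names and dates are invented for the example.
AS_OF = date(2024, 6, 30)
PATCHES = [
    {"patch": "PATCH-CONSTRUCTED-1", "available": date(2024, 5, 1), "evaluated": date(2024, 5, 20)},
    {"patch": "PATCH-CONSTRUCTED-2", "available": date(2024, 5, 1), "evaluated": date(2024, 6, 10)},  # day 40: late
    {"patch": "PATCH-CONSTRUCTED-3", "available": date(2024, 6, 10)},  # not yet evaluated, window still open
]
TERMINATIONS = [
    {"user": "u-001", "terminated": datetime(2024, 6, 3, 9, 0), "revoked": datetime(2024, 6, 3, 17, 30)},
    {"user": "u-002", "terminated": datetime(2024, 6, 5, 9, 0), "revoked": datetime(2024, 6, 6, 10, 0)},  # 25 h: late
]
LOG_REVIEWS = [date(2024, 5, 1), date(2024, 5, 15), date(2024, 6, 3), date(2024, 6, 17)]  # 19-day gap in May
CIP002_APPROVALS = [date(2022, 1, 31), date(2023, 5, 2), date(2024, 5, 15)]  # first gap exceeds 15 months by 2 days


def summarise(as_of: date = AS_OF) -> dict[str, float]:
    """On-time rate per requirement over the constructed records."""
    groups = {
        "CIP-007 R2": check_patch_evaluations(PATCHES, as_of),
        "CIP-004 R5": check_revocations(TERMINATIONS, datetime.combine(as_of, time.max)),
        "CIP-007 R4": check_log_reviews("EMS-constructed", LOG_REVIEWS, as_of),
        "CIP-002 R2": check_approvals("CIP-002 R2", "BCS categorisation", CIP002_APPROVALS, as_of),
    }
    return {req: round(on_time_rate(f), 3) for req, f in groups.items()}


if __name__ == "__main__":
    for req, rate in summarise().items():
        print(f"{req}: {rate:.0%} of windows met")
```

Feeding real ticketing, patch-tracker and SIEM review records into the same check functions gives the per-requirement on-time rates and ageing that the KPI list asks for, and an open window that has not yet closed is not counted as a miss.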

Readiness checklist

  • NERC functional registration confirmed and BES asset inventory complete.
  • CIP-002 categorisation done, mapped to Attachment 1, approved within 15 months.
  • CIP Senior Manager designated and delegations documented.
  • Full CIP-003 policy suite approved and within review cadence.
  • CIP-004 training, PRA, access authorisation and 24-hour revocation processes operating with evidence.
  • ESPs/EAPs defined, IRA via Intermediate System with MFA, malicious-communications detection where required.
  • PSPs established, 90-day physical entry logs retained, visitor control operating.
  • Ports/services controlled, 35-day patch process, anti-malware, 90-day log retention and 15-day reviews in place.
  • IR plan tested within 15 months and E-ISAC/CISA reporting path validated against the 1-hour rule.
  • Recovery plans and backup restoration tested and verified.
  • Baselines documented, changes authorised, 35-day monitoring, and vulnerability assessments current.
  • BCSI protection, CIP-012 comms plan, CIP-013 SCRM plan and CIP-014 assessments complete with third-party reviews.
  • Evidence repository and internal controls programme audit-ready; mock audit conducted.

Common gaps and findings

  • Incomplete or unjustified CIP-002 categorisation — missing assets or absent 15-minute-impact rationale.
  • Access revocation exceeding the 24-hour window, or shared-account passwords not changed on personnel departure.
  • Missed 35-day patch evaluation/installation deadlines without a documented mitigation plan.
  • Security-event logs not reviewed within 15 days, or retention short of 90 days.
  • Interactive Remote Access without a compliant Intermediate System or without enforced multi-factor authentication.
  • Baseline configurations out of date, or changes made without authorisation and 30-day baseline updates.
  • Physical access logs not retained for 90 days; visitor escort lapses inside PSPs.
  • Incident response or recovery plans not tested within 15 months, or lessons-learned updates not made within 90 days.
  • CIP-013 SCRM plan documented but not evidenced in actual procurements; vendor remote-access controls unproven.
  • BCSI stored in cloud/third-party repositories without adequate access controls (CIP-011); weak media disposal.
  • CIP-014 risk assessments lacking unaffiliated third-party verification/review.

NERC CIP mapped to other frameworks

NERC CIP domain | NIST CSF 2.0 function | ISO/IEC 27001:2022 (Annex A) | NIST SP 800-53
CIP-002 categorisation | Identify (Asset Management) | A.5.9 inventory of assets | CM-8, RA-2, PM-5
CIP-003 security management | Govern | A.5.1 policies for information security | PM-1, PL-1
CIP-004 personnel and training | Protect (Awareness & Training) | A.6.1-6.3 screening, terms, awareness | PS-3, AT-2, PS-4/PS-5
CIP-005 electronic security perimeter | Protect (Identity & Access) | A.8.20-8.22 network security/segregation | SC-7, AC-17, IA-2
CIP-006 physical security | Protect | A.7.x physical and environmental security | PE-2, PE-3, PE-6
CIP-007 system security management | Protect / Detect | A.8.7-8.9, A.8.15-8.16 | SI-2, SI-3, AU-6, AC-7
CIP-008 incident reporting/response | Respond | A.5.24-5.28 incident management | IR-4, IR-6, IR-8
CIP-009 recovery plans | Recover | A.5.29-5.30, A.8.13 backup | CP-9, CP-10, CP-4
CIP-010 change and vulnerability management | Identify / Protect | A.8.8, A.8.9, A.8.32 | CM-2, CM-3, RA-5
CIP-011 information protection | Protect | A.5.12-5.14, A.8.10-8.11 | MP-6, SC-28, MP-2
CIP-013 supply chain | Identify (Supply Chain Risk) | A.5.19-5.23 supplier relationships | SR-3, SR-5, SR-11

How CyberSigma helps
CyberSigma partners with Responsible Entities across the North American Bulk Electric System to build, evidence and sustain defensible NERC CIP programmes. Our CERT-In empanelled and PCI QSA-qualified assessors deliver end-to-end support: CIP-002 scoping and impact categorisation, gap assessments across CIP-003 to CIP-014, RSAW preparation, mock Regional Entity audits, Internal Controls Evaluation readiness, and remediation of common findings such as the 35-day patch, 24-hour revocation and 15-day log-review deadlines. We architect ESP/PSP designs, IRA/MFA and Intermediate Systems, BCSI protection (including cloud repositories), CIP-013 supply-chain plans and CIP-014 physical security programmes with third-party verification. Through our GRC tooling we automate evidence capture against every 15-month, quarterly, 35-day and 90-day cadence, mapping CIP controls to NIST CSF, ISO 27001 and 800-53 so your electric-sector compliance investment strengthens your wider security posture. Talk to CyberSigma to move from reactive compliance to a metrics-driven, audit-ready programme.

Frequently asked questions

Who must comply with NERC CIP?
Registered entities operating the North American bulk power system, including generation, transmission and balancing authorities.
Need help with NERC CIP?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.