North American Electric Reliability Corporation Critical Infrastructure Protection
Mandatory cybersecurity standards protecting the North American power grid
What are the current NERC CIP requirements?
NERC CIP sets mandatory cybersecurity standards for entities operating the North American bulk electric system, enforced by FERC with penalties up to $1 million per violation per day. The framework runs from CIP-002 (asset categorization) through CIP-014 (physical security), with controls scaled to each facility's High, Medium, or Low impact rating. Two major additions are now in effect. CIP-015-1, approved by FERC Order 907 (Federal Register July 2, 2025; Doc 2025-12309), requires Internal Network Security Monitoring (INSM) for applicable Control Centers by September 2, 2028 and other entities by September 2, 2030. FERC Order 919 (Federal Register March 24, 2026; Doc 2026-05716) approved 11 updated CIP standards (CIP-002-7 through CIP-013-3) covering virtualized environments, effective May 26, 2026, with mandatory compliance by July 1, 2028.
// What is NERC CIP?
NERC CIP standards are mandatory cybersecurity requirements for entities operating the North American bulk electric system. Unlike voluntary frameworks, CIP compliance is legally required, enforced by NERC under authority delegated by the Federal Energy Regulatory Commission (FERC) in the US and equivalent authorities in Canada.
The standards apply to Bulk Electric System (BES) Cyber Systems based on impact ratings (High, Medium, Low) that determine the rigor of required controls. High and Medium impact systems face the most stringent requirements, including personnel training, physical security, and layered access controls.
CIP standards have expanded significantly in 2025 and 2026. CIP-015-1, covering Internal Network Security Monitoring (INSM), was approved by FERC Order 907 (Federal Register July 2, 2025; Doc 2025-12309). Control Centers must comply by September 2, 2028; other applicable entities by September 2, 2030. FERC Order 919 (Federal Register March 24, 2026; Doc 2026-05716) approved 11 updated CIP standards (CIP-002-7 through CIP-013-3) plus four new glossary terms addressing virtualization. Order 919 standards take effect May 26, 2026, with mandatory compliance by July 1, 2028.
// Inside the Regulation
NERC CIP comprises multiple standards (CIP-002 through CIP-014), each addressing specific security domains. Entities must comply with requirements based on their BES Cyber System impact categorization.
BES Cyber System Categorization
CIP-002-5.1aThe foundation of CIP compliance: categorizing systems based on their impact on reliable grid operation.
High Impact Rating
Control centers controlling 3,000 MW+ generation or operating the integrity of interconnections. Most stringent requirements apply.
Medium Impact Rating
Transmission stations 500kV+, generation resources 1,500 MW+, and control centers not meeting High criteria.
Low Impact Rating
BES Cyber Systems not meeting High or Medium criteria. Reduced but still mandatory requirements.
BES Cyber Asset Identification
Identify all Cyber Assets essential to reliable operation of categorized BES Cyber Systems.
Security Management Controls
CIP-003-8 through CIP-006-6Foundational security management, personnel, and physical security requirements.
Security Management Controls (CIP-003)
Documented cybersecurity policies, assign security responsibility, and establish security awareness programs.
Personnel and Training (CIP-004)
Personnel risk assessment, cybersecurity training, and access management. Background checks for personnel with cyber or physical access.
Electronic Security Perimeter (CIP-005)
Define Electronic Security Perimeters, control access points, monitor unauthorized access, and manage remote access securely.
Physical Security (CIP-006)
Physical Security Plans for locations housing High/Medium impact BES Cyber Systems including access controls and monitoring.
Systems Security Management
CIP-007-6 through CIP-010-4Technical controls for system hardening, incident response, recovery, and configuration management.
System Security Management (CIP-007)
Ports and services management, security patch management, malicious code prevention, security event monitoring.
Incident Reporting and Response (CIP-008)
Cyber Security Incident response plan, testing, and reporting requirements. Incidents reported to E-ISAC within timeframes.
Recovery Plans (CIP-009)
Recovery plans for BES Cyber Systems, backup/recovery procedures, and annual testing of recovery plans.
Configuration and Vulnerability (CIP-010)
Baseline configurations, configuration change management, vulnerability assessments at least every 35 months.
Supply Chain, Physical Security, and Emerging Standards
CIP-013-3, CIP-014-3, CIP-015-1Standards addressing supply chain risk, physical security, internal network monitoring, and virtualization (Order 919).
Supply Chain Risk Management (CIP-013)
Develop plans addressing supply chain risks for High/Medium impact BES Cyber Systems. CIP-013-3 (Order 919) effective May 26, 2026; mandatory July 1, 2028.
Physical Security (CIP-014)
Risk assessment and security plans for transmission stations and control centers critical to grid reliability.
Internal Network Security Monitoring (CIP-015-1)
FERC Order 907 (Federal Register July 2, 2025; Doc 2025-12309) approved CIP-015-1 requiring INSM for applicable BES Cyber Systems. Control Centers must comply by September 2, 2028; other entities by September 2, 2030.
Virtualization Package (Order 919)
FERC Order 919 (Federal Register March 24, 2026; Doc 2026-05716) approved 11 updated CIP standards (CIP-002-7 through CIP-013-3) and four new glossary terms covering virtualized environments. Standards effective May 26, 2026; mandatory compliance July 1, 2028.
Note: CIP compliance is verified through NERC Regional Entity audits. Self-reports and periodic data submittals are required. The CIP enforcement process includes compliance monitoring, violation investigation, and penalty determination with FERC oversight.
// Who Must Comply
- 1 Balancing Authorities managing electric grid balance
- 2 Generation Owners and Operators above thresholds
- 3 Transmission Owners and Operators
- 4 Reliability Coordinators
- 5 Distribution Providers with certain facilities
- 6 Regional Transmission Organizations and Independent System Operators
// Key Requirements
Asset Categorization
Identify and categorize all BES Cyber Systems by impact rating (High, Medium, Low)
Electronic Security Perimeter
Define and protect electronic access points to BES Cyber Systems
Personnel Training
Conduct cybersecurity training and background checks for personnel with access
Configuration Management
Maintain baseline configurations and manage changes through documented processes
Incident Response
Maintain and test incident response plans with required reporting to E-ISAC
Recovery Planning
Develop, maintain, and annually test recovery plans for BES Cyber Systems
// Enforcement & Penalties
NERC CIP violations can result in substantial daily penalties, with FERC having authority to impose penalties up to $1 million per day per violation. Penalty amounts depend on violation severity, risk to grid reliability, and compliance history.
$1 million per violation per day
Examples:
- Duke Energy - $10 million penalty for 127 violations across CIP standards (2019)
- Unidentified entity - $2.7 million for electronic access control violations (2018)
- Pacific Gas & Electric - $2.7 million for physical and electronic security violations (2017)
- Multiple entities - Penalties for supply chain security and access management failures
// Cyber Insurance Impact
Cyber insurers for critical infrastructure operators require evidence of CIP compliance. Given the mandatory nature and significant penalties, coverage often depends on demonstrated compliance status. Policies may include specific exclusions for penalties arising from willful CIP violations.
// How Breach Craft Helps
We help organizations achieve NERC CIP compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of NERC CIP.
// Industries That Need NERC CIP
These industries commonly require NERC CIP compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873