NERC CIP (Critical Infrastructure Protection) standards represent the most detailed mandatory cybersecurity framework applied to any critical infrastructure sector in North America. Unlike voluntary frameworks such as NIST CSF, NERC CIP standards are enforceable regulatory requirements with penalties reaching $1 million per violation per day. For transmission operators, balancing authorities, generator operators, and distribution providers with qualifying facilities, NERC CIP compliance is not optional — it is a condition of operating on the bulk electric system (BES). The standards cover everything from how to categorize which systems are in scope, to patching windows measured in calendar days, to exactly how quickly you must notify NERC of a reportable cyber incident. This guide covers every active CIP standard from CIP-002 through CIP-014, explains how BES Cyber System categorization works, describes what NERC auditors look for, and identifies the compliance gaps that generate the most findings. It also explains how ICS-specific tabletop exercises generate direct audit evidence for CIP-008 and CIP-009 compliance.
1. What NERC CIP Is and Who Must Comply
NERC CIP standards are a suite of mandatory reliability standards developed by the North American Electric Reliability Corporation and approved by the Federal Energy Regulatory Commission (FERC) in the United States. In Canada, NERC CIP standards are enforced by the same regional entity structure in coordination with provincial regulators. Standards apply to entities that own, operate, or use BES facilities, and to their vendors and third-party service providers to the extent specified in CIP-013.
Who Is Subject to NERC CIP
- Transmission Operators (TOP): Entities that operate transmission facilities or elements of the BES.
- Balancing Authorities (BA): Entities responsible for maintaining load-resource balance within a defined area.
- Generator Operators (GOP): Entities that operate generation facilities connected to the BES.
- Distribution Providers (DP): Distribution providers with qualifying generation or protection systems that affect the BES.
- Reliability Coordinators (RC), Transmission Planners (TP), and Planning Coordinators (PC): Entities with operational planning responsibilities affecting the BES.
Enforcement Structure
NERC delegates enforcement to six Regional Entities: SERC Reliability Corporation, ReliabilityFirst, MRO (Midwest Reliability Organization), WECC (Western Electricity Coordinating Council), Texas RE (Texas Reliability Entity), and NPCC (Northeast Power Coordinating Council). Each RE conducts audits, spot checks, and compliance investigations within its footprint. NERC sets the standards; REs enforce them. Penalties are assessed under NERC’s Sanction Guidelines and can reach $1,000,000 per violation per day. NERC has levied settlements exceeding $10 million for systemic compliance failures.
Current Standards and Developments
The active NERC CIP standards as of 2026 are CIP-002-5.1a through CIP-014-3, plus CIP-003-9 which updated Low Impact BES Cyber System controls for supply chain risk management. CIP-015, covering Internal Network Security Monitoring (INSM) for High and Medium Impact BCS, is in the final stages of development and is expected to become effective in 2026–2027. Organizations planning OT security investments should factor CIP-015 INSM requirements into their roadmap now.
2. The NERC CIP Standards: CIP-002 Through CIP-014
Each CIP standard addresses a distinct security domain. Understanding what each standard actually requires — not just its title — is essential for building an evidence management program that will withstand audit scrutiny.
CIP-002: BES Cyber System Categorization
CIP-002 is the foundation of the entire NERC CIP program. It requires each responsible entity to identify its BES Cyber Systems and categorize them as High, Medium, or Low Impact using the criteria in Attachment 1. The categorization determines which subsequent standards apply and at what level of rigor. All other CIP standards reference CIP-002 impact categories. An error in CIP-002 categorization — either too narrow or too broad — creates compliance risk across the entire program.
CIP-003: Security Management Controls
CIP-003 requires each responsible entity to have documented cybersecurity policies covering each applicable CIP standard. For High and Medium Impact BCS, CIP-003 also requires a delegated senior manager with authority and responsibility for the entity’s CIP compliance program. For Low Impact BCS, CIP-003-9 added supply chain risk management requirements, electronic access controls, and physical security controls that were previously applied only to High and Medium Impact assets. The Low Impact supply chain additions are among the most recently audited areas.
CIP-004: Personnel & Training
CIP-004 covers the human elements of BCS security. It requires security awareness training at least once every 15 calendar months for all personnel with access to BCS, plus role-specific training covering the relevant CIP requirements for each role. Personnel Risk Assessments (PRAs) — background checks covering criminal history, identity verification, and employment history for the prior 7 years — must be completed before granting access to BCS or associated Physical Security Perimeters. PRAs must be refreshed every 7 years. Access revocation within 24 hours of departure is one of the most frequently cited CIP-004 violations.
CIP-005: Electronic Security Perimeters
CIP-005 requires the definition of Electronic Security Perimeters (ESPs) that surround BCS and all associated Cyber Assets. All External Routable Connectivity (ERC) to the ESP must flow through an Electronic Access Point (EAP) with inbound and outbound access controls. Interactive Remote Access (IRA) — any remote access that provides an operator the ability to interact with BCS — requires an encrypted tunnel, multi-factor authentication (MFA), and an intermediate system (jump host) that prevents direct connectivity from the remote device to the BCS. The MFA requirement for IRA is one of the most commonly failed CIP-005 sub-requirements.
CIP-006: Physical Security of BES Cyber Systems
CIP-006 requires Physical Security Plans that define Physical Security Perimeters (PSPs) protecting High and Medium Impact BCS and their associated Physical Access Control Systems (PACS) and Electronic Access Control and Monitoring Systems (EACMS). All unauthorized access attempts must be detected and responded to. Visitor control programs must log entry and exit of visitors. Physical I&O (Input/Output) ports on BCS must be protected or disabled. PSP documentation must be kept current and reflects the actual physical layout of the facility.
CIP-007: System Security Management
CIP-007 is the most granular of the technical CIP standards and generates the highest number of audit findings. It covers: ports and services (only required ports enabled, documented rationale for enabled ports), security patch management (35-day window for High/Medium Impact BCS), malicious code prevention (anti-malware deployed or documented compensating controls), security event monitoring (security event logging enabled, 90-day log retention minimum for High/Medium), and system access controls (password management for shared/service accounts).
CIP-008: Incident Reporting and Response Planning
CIP-008 requires documented Cyber Security Incident Response Plans (CSIRP) that define Reportable Cyber Security Incidents and the process for responding. Reportable incidents must be reported to the E-ISAC and the applicable Regional Entity within one hour of determination. The CSIRP must include roles and responsibilities, communication procedures, and escalation paths. Critically, CIP-008 Requirement 3 mandates that the CSIRP be tested at least once every 15 calendar months — tabletop exercises are the most widely accepted and cost-effective method for satisfying this requirement.
CIP-009: Recovery Plans for BES Cyber Systems
CIP-009 requires documented Recovery Plans for High and Medium Impact BCS that include conditions for activating the plan, roles and responsibilities, recovery objectives, backup procedures, and validation testing. Recovery plans must be tested at least once every 15 calendar months, and backup restoration must be verified at least once every 15 calendar months under actual or representative conditions. Tests must produce documented results retained as evidence.
CIP-010: Configuration Change Management and Vulnerability Management
CIP-010 requires documented baseline configurations for all High and Medium Impact BCS, with a change management process that detects unauthorized changes within 35 days. Vulnerability assessments must be performed at least once every 15 calendar months for High Impact BCS (active scanning allowed) and every 36 months for Medium Impact BCS. Transient Cyber Assets (laptops, removable media) used with BCS must be managed under documented controls that address malware scanning, authorized software, and network connectivity restrictions.
CIP-011: Information Protection
CIP-011 requires documented information protection programs covering how BCS Information — data that could be used to gain unauthorized access to BCS — is handled, stored, transmitted, and disposed of. This includes network diagrams, configuration files, vulnerability assessment results, and similar sensitive documentation. Physical and electronic controls must protect BCS Information from unauthorized access, and procedures must address secure disposal of storage media.
CIP-013: Supply Chain Risk Management
CIP-013 requires documented supply chain cyber security risk management plans covering procurement of industrial control system hardware, software, and services. Required elements include: vendor identification and verification of authenticity of software and patches, controls for vendor remote access, procedures for addressing vulnerabilities in vendor-supplied products, and methods for detecting counterfeit components. Plans must be reviewed and approved by the senior manager at least once every 15 months. CIP-003-9 extended supply chain requirements to Low Impact BCS.
CIP-014: Physical Security for Transmission Stations
CIP-014 applies to transmission stations and substations that, if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. It requires an initial risk assessment to identify applicable facilities, a vulnerability assessment of identified facilities, and implementation of a documented physical security plan to address unacceptable risks identified. The vulnerability assessment must be performed by an unaffiliated third party with experience in physical security.
3. BES Cyber System Categorization: The Critical First Step
BES Cyber System (BCS) categorization under CIP-002 is the most consequential step in building a NERC CIP compliance program. Every subsequent compliance obligation — patch windows, access controls, monitoring requirements, testing frequency — flows from the impact category assigned to each BCS. Getting categorization wrong is the single most common root cause of systemic CIP compliance failures.
High Impact BES Cyber Systems
High Impact BCS includes BCS used by and located at control centers that perform the functional obligations of a Reliability Coordinator, Balancing Authority, or Transmission Operator that operationally controls the BES. In practice, this means Energy Management Systems (EMS) and SCADA systems at transmission control centers are almost always High Impact. High Impact BCS face the most rigorous requirements across all standards and require the most extensive evidence packages.
Medium Impact BES Cyber Systems
Medium Impact BCS includes BCS at generation facilities meeting specific capacity thresholds (typically 1,500 MW or greater for certain facility types), transmission substations meeting voltage and configuration criteria in CIP-002 Attachment 1, and control centers not qualifying as High Impact but still performing BES reliability functions. The criteria are detailed and facility-specific — consulting the actual Attachment 1 criteria is essential, as the thresholds vary by facility type.
Low Impact BES Cyber Systems
Low Impact BCS encompasses all remaining BCS at facilities subject to CIP that do not meet High or Medium Impact criteria. Low Impact requires a documented cyber security plan under CIP-003, but does not require the individual system-level documentation and controls demanded by CIP-005 through CIP-011. However, CIP-003-9 added meaningful requirements to Low Impact programs: electronic access controls, physical security controls, incident response planning, and supply chain risk management provisions.
Why Categorization Errors Are the Number One Audit Finding
Categorization errors fall into two failure modes. Under-scoping — failing to identify qualifying assets as High or Medium Impact — results in direct CIP standard violations because required controls were not applied to applicable systems. Over-scoping does not create violations but imposes unnecessary compliance burden and cost. The annual review requirement under CIP-002 exists specifically to address changes in facility configuration, capacity, or connectivity that could change a BCS’s impact categorization. Facilities that have undergone expansion, interconnection changes, or control system upgrades without re-evaluating CIP-002 categorization are at high audit risk.
4. The NERC CIP Audit Process
NERC compliance monitoring is not limited to formal audits. The compliance monitoring and enforcement program includes multiple mechanisms, each with different notice periods, scope, and implications.
Types of NERC Compliance Monitoring
- Compliance Audits: The most comprehensive form. Typically on a 3-6 year cycle for larger entities. Auditors review a 3-year lookback period for all applicable standards. Conducted either on-site or remotely.
- Spot Checks: Targeted reviews of specific standards or requirements, often triggered by a specific concern. Shorter notice period than a full audit.
- Compliance Investigations: Triggered by a reported incident, self-report, or complaint. Can result in findings and penalties.
- Self-Certifications: Annual or periodic certifications by the entity that certain standards are being met. Self-certification errors that auditors later discover are treated as violations.
- Self-Reports: Voluntary disclosure of a potential violation. Self-reporting is a significant mitigating factor in penalty determination and is strongly encouraged.
Audit Timeline
A comprehensive NERC CIP audit typically spans 6 to 18 months from initial notification through final audit report and close-out. The process includes pre-audit data requests (document collection), an on-site or remote audit period (1–2 weeks for the active review), preliminary findings discussion, draft audit report, entity response, and final audit report. Evidence packages must be organized and ready to produce on request — auditors work from a structured data request list and will note evidence gaps as potential violations.
What Auditors Examine
NERC auditors evaluate operating effectiveness over the lookback period. Evidence must demonstrate that required controls were operating continuously — not just that they were configured at the time of the audit. Auditors will request: patch management logs showing 35-day windows were met for each patch, access review records showing timely revocation, change management logs for each BCS change, training completion records for all personnel with BCS access, incident response test documentation, and vulnerability assessment reports. Missing, incomplete, or undated evidence packages are the most common driver of findings.
Penalty Determination
Penalties are determined under NERC’s Sanction Guidelines. Each violation carries a base penalty determined by the violation risk factor (VRF: lower, medium, high) and the violation severity level (VSL: lower, moderate, high, severe). Aggravating factors (repeated violations, lack of remediation, concealment) can increase penalties substantially. Mitigating factors (self-reporting, prompt remediation, management commitment to compliance, no harm to reliability) reduce penalties. The maximum penalty under FERC-approved Sanction Guidelines is $1 million per violation per day.
Run a NERC CIP Tabletop Exercise
Validate your CIP-008 incident response plan with an ICS-specific tabletop exercise. Generates direct audit evidence for your next NERC compliance review — no setup required.
5. The 10 Most Common NERC CIP Audit Findings
CIP-007 patch management, CIP-004 access revocation, and CIP-010 change management account for over 50% of all NERC CIP violation findings across Regional Entity audit programs.
Source: CyberICS Solutions Research — Analysis of NERC public penalty orders and RE audit findings, 2023–2026
- Patch management SLAs missed (CIP-007-6 R2): The 35-calendar-day window for applying security patches to High and Medium Impact BCS is strict. Missed patches require documented mitigation plans, but missing both the patch window and the mitigation plan documentation is the most common CIP-007 finding.
- Access not revoked within 24 hours of personnel departure (CIP-004): CIP-004 Requirement 5 mandates revocation of physical and electronic access within 24 hours of a termination. Organizations with manual de-provisioning workflows routinely miss this window.
- Change management process not followed for BCS modifications (CIP-010): Undocumented changes to BCS configurations — even minor updates applied by operations staff — violate CIP-010 Requirement 1. Changes without baseline deviation documentation are a consistent finding.
- Interactive Remote Access (IRA) controls insufficient (CIP-005): Organizations that provide vendor remote access through encrypted tunnels but without MFA or without an intermediate system (jump host) fail CIP-005 R2. Vendor remote access is a high-priority audit focus area.
- Incident response plan not tested annually with documented lessons learned (CIP-008): CIP-008 R3 requires testing at least once every 15 calendar months and documentation of the test, including lessons learned and any updates made to the CSIRP as a result. Missing test documentation is cited in nearly every NERC audit.
- Vendor risk program does not cover all CIP-013 categories: Many entities have procurement controls but lack the specific CIP-013 elements: software authenticity verification, patch authenticity verification, controls for vendor remote access to BCS, and procedures for addressing disclosed vulnerabilities in vendor products.
- Physical security perimeter documentation outdated (CIP-006): PSP documentation that does not reflect actual physical modifications to protected facilities — expansions, new equipment installations, changed access points — results in documentation violations even if the physical controls themselves are adequate.
- Transient devices used in BCS environments without CIP-010 controls: Laptops and USB drives brought into BCS environments by contractors or operations staff without going through the documented transient device management program are a frequent source of CIP-010 findings.
- BCS categorization scope too narrow: Newly added generation units, interconnected substations, or updated control systems that have not been evaluated under CIP-002 for impact categorization represent scoping violations that can cascade across all applicable standards.
- Recovery plan never tested under simulated outage conditions (CIP-009): CIP-009 R2 requires testing at least once every 15 calendar months, including backup restoration verification. Organizations that document a plan but never test recovery procedures fail the operating-effectiveness standard auditors apply.
6. NERC CIP and OT/ICS Security Frameworks
NERC CIP does not exist in isolation. Utilities that operate across multiple jurisdictions or pursue multiple certifications benefit from understanding how NERC CIP relates to adjacent OT/ICS security frameworks.
NERC CIP and NIST SP 800-82
NIST SP 800-82 Revision 3, “Guide to Operational Technology (OT) Security,” provides detailed technical implementation guidance for industrial control system security. NERC CIP sets the mandatory requirements; 800-82 Rev. 3 describes how to implement them. Organizations that use 800-82 as the technical implementation guide for NERC CIP controls benefit from NIST’s detailed coverage of SCADA, DCS, PLC, and RTU security that NERC CIP references but does not fully elaborate. The two frameworks are highly complementary.
NERC CIP and IEC 62443
European utilities and multinational energy operators pursuing IEC 62443 certification find approximately 70% control overlap with NERC CIP High and Medium Impact requirements. IEC 62443’s zone-and-conduit model maps to NERC CIP’s ESP and EAP concepts. IEC 62443’s Security Level (SL) targets map to NERC CIP impact categories. Organizations pursuing both frameworks can design unified control sets that satisfy both, reducing duplication. The primary differences are in audit methodology and third-party verification requirements.
NERC CIP and NIST CSF
The NIST Cybersecurity Framework’s five functions — Identify, Protect, Detect, Respond, and Recover — map cleanly to the NERC CIP standard suite. CIP-002 supports Identify; CIP-004 through CIP-011 support Protect and Detect; CIP-008 and CIP-009 support Respond and Recover. Organizations using NIST CSF as a risk management overlay can use it to identify security investment priorities beyond the minimum NERC CIP requirements, supporting a more comprehensive OT security posture than compliance alone provides.
NERC CIP and NIS2
US utilities with European operations — or European utilities with US BES participation — face potential dual obligations under NERC CIP and NIS2. A key operational difference is incident reporting timelines: NERC CIP requires notification of reportable incidents to the E-ISAC and the applicable Regional Entity within one hour of determination. NIS2 requires an early warning within 24 hours and a detailed notification within 72 hours. Organizations subject to both must maintain separate notification procedures and workflows for each regulatory requirement, as the determination thresholds, recipients, and content requirements also differ.
Tabletop Exercises for NERC CIP Compliance
Tabletop exercises serve multiple NERC CIP compliance functions simultaneously. CIP-008-6 Requirement 3 requires annual incident response plan testing — tabletop exercises are explicitly recognized as an acceptable testing method. CIP-009 Requirement 2 requires annual recovery plan testing — scenario-based exercises that simulate loss of BCS and test recovery procedures satisfy this requirement when properly documented. CIP-004 training requirements can be supported by exercise participation records demonstrating that personnel have practiced their roles in a simulated incident scenario. A single well-designed tabletop exercise can generate evidence for CIP-008, CIP-009, and CIP-004 simultaneously.
7. Preparing for Your Next NERC Audit
Audit readiness is not something to build in the months before an audit notice arrives — it must be maintained continuously. The 3-year lookback period means that evidence gaps from two years ago are as relevant to auditors as gaps from last month.
Building an Evidence Management Program
The most effective NERC CIP compliance programs maintain auditor-ready evidence packages for every applicable standard on a continuous basis. For each CIP requirement, this means: dated evidence of each required activity, organized by requirement number and sub-requirement, stored in a retrievable format, with clear identification of the system, the responsible individual, and the date the activity was performed. Patch management logs, access review records, change management documentation, and training completion records are the most frequently requested evidence categories. Gaps in the continuous record — months without patch management documentation, for example — are treated as violations even if controls were technically in place.
Gap Analysis Checklist by Standard
- CIP-002: Annual BCS categorization review completed with documented rationale. All new or modified facilities evaluated for impact category changes.
- CIP-003: Documented security policies covering each applicable CIP standard, approved by senior manager, reviewed within last 15 months.
- CIP-004: Current personnel access list with PRA dates. Access revocation procedures with 24-hour compliance evidence. Training completion records for all BCS-access personnel within last 15 months.
- CIP-005: ESP diagrams current and accurate. All IRA sessions documented with MFA and intermediate system evidence. All vendor remote access logged.
- CIP-007: 35-day patch management log for all High/Medium BCS. Open ports documented with business rationale. Anti-malware current on all applicable systems.
- CIP-008: CSIRP tested within last 15 months with documented lessons learned. Reportable incident determination criteria documented and understood by all relevant personnel.
- CIP-009: Recovery plan tested within last 15 months. Backup restoration verified under actual or representative conditions with documented results.
- CIP-010: Documented baseline configurations for all High/Medium BCS. Change management log covering all BCS modifications. Transient device procedures documented and followed.
- CIP-013: Supply chain risk management plan reviewed and approved by senior manager within last 15 months. Vendor software authenticity verification procedures documented.
- CIP-014: Vulnerability assessment current (every 5-6 years per RE guidance). Physical security plan implemented and documented for all qualifying transmission facilities.
Leveraging Tabletop Exercises as Compliance Evidence
ICS-specific tabletop exercises are the most cost-effective method for generating CIP-008 and CIP-009 compliance evidence on an annual basis. A well-structured exercise should: simulate a realistic BES cyber incident scenario, walk participants through the CSIRP including the one-hour notification determination workflow, test recovery procedures for affected BCS, document participant roles and decisions, and capture lessons learned that drive CSIRP or recovery plan updates. The CyberICS Solutions platform includes NERC CIP-mapped scenarios designed specifically to test the notification and recovery procedures required by CIP-008 and CIP-009 — generating directly auditable exercise documentation.
Prepare Your Team for NERC CIP Audits
ICS-specific tabletop exercises mapped to NERC CIP standards. Run exercises that generate direct CIP-008 and CIP-009 compliance evidence — start free.
Frequently Asked Questions
What is the difference between High, Medium, and Low Impact BES Cyber Systems?
Categorization is determined by CIP-002 Attachment 1 criteria. High Impact BCS includes control centers that operationally control the bulk electric system, typically hosting EMS and SCADA systems. Medium Impact includes generation facilities meeting specific capacity thresholds (typically 1,500 MW or more for certain facility types) and qualifying transmission substations. Low Impact includes all remaining BCS at facilities subject to NERC CIP standards. Impact category determines which specific CIP standards apply and at what level of rigor.
How large are NERC CIP fines?
NERC CIP fines can reach up to $1,000,000 per violation per day under FERC-approved Sanction Guidelines. Penalties are calculated based on a base amount determined by the violation risk factor (VRF) and violation severity level (VSL), adjusted by aggravating and mitigating factors. NERC has levied penalties exceeding $10 million in individual enforcement actions. Prompt self-reporting and demonstrated remediation are the most significant mitigating factors available to entities.
What is the patch management window under NERC CIP?
CIP-007-6 Requirement 2 requires that security patches for High and Medium Impact BES Cyber Systems be applied within 35 calendar days of the patch being released by the vendor. Patches that cannot be applied within 35 days must have a documented mitigation plan. The 35-day clock runs from the date the vendor releases the patch, not from when the entity becomes aware of it. Patch management records must be retained as evidence of compliance.
Is NERC CIP compliance required in Canada?
Yes. NERC CIP standards apply in Canada through the same regional entity enforcement structure used in the United States. WECC, NPCC, MRO, and SERC all have Canadian members. Provincial regulators participate in the NERC compliance monitoring framework. Canadian bulk electric system operators are subject to the same CIP standards, audit processes, and penalty structures as their US counterparts.
How do tabletop exercises satisfy NERC CIP requirements?
CIP-008-6 Requirement 3 mandates annual testing of the Cyber Security Incident Response Plan (CSIRP) at least once every 15 calendar months. Tabletop exercises are the most widely accepted method for satisfying this requirement. The exercise must be documented, and the documentation must capture the test date, participants, scenario used, decisions made, and lessons learned. Any updates to the CSIRP resulting from the exercise must also be documented. CIP-009 recovery plan testing can be satisfied by exercises that simulate loss of BCS and test recovery procedures.
Next Steps & Related Resources
The most effective preparation for a NERC CIP audit is continuous evidence management combined with regular tabletop exercises that practice the exact notification and recovery workflows auditors will evaluate. The CyberICS Solutions platform includes NERC CIP-specific scenarios for electric utility, transmission, and generation environments, designed to produce auditable CIP-008 and CIP-009 compliance documentation. Start with the NERC CIP toolkit to explore available scenarios, then use the exercise runner to generate your first CIP-008-compliant test record.