Two important factors contribute to cybersecurity requirements for the Bulk Electric System (BES): operations and regulation. The Critical Infrastructure Protection (CIP) standards from the North American Electric Reliability Corporation (NERC) try to balance both these factors. There are two significant CIP standard updates to be implemented in 2026:
- CIP-003-9: Addresses the application and monitoring of security management controls, focusing on lower-risk environments.
- CIP-012-2: Focuses on protecting real-time operational data that’s exchanged between control centers. It strengthens the rules for confidentiality and data handling.
Both updates will improve the placement of controls, compliance tracking, and the overall state of cybersecurity readiness.
CIP-003-9: Cyber Security – Security Management Controls
CIP-003-9 is all about how security management controls are managed and maintained. It outlines the expectations for planning and oversight for registered entities. It was developed as part of the Supply Chain Low-Impact Revisions effort, recognizing that even lower-risk environments still come with real cybersecurity risks and need stronger, clearer controls.
In the United States, CIP-003-9 is listed with an effective date of April 1, 2026. CIP-003-9 refines existing compliance expectations without disrupting ongoing compliance cycles under the prior version. The standard ensures that existing compliance cycles under CIP-003-8 continue without interruption, even as new requirements are introduced.
The key exception is Requirement R1, Part 1.2.6, which addresses documented vendor electronic remote access security controls for Low Impact BES Cyber Systems. This requirement must be fully implemented on day one, while the rest of the periodic actions can continue on their regular schedule.
CIP-012-2: Cyber Security – Communications Between Control Centers
CIP-012-2 is a NERC CIP standard focused on securing real-time assessment and monitoring data while it is transmitted between control centers. The objective is to protect the confidentiality, integrity, and availability of that data in transit. According to the Reliability Standards Development Plan for 2026-2028, CIP-012-2 will become effective on July 1, 2026.
It applies to responsible entities that own or operate a control center, including roles like Balancing Authorities, Reliability Coordinators, Transmission Operators, Transmission Owners, Generator Owners, and Generator Operators.
CIP-012-2 centers on Requirement R1: implement one or more documented plan(s) to mitigate risks of:
- Unauthorized disclosure – someone reading the data.
- Unauthorized modification – someone altering the data.
- Loss of availability – data not being delivered when needed.
Your plan must cover five specific items:
- Methods to mitigate unauthorized disclosure and modification in transit (confidentiality and integrity).
- Methods to mitigate the loss of ability to communicate between control centers (availability).
- Methods to initiate recovery of communication links.
- Where those methods are implemented in the infrastructure.
- Responsibility for specific components when control centers are owned or operated by different entities.
While CIP-015-1 becomes effective September 2, 2025, the phased compliance deadline is not expected to begin until October 1, 2028. However, many proactive teams are already keeping an eye on it. The standard tackles a crucial issue that perimeter controls can’t handle on their own: understanding what is happening inside the network. If an attacker gets past the edge, the ability to spot unusual behavior early can make the difference between a contained issue and a long recovery. CIP-015-1 requires entities to establish visibility through defined monitoring practices and clear data protection expectations in high and medium-impact environments.
While these CIP updates affect daily compliance, the CIP projects NERC is working on in 2026 are also of high value, as they are likely to shape the next set of finalized requirements.
CIP Standards in the 2026 Development Pipeline
Based on the Reliability Standards Development Plan for 2026-2028, submitted by NERC on December 4, 2025, the following is a list of NERC CIP projects, prioritized by significance, expected to be finalized in 2026.
| Project/Standard | Title |
| Project 2023-06 CIP-014 | Risk Assessment Refinement |
| Internal Network Security Monitoring | |
| Project 2023-04 CIP-003-11 (Modifications) | Cyber Security – Security Management Controls |
| Project 2021-03 CIP-002 (Phase 2) | Transmission Owner Control Centers |
| Project 2022-05 CIP-008-8 | Cyber Security – Incident Reporting and Response Planning |
NERC CIP projects under development for 2026.
Conclusion
The CIP updates taking effect in 2026 highlight a steady shift toward security controls that reflect how the grid is actually operated. CIP-003-9 reinforces stronger governance, even in lower-impact environments, while CIP-012-2 addresses the real risk of losing visibility when control centers cannot securely exchange data. Alongside these enforceable changes, the CIP projects moving through NERC’s 2026 development pipeline offer an early view into where compliance expectations are heading, giving entities a chance to prepare rather than react.
FAQs
1. What is the new NERC CIP standard?
2. What are the trends for cybersecurity in 2026?
3. What is the main objective of NERC-CIP-014?
4. What is NERC-CIP-13?
5. How many CIP standards are there?
Disclaimer: Any opinions expressed in this blog do not necessarily reflect the opinions of Certrec. This content is meant for informational purposes only.
