AICPA SOC Service Organizations - Certrec

Top Ten Practices to Ensure Your Utility Is Compliant with NERC CIP

Top Ten Practices to Ensure Your Utility Is Compliant with NERC CIP - Certrec

Maintaining compliance with North American Electric Reliability Corporation Critical Infrastructure Protection (NERC – CIP) regulations is of utmost importance for electric power utilities to avoid fines, penalties (see Certrec’s NERC Penalties page), and potential risks to the reliability and security of the bulk electric supply. Not only does this compliance safeguard your organization and leadership from reputational damage, but it also upholds the overall security of the North American bulk power system. 

At Certrec, our team of regulatory and compliance professionals boasts decades of experience within the utility sector. Drawing from this expertise, we have compiled some best practices to empower your electric power utility in significantly reducing the risk of non-compliance fines or penalties and bolstering the security and reliability of your operations.

Here are a few best practices to maintain compliance and minimize the risk of fines or penalties:

1. It’s a Moving Target.

Stay Informed: Keep up with the latest NERC CIP requirements, guidelines, and changes as they are constantly evolving. To stay informed about updates or new compliance expectations, it’s essential to regularly review NERC publications and announcements. Certrec’s RegSource GRC, which can be found at, ensures you stay in the loop effectively.

Moving Target - Certrec
2.  Commit People, Time, and Resources to Ensure Compliance.

Establish a Compliance Program: Establish a comprehensive compliance program that encompasses all NERC CIP regulations. This program should consist of clear policies, procedures, and controls to guarantee strict adherence to the standards. You have the option to run the compliance program internally or engage an external compliance services organization such as Certrec, or even opt for a hybrid approach. Consider reviewing this analysis, which illustrates how Certrec’s NERC Compliance Program Management can often cost only half or even one-third of an internal Full Time Equivalent position.

3.  Put someone in Charge to Lead It.

Designate a Compliance Officer: It is essential to appoint a dedicated compliance officer or team to oversee and implement the compliance program. This individual or team must possess a thorough understanding of NERC CIP requirements and be proactive in identifying and addressing potential compliance gaps. If you need assistance in finding the right resource, Certrec can help, or alternatively, we can assign one of our experienced program managers to support your needs. For more information, please reach out to us at

Put someone in Charge to Lead It - Certrec
4. Keep a Check on Status and Progress.

Perform Regular Risk Assessments: Conduct regular risk assessments to identify potential vulnerabilities in your infrastructure. This process helps you pinpoint areas where compliance may be at risk and enables you to take appropriate corrective actions. Certrec can perform gap analyses and also mock audits to help you stay with the latest developments in NERC CIP requirements.

Keep a Check on Status and Progress - Certrec
5. Create a Culture of Compliance.

Develop and Implement Training Programs: Educate your staff about NERC CIP regulations, their importance, and their role in compliance. Provide targeted training to employees who manage critical assets, ensuring they understand their responsibilities in maintaining compliance. Ensure that the whole team realizes that NERC CIP compliance is not an option but a foundation of behavior, and reward behaviors that exhibit the right culture. Certrec has senior NERC compliance leaders who can coach your organization to develop a strong culture of compliance. if compliance is part of the cultural fabric, it will be much easier to stay compliant.

6. Regular Self-Testing Is Required.

erform Self-Audits: Conduct regular internal audits to assess your utility’s compliance status. These self-audits are crucial in identifying areas for improvement and addressing issues proactively before they escalate into larger problems. Additionally, the knowledge gained from these audits will jumpstart the organization’s compliance efforts.

7. Save the Evidence

Maintain Documentation: Keep detailed records and documentation of all compliance activities, risk assessments, audits, and training programs. Meticu- lous documentation serves as irrefutable evidence of your commitment to meeting NERC CIP requirements.

8.  Mock Audits Ensure Compliance.

Engage in External Audits: Consider involving external auditors to conduct independent evaluations of your compliance program. Such audits offer an unbiased assessment of your utility’s adherence to NERC CIP regula- tions and can effectively pinpoint any potential weaknesses.

Mock Audits Ensure Compliance - Certrec
9. Ensure You Are Vigilant, and Monitor and Report Breaches.

Incident Response and Reporting: Enhance your security measures with a comprehensive Incident Response and Reporting plan. This plan should outline the necessary steps to be taken in the event of a security breach or violation. Make sure that all incidents are promptly reported to the appropriate authorities, as mandated by NERC CIP regulations. This approach will help you establish a strong and efficient response system, ensuring security is upheld.

Ensure You Are Vigilant, and Monitor - Certrec
10. Even Your Vendors Must Be Compliant.

Monitor Third-Party Compliance: In cases where your utility depends on third-party vendors or contractors, it is imperative to ensure their adherence to NERC CIP regulations. Regularly reviewing their compliance status and verifying their adherence to the necessary standards is essential.

And here is a bonus activity:

11.     Collaborate and Network in the Industry.

Participate in Industry Sharing and Collaboration: Connect with fellow electric power utilities and organizations to exchange best practices and experiences. This collaborative approach offers valuable insights that can significantly improve your compliance measures. We highly recommend engaging with renowned organizations such as the North American Generator Forum (NAGF) or participating in meetings held by regional entities like WECC or SERC. These interactions will prove instrumental in achieving your compliance goals.

Improve your electric power utility’s compliance with NERC CIP regulations and strengthen the security and reliability of your operations. These best practices can significantly reduce the risk of fines or penalties for non-compliance.

Remember, NERC CIP compliance isn’t just about ticking boxes; it’s about cultivating a culture of compliance that ensures your grid remains reliable and secure. By embracing these practices, you’ll safeguard your organization’s reputation and your team’s integrity, including its leadership.

Have questions or need guidance? Reach out to our experts at

Our experts are here to help you navigate the challenges of NERC CIP compliance effectively. Let’s work together to secure your energy infrastructure for a safer and more reliable future.