AICPA SOC Service Organizations - Certrec
NERC CIP Standards

Protected Through NERC CIP Standards & Compliance

Cyberattacks Are on the Rise and the Power Grid and Utilities Are Attractive Targets.

Certrec has helped generating facilities with NERC compliance, and we manage the entire NERC compliance program for registered sites in the US, Canada, and Mexico.

Audit Support

We offer a multitude of options to support your entity in planning for your next audit.

Program Management

NERC compliance is complex. Gain access to our subject matter experts on demand.

Inverter-Based Resources

Changes are coming that will force many owners of inverter-based resources to register with NERC for the first time.

NERC CIP Standards & Compliance

NERC CIP Standards

The NERC CIP standards were first released in 2006 and approved by the Federal Energy Regulatory Commission in 2008. Since that time, they have gone through several major and minor revisions, and continue to be revised to better meet the risk from evolving cyber and physical threats to the Bulk Electric System (BES).

Each new revision either expands, contracts, or consolidates the requirements for compliance.

Without a thorough understanding of exactly what is required, you run the risk of doing more than what’s necessary, costing valuable man-hours.

On the other hand, not doing enough can result in violations, leading to large fines and lost productivity due to extensive remediation work to bring systems back into compliance. Violations also cause damage to the reputation of your business, lost revenues, and can negatively affect the inherent acquisition value of the facility.

What categories are covered by NERC CIP Standards?

The following is a list of standards that are active and subject to enforcement.

  • CIP-002-5.1a Cyber Security — BES Cyber System Categorization
  • CIP-003-8 Cyber Security — Security Management Controls
  • CIP-004-6 Cyber Security — Personnel & Training
  • CIP-005-6 Cyber Security — Electronic Security Perimeter(s)
  • CIP-006-6 Cyber Security — Physical Security of BES Cyber Systems
  • CIP-007-6 Cyber Security — System Security Management
  • CIP-008-6 Cyber Security — Incident Reporting and Response Planning
  • CIP-009-6 Cyber Security — Recovery Plans for BES Cyber Systems
  • CIP-010-3 Cyber Security — Configuration Change Management and Vulnerability Assessments
  • CIP-011-2 Cyber Security — Information Protection
  • CIP-012-1 Cyber Security — Communications between Control Centers
  • CIP-013-1 Cyber Security — Supply Chain Risk Management
  • CIP-014-2 Physical Security

CIP-002-5.1a

According to NERC documentation, the purpose of CIP-002-5.1a is:

To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.

CIP-003-8

NERC states the purpose of CIP-003-8 is:

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

White Paper

Tips for Complying with Low-Impact CIP

Effective Compliance with Low-Impact CIP: Discover how Certrec’s specialized services guide and support your organization in meeting the less intensive but crucial NERC CIP requirements for low-impact facilities. Our approach balances regulatory mandates with practical, tailored strategies.

What is the significance of the impact level?

CIP-002-5.1a and CIP-003-8 require the entity to categorize its systems and assets as having Low, Medium, or High potential impact on the power grid (or BES) according to the prescriptive criteria provided by NERC.

The requirements are much greater for High and Medium impact assets than for Low impact assets. Therefore, it is extremely important to comprehensively identify all of your entity’s assets and then accurately categorize them as Low, Medium, or High impact so you can be certain you are meeting the correct level of requirements for successful compliance.

Why would you want help for NERC CIP compliance?

NERC CIP compliance demands a certain level of very specific knowledge and experience to make sure you meet all the appropriate requirements without wasting time and costly resources on unnecessary tasks.

This kind of knowledge is only gained by doing something over and over.

If CIP compliance isn’t your main job, it will be difficult to get enough repetition to obtain that familiarity.

There are companies that offer compliance as a very cheap, or even free, add-on to their other services. However, many entities have found out the hard way that the costs of a violation far exceed any initial savings.

NERC compliance is our focus. It’s not an ancillary service—it’s the core of what we do.

  • We have helped over 120 generating plants establish and maintain NERC compliance programs
  • Over 45 registered sites depend on us to manage their entire NERC compliance program
  • 75% of our NERC compliance consultants have more than 30 years of plant operations and compliance experience
NERC CIP Health Check

How can I measure my plant's well-being?

Take the NERC CIP Health Check to assess the robustness of your plant's physical and cyber security measures. Find out where you are now, then take advantage of the free 20-minute call if you have any concerns about your score.
