NERC CIP Standards

Cyberattacks are on the rise and the power grid and utilities are attractive targets.

Are you in compliance?

Certrec’s free NERC CIP Health Check will give you a grade from A to F.

Afterwards you are eligible for a free 30-minute call with a Certrec NERC expert to help you understand your grade.

The NERC CIP standards were first released in 2006 and approved by the Federal Energy Regulatory Commission in 2008. Since that time, they have gone through several major and minor revisions, and continue to be revised to better meet the risk from evolving cyber and physical threats to the Bulk Electric System (BES).

Each new revision either expands, contracts, or consolidates the requirements for compliance.

Without a thorough understanding of exactly what is required, you run the risk of doing more than what’s necessary—costing valuable man-hours.

On the other hand, not doing enough can result in violations, leading to large fines and lost productivity due to extensive remediation work to bring systems back into compliance. Violations also cause damage to the reputation of your business, lost revenues, and can negatively affect the inherent acquisition value of the facility.

What categories are covered by NERC CIP Standards?

Other than CIP-001, which was retired, the following standards are subject to enforcement.

  • CIP-002-5.1a Cyber Security—BES Cyber System Categorization
  • CIP-003-8 Cyber Security—Security Management Controls
  • CIP-004-6 Cyber Security—Personnel & Training
  • CIP-005-6 Cyber Security—Electronic Security Perimeter(s)
  • CIP-006-6 Cyber Security—Physical Security of BES Cyber Systems
  • CIP-007-6 Cyber Security—System Security Management
  • CIP-008-6 Cyber Security—Incident Reporting and Response Planning
  • CIP-009-6 Cyber Security—Recovery Plans for BES Cyber Systems
  • CIP-010-3 Cyber Security—Configuration Change Management and Vulnerability Assessments
  • CIP-011-2 Cyber Security—Information Protection
  • CIP-012-1 Cyber Security—Communications between Control Centers
  • CIP-013-1 Cyber Security—Supply Chain Risk Management
  • CIP-014-2 Physical Security
According to NERC documentation, the purpose of CIP-002-5.1a is:

To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Identification and categorization of BES Cyber Systems support appropriate protection against compromises that could lead to misoperation or instability in the BES.


NERC states the purpose of CIP-003-8 is:

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the Bulk Electric System (BES).

What is the significance of the impact level?

CIP-002-5.1a and CIP-003-8 require the entity to categorize its systems and assets as having Low, Medium, or High potential impact on the power grid (or BES) according to the prescriptive guidelines provided by NERC.

The requirements are much greater for High and Medium impact assets than for Low impact assets. Therefore, it is extremely important to comprehensively identify all of your entity’s assets and then accurately categorize them as Low, Medium, or High impact so you can be certain you are meeting the correct level of requirements for successful compliance.

Why would you want help for NERC CIP compliance?

NERC CIP compliance demands a certain level of very specific knowledge and experience to make sure you meet all the appropriate requirements without wasting time and costly resources on unnecessary tasks.

This kind of knowledge is only gained by doing something over and over.

If CIP compliance isn’t your main job, it will be difficult to get enough repetition to obtain that familiarity.

There are companies that offer compliance as a very cheap, or even free, add-on to their other services. However, many entities have found out the hard way that the costs of a violation far exceed any initial savings.

NERC compliance is our focus. It’s not an ancillary service—it’s the core of what we do.

  • We have helped over 120 generating plants establish and maintain NERC compliance programs
  • Over 45 registered sites depend on us to manage their entire NERC compliance program
  • 75% of our NERC compliance consultants have more than 30 years of plant operations and compliance experience

How can I measure my plant’s well-being?

Take the NERC CIP Health Check to assess the robustness of your plant’s physical and cyber security measures. Find out where you are now, then take advantage of the free 20-minute call if you have any concerns about your score.

“Certrec understands exactly what needs to be done so I don’t have to. I can focus on my job.”
~ Plant Manager