CIP Compliance
In 2007, FERC designated NERC the ERO in accordance with Section 215 of the Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC’s approval, NERC’s Reliability Standards became mandatory within the United States. These mandatory Reliability Standards include CIP standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid. To date, these standards (and those promulgated by the Nuclear Regulatory Commission) are the only mandatory cybersecurity standards in place across the critical infrastructures of the United States. Subject to FERC oversight, NERC and its Regional Entity partners enforce these standards, which are developed with substantial input from industry and approved by FERC, to accomplish NERC's mission of ensuring the security and reliability of the electric grid.
NERC’s nine mandatory CIP standards address the following areas:
  • CIP-001: Covers sabotage reporting;
  • CIP-002: Requires the identification and documentation of the Critical Cyber Assets associated with the Critical Assets that support the reliable operation of the Bulk Electric System;
  • CIP-003: Requires that responsible entities have minimum security management controls in place to protect Critical Cyber Assets;
  • CIP-004: Requires that personnel with authorized cyber or unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness;
  • CIP-005: Requires the identification and protection of the Electronic Security Perimeters inside which all Critical Cyber Assets reside, as well as all access points on the perimeter;
  • CIP-006: Addresses implementation of a physical security program for the protection of Critical Cyber Assets;
  • CIP-007: Requires responsible entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the other (non-critical) Cyber Assets within the Electronic Security Perimeters;
  • CIP-008: Ensures the identification, classification, response, and reporting of cybersecurity incidents related to Critical Cyber Assets; and
  • CIP-009: Ensures that recovery plans are put in place for Critical Cyber Assets and that these plans follow established business continuity and disaster recovery techniques and practices.
In December 2010, NERC approved an enhancement to its Critical Cyber Asset Identification standard (CIP-002 Version 4) that establishes bright-line criteria for the identification of critical assets. This enhanced standard, which was filed with FERC in February 2011, was approved on April 19, 2012. The implementation of the CIP standards under the bright-line approach is currently underway.

Atlanta Office | 3353 Peachtree Road, NE Suite 600 North Tower, Atlanta, GA 30326 | 404-446-2560
Washington Office | 1325 G Street, NW Suite 600, Washington, DC 20005 | 202-400-3000

Copyright 2016 North American Electric Reliability Corporation. All rights reserved.