Project 2023-04 Modifications to CIP-003

​​​​​​​​Related Files​

The comment period and initial ballots for draft one of CIP-003-A – Cyber Security – Security Management Controls concluded 8 p.m. Eastern, Thursday, December 7​, 2023.

The supplemental nomination period for drafting team members concluded 8 p.m. Eastern, Thursday, December 7​, 2023. The Standards Committee is expected to appoint members to the drafting team in January, 2024. Nominees will be notified shortly after they have been appointed.

In light of cybersecurity events and the evolving threat landscape, the NERC Board took action at its February 4, 2021 meeting to direct NERC staff, working with stakeholders, to expeditiously complete its broader review and analysis on facilities that house low impact Bulk Electric System (BES) Cyber Assets. Specifically, the degrees of risk presented by various facilities that house the low impact BES Cyber Assets and report on whether the low impact criteria should be modified. To assist in this evaluation, NERC staff assembled a team of cybersecurity experts and compliance experts representative of a cross section of industry, called the Low Impact Criteria Review Team (LICRT). The LICRT's primary purpose was to discuss the potential threat and risk posed by a coordinated cyber attack on low impact BES Cyber Systems. In its report, the LICRT documented the results of the review and analysis of degrees of risk presented by various facilities that meet the criteria that define low impact cyber facilities and recommends actions to address those risks. The Board accepted the LICRT's report at its November 2022 meeting and asked that the recommendations in the report be initiated. The Standards Committee accepted the SAR at its March 22, 2023 meeting.

Standard Affected: CIP-003-9

Purpose/Industry Need
The LICRT report recognized that low impact BES Cyber Systems may introduce BES reliability risks of a higher impact where distributed low impact BES Cyber Systems are used for a coordinated attack. The team recommended enhancing the existing low impact category to further mitigate the coordinated attack risk. The proposed project will revise CIP-003-9 to add controls to authenticate remote users, protect the authentication information in transit, and detect malicious communications assets containing low impact BES Cyber Systems with external routable connectivity. ​

Subscribe to this project's observer mailing list 
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify “Project 2023-04 Modifications to CIP-003 Observer List” in the Description Box.

DraftActionsDatesResultsConsideration of Comments

Draft 1

Clean | Redline to Last Approved

Implementation Plan​


Supporting Materials

Technical Rationale​​

Unofficial Comment Form

VRF/VSL Justifications


   Supplemental Drafting Team Nominations​

​Initial Ballot

Ballot Open Reminder​



11/28/23 - 12/07/23

Ballot Results


Join Ballot Pools​​

10/24/23 - 11/27/23

​​​​​Comments Received​

​Comment Period


Sub​mit Comments​

10/24/23 - 12/07/23​
Supplemental Nomination Period


Submit Nominations​​

10/24/23 - 12/07/23
​​Standard Authorization Request
Clean | Redline​
​​Accepted by the Standards Committee

Standard Authorization Request

Low Impact Criteria Review Team Report​​

Supporting Materials

Unofficial Com​ment Form (Word)

Comment Period


Submit Comments

3/31/2023 - 5/15/2023

Drafting Team Nominations

Supporting Materials

Unofficial Nomination Form (Word) 

Nomination Period


Submit Nominations​​

3/31/2023 - 5/15/2023