FERC Approves Multiple Cyber Standards

FERC approved a slate of updates to NERC's Critical Infrastructure Protection standards intended to improve grid security while enabling the use of new technologies.

FERC approved a slate of updates to nearly the entire library of NERC’s Critical Infrastructure Protection standards, with Chair Laura Swett calling the ERO’s role in maintaining reliability “important now more than ever” in the face of widespread cybersecurity threats.

The CIP updates comprised three separate items on the agenda of the commission’s monthly open meeting March 19. In the first item, it approved updates to 11 standards intended to establish a baseline of security requirements enabling utilities to use virtualization technologies safely (RM24-8). NERC submitted the standards to the commission for approval in July 2024, along with four new and 18 revised definitions for its Glossary of Terms. (See NERC Sends Virtualization Standards to FERC.)

FERC approved updates to the following standards:

    • CIP-002-7 (Cybersecurity — BES cyber system categorization)
    • CIP-003-10 (Cybersecurity — security management controls)
    • CIP-004-8 (Cybersecurity — personnel and training)
    • CIP-005-8 (Cybersecurity — electronic security perimeters)
    • CIP-006-7.1 (Cybersecurity — physical security of BES cyber systems)
    • CIP-007-7.1 (Cybersecurity — systems security management)
    • CIP-008-7.1 (Cybersecurity — incident reporting and response planning)
    • CIP-009-7.1 (Cybersecurity — recovery plans for BES cyber systems)
    • CIP-010-5 (Cybersecurity — configuration change management and vulnerability assessments)
    • CIP-011-4.1 (Cybersecurity — information protection)
    • CIP-013-3 (Cybersecurity — supply chain risk management)

When it submitted the standards, NERC wrote they “would allow responsible entities to fully implement virtualization and address risks associated with virtualized environments.” Virtualization constitutes “the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical hardware resources required to perform various functions,” according to the National Institute of Standards and Technology.

Among the changes to enable virtualization are revisions to language that would allow the use of more varieties of security models, permit broader change management approaches “to recognize the dynamic nature of virtualized technologies” and specify how accessibility and attack surfaces of virtualized configurations can be managed. NERC also proposed to replace the phrase “technical feasibility” with “per system capability,” which would allow entities more flexibility when applying the CIP requirements to non-physical systems.

FERC observed that comments from stakeholders on its November 2025 Notice of Proposed Rulemaking to approve the 11 standards generally supported their passage. Respondents focused on the “significant cybersecurity benefits and flexibility in responding to cyber threats” of virtualization, and on the way they allow “for the secure adoption of emerging technology.” (See ERO, Stakeholders Support Proposed Cybersecurity Standards.)

However, the commission also reiterated its concern expressed in the NOPR that the “per system capability” language could “allow responsible entities to self-implement an exception with marginal oversight and no alternative mitigation obligation.” In support of this view, it pointed to comments from the Edison Electric Institute, Pacific Gas and Electric, and MISO that suggested NERC take steps to verify exceptions, either through existing or new programs.

“We are persuaded by commenters that an exception process is still needed for existing and emerging technologies. Indeed, some existing technologies are unable to meet certain CIP requirements and would be out of compliance, with no mitigation opportunity without an exception process,” FERC wrote, adding that it was not convinced NERC’s Compliance Monitoring and Exception Program would be sufficient to catch inappropriate exceptions.

As a result, the commission directed NERC to develop a new program to track per system capability exceptions. FERC specified that the program must include the following three elements:

    • clear criteria to “ensure that responsible entities understand the parameters” for the exception, documentation requirements and the need for entities to implement alternative mitigation approaches;
    • mandatory reporting requirements to NERC, the relevant regional entity or both when the language is invoked; and
    • annual reports to the commission on how entities are using the exceptions, with data anonymized and aggregated.

The annual reports must categorize active exceptions by applicable CIP requirements; include the total number of entities with active exceptions, the total number of reported exceptions that are still in effect and comparisons to the previous reporting period; and discuss the types of assets and systems for which new exceptions are claimed, and the types of mitigation measures employed.

NERC must file the first report with the commission 12 months after the standards become enforceable. The standards become enforceable on the first day of the first calendar quarter that falls 24 months after the effective date of FERC’s order.

Cyber Asset Identification, Low-impact Mitigation

The remaining CIP standards approved at the meeting further modify two of the standards that were part of the virtualization slate.

First was CIP-002-8 (RD24-8), which is intended to “identify and categorize [grid] cyber systems and their associated … cyber assets for the application of cybersecurity requirements.” In its petition for approval, NERC told the commission the major changes from the previous version of the standard involved updating the definition of “control center” to include transmission facilities controlled by transmission owners, and updating other language to reflect this change. The new standard will replace CIP-002-7 on the effective date of CIP-002-7.

Finally, FERC approved CIP-003-11 (RM25-8), meant to address the risk of a coordinated attack using low-impact cyber systems. NERC filed the new standard in December 2024; in the filing, the ERO outlined three categories of controls that would mitigate this risk: authentication of remote users, in-transit protection of authentication information, and detection of malicious communications to or between low-impact grid cyber systems with external routable connectivity.

FERC mentioned in its approval order that its NOPR proposing acceptance of the standard asked respondents whether the commission should direct NERC to perform a study “on evolving threats as they relate to the potential exploitation of low-impact … cyber systems.” Commenters differed on this point, FERC observed.

NERC and a group of trade associations including the American Public Power Association, EEI and the Electric Power Supply Association replied that “NERC already has multiple initiatives underway” to examine this risk, and a new study would duplicate existing efforts.

But attorneys Tammer Haddad and Michael Ravnitzky supported the study. Ravnitzky recommended that NERC be directed to map out “plausible attack chains from low-impact compromises to system effects,” while Haddad urged the commission to go even further and “establish a federal task force for ‘small utility cybersecurity’” to include representatives from FERC, the Department of Energy, NERC and the Cybersecurity and Infrastructure Security Agency.

The commission wrote that it was “persuaded” by NERC’s discussion of its ongoing efforts and observed that the ERO’s recently released CIP Roadmap incorporates an analysis of the danger from aggregated low-impact compromises. FERC concluded on this basis that an additional study would not be necessary but encouraged NERC to look for further “efficiencies in effort and time” to meet the recommendations of the road map.
