Framework · Utilities & energy

NERC CIP — categorise the assets, prove the controls, build the audit pack.

FERC-approved Reliability Standards for the Bulk Electric System. Apply across the United States, parts of Canada, and one Mexican Baja control area. Currently CIP-002 through CIP-014, with CIP-003 having a low-impact extension and CIP-013 covering supply-chain risk.

The standards, by purpose

• CIP-002 — BES Cyber System categorisation (high, medium, low).
• CIP-003 — security management controls.
• CIP-004 — personnel and training.
• CIP-005 — electronic security perimeters.
• CIP-006 — physical security of BES Cyber Systems.
• CIP-007 — system security management.
• CIP-008 — incident reporting and response planning.
• CIP-009 — recovery plans.
• CIP-010 — configuration change management and vulnerability assessments.
• CIP-011 — information protection.
• CIP-013 — supply chain risk management.
• CIP-014 — physical security (substations, control centres).

The five-phase workflow

For a utility preparing for a CIP audit, the five-phase Sia RegAI workflow:

1. BES Cyber System categorisation — CIP-002 R1 ratings, with rationale documented.
2. Requirement mapping — every CIP-003-to-014 requirement mapped to applicable assets at each impact level.
3. Evidence inventory — collected, dated, and tied back to specific requirements and assets.
4. Policy drafting — CIP-required documentation generated in your house template, version-controlled.
5. Audit-pack assembly — Reliability Standard Audit Worksheets (RSAWs) populated, evidence cross-linked, narrative drafted.

Common audit findings

• CIP-007 patch-management evidence missing for some applicable assets between scheduled assessment dates.
• CIP-004 access reviews completed but the evidence record can't prove the review covered all required identifiers.
• CIP-010 baseline-deviation logs lack the rationale the auditor expects for low-significance changes.
• CIP-013 supply-chain procurement language updated but legacy contracts not re-papered within the agreed phase-in.

Where Sia RegAI fits

Sia RegAI ingests the standards, the FERC orders, the regional-entity (RE) interpretations (NPCC, RF, SERC, MRO, Texas RE, WECC), and your asset register. The obligation tree is normalised across the standards, indexed against your impact-level ratings, and mapped to your control library. RSAW narratives and evidence cross-references are drafted automatically.

Related guides

• NERC CIP compliance with AI — from CIP-002 asset inventory to audit-ready evidence
• Regulatory change management software — a buyer's guide

Industry pages

• Sia RegAI for utilities & energy