CIP-002-8, Decoded: Who’s In, Who’s Out Under the New 2.12
By Patrick Miller
Upcoming CIP-002-8 grid rules change which control centers fall under stricter cybersecurity protections. This post explains the new test in plain language, who is likely covered, and when local, load-serving areas can qualify for an exception. We also share a quick checklist to help utilities document what they have today and avoid surprises later.
Overview
CIP-002-8 keeps the familiar BES Cyber System categorization structure, but it rewrites the playbook for Transmission Owner/Transmission Operator (TO/TOP) Control Centers via a new Attachment 1, Criterion 2.12. If you monitor and control BES Transmission Lines from a Control Center, you’ll now compute an Aggregated Weighted Value (AWV); hit ≥ 6,000 and you’re in Medium Impact territory (with one carefully constrained path to exclude a local, load-serving “bubble”). The parameters outlined herein are subject to an evolving compliance delta.
What Changed from CIP-002-5.1a to CIP-002-8
See the redline of the changes here.
New/updated Control Center definition (explicitly covering TOs with SCADA): A Control Center now explicitly includes “one or more facilities of a Transmission Owner that have the capability to control transmission Facilities at two or more locations in real-time using SCADA,” including associated data centers (telemetry-only field devices excluded). This closes long-standing ambiguity about TO Dispatch/Operations rooms that can operate BES devices even if a third-party TOP holds authority.
New Criterion 2.12 (Medium Impact): Adds the AWV threshold to determine whether TO/TOP Control Centers are Medium Impact (details below).
Virtualization changes folded in: CIP-002-8 packages the TOCC updates on top of the previously developed virtualization modifications (Project 2016-02), so you’ll see both sets of edits in the redline.
Tip: Why 6,000? The drafting team doubled the 3,000 AWV used in Criterion 2.5 for stations/substations to create a Control Center threshold and then validated that range in the TOCC field test population (AWVs from ~500 to 11,300) without identifying reliability risks from the smaller operators.
Impactful Changes to Criterion 2.12
You’ll sum weight values per BES Transmission Line that your Control Center monitors and controls, by voltage class:
< 100 kV = 100 (applies only if the line is BES via the formal BES Exception process; most < 100 kV lines are not BES)
100–199 kV = 250
200–299 kV = 700
300–499 kV = 1,300
≥ 500 kV = 0 (N/A), because any Control Center that monitors/controls ≥ 500 kV is already High Impact under 1.3.
Counting rules that can trip folks up:
Tapped / loop-in-loop-out implementations on one line count once for that line’s voltage class.
Parallel lines between the same two stations count multiple times (one weight per physical line).
The GCE Exclusion (for “Local Load-serving Bubbles”)
If your initial AWV < 12,000, you may re-calculate after excluding BES Transmission Lines that sit entirely inside one “group of contiguous Elements” (GCE), if you meet all of the following:
Your defined GCE is ≥ 69 kV and < 300 kV (by design, it’s a local, load-serving transmission network; ≥ 300 kV is not allowed).
Over the preceding 12 months, the hourly integrated gross export from the GCE is ≤ 75 MWh during non-Energy Emergency Alert (EEA) conditions (exports in EEA may exceed 75 MWh with no compliance penalty).
You document how you calculate the hourly integrated value and keep evidence (metering not required; SCADA data is acceptable).
You clearly define the boundary and monitor flows across the interfacing equipment you’ve identified for that GCE. Interfacing equipment is any boundary point used to measure flow, not limited to lines (e.g., transformer terminals, tie points).
Important constraints
Only one GCE can be used for the exclusion (no slicing your footprint into many bubbles).
The 12,000 AWV cap prevents big control areas from using the exclusion. The cap equates to roughly four medium-impact stations’ worth of controlled lines (by Criterion 2.5 logic).
Tip: Why 75 MWh? It was chosen to align conservatively with existing thresholds (e.g., DP/GO registration, EOP-004 reportability) and to reflect energy over time, not an instantaneous MW. The team explicitly rejected MVA ratings for this purpose.
Worked examples from the Technical Rationale
Initial AWV = 10,000; exclude a sub-300 kV GCE with ≤ 75 MWh hourly exports; revised AWV = 6,500 → still Medium (≥ 6,000).
Scenario with many 100–199 kV lines: exclusion can remove a large 138 kV “bubble” if it truly serves local load with minimal export; if the revised AWV drops < 6,000, you fall out of Criterion 2.12 scope. (See Example 3 narrative.)
Note: The exclusion does not let you “exclude the Control Center.” It only allows removing specific lines from the calculation, if you meet the GCE rules above.
Who’s Likely Included Now
You should expect to be Medium Impact (2.12) if any of these sound like you:
You’re a TO or TOP Control Center with the capability (not just the authority) to operate BES Elements via SCADA, and your controlled line set pushes the AWV ≥ 6,000.
You have multiple 200–299 kV and 300–499 kV circuits under control (each line adds 700 or 1,300 respectively).
Who’s Likely Excluded (Eligible for the GCE Exclusion)
Small TO/TOPs whose control footprint is primarily 100–199 kV and < 300 kV lines serving local load, with limited hourly energy export across their boundary (≤ 75 MWh), and initial AWV < 12,000.
Evidence You Will Want Ready on Day One
AWV workbook: List each BES Transmission Line, its nominal voltage, and the weight you applied; show the sum. Include your counting decisions (taps vs. parallel lines).
GCE dossier (if used):
Boundary one-pager with a single GCE map and boundary interfacing equipment list.
Method to compute hourly integrated gross export (SCADA or meters) and 12-month dataset showing compliance outside EEA hours.
Glossary alignment: If you’re a TO with SCADA capability to operate BES Elements at ≥ 2 locations, assume the Control Center definition applies to you, even if you rely on a third-party TOP for authority. Document the capability.
Key Dates & What to do Next
Where we are now
The industry has completed the drafting, commenting, balloting, and voting stages. NERC has filed it with FERC and now we are all waiting to see if/when FERC will approve it. Below is the official timeline:
NERC Board adoption: The NERC Board of Trustees adopted CIP-002-8 on December 10, 2024.
Filed with FERC: NERC submitted the petition to FERC on December 20, 2024 (Docket RD25-8-000).
Docket status: FERC’s Combined Notice of Filings confirms the 12/20/24 filing (Accession 20241220-5509).
What to plan for once FERC issues an order
FERC’s approval order will set the clock using the Implementation Plan that accompanies CIP-002-8. Until then, treat the following as a readiness sprint so you can execute quickly when the effective dates are finalized:
Lock your scope math
Finalize your AWV workbook (every BES Transmission Line, voltage class, weighting, and the total). Preserve the counting assumptions (e.g., tapped vs. parallel lines).
Produce a one-page decision memo: “Are we ≥ the medium-impact threshold?” If your initial total is below the exclusion cap, note whether you intend to pursue the GCE exclusion and why.
Pre-build your GCE evidence (if applicable)
Draw a single GCE boundary (≥69 kV and <300 kV) and list interfacing equipment used to measure boundary flows.
Draft your hourly integrated gross-export method (SCADA or metering), run the 12-month backtest, and snapshot non-EEA hours. Keep raw data and a clean summary figure ready.
Harden the Control Center record
Update your Control Center definition file (especially for TOs with SCADA capability at two or more locations). Clarify “capability to control” vs. “authority to control,” and name associated data centers.
Map any virtualization/hosting implications already carried into the CIP-002-8 baseline so stakeholders aren’t surprised.
Stand up internal milestones keyed to “Order Day (T0)”
T0–30 days: Freeze line inventory, finalize AWV, publish leadership brief.
T0–60 days: Complete GCE boundary evidence package (if using the exclusion).
T0–90 days: Update procedures, artifacts, and attestations aligned to the Implementation Plan’s first deadline(s).
Budget & communications
Align budget scenarios to two cases: “no exclusion (Medium)” and “exclusion applied (potentially out of 2.12 scope).”
Prepare an external coordination plan (TOP/TO neighbors) if your exclusion relies on tie-flow data or shared telemetry.
Tracking the order
Bookmark the FERC docket (RD25-8-000) and NERC’s filings page; when the approval order posts, verify the effective date(s) and any directives before locking your internal timeline. If you’ve done the homework now, FERC’s order becomes an administrative trigger, not a fire drill. Of course, we will post about it when it happens so check back here regularly.
Quick Self-Check
Can we enumerate every BES Transmission Line our Control Center monitors/controls and assign the right weight?
Are we ≥ 6,000? If yes, are we also < 12,000 (to even consider the GCE exclusion)?
If considering the exclusion, can we credibly prove ≤ 75 MWh hourly gross export from one sub-300 kV GCE over the last 12 months, excluding EEA?
Final Thought
CIP-002-8 aims for right-sized risk categorization: it brings smaller, but meaningful TO/TOP control footprints into scope while giving true local load-serving areas a data-driven off-ramp. Do the math early, decide if the GCE exclusion is worth the operational discipline it demands, and line up your evidence so there are no surprises when the Implementation Plan clock starts.
