Closing the Gaps: FERC Order 912 and the Future of Supply Chain Risk Management

By Patrick Miller

FERC Order 912 marks a shift in supply chain cybersecurity for the Bulk Power System. It directs NERC to strengthen supply chain protections by closing gaps in risk identification, reassessment, and response, and by extending coverage to Protected Cyber Assets. Vendor data validation is encouraged but not mandated, and NERC has 18 months to deliver new or revised standards.

Overview

On September 18, 2025, the Federal Energy Regulatory Commission (FERC) issued Order No. 912, a final rule that directs the North American Electric Reliability Corporation (NERC) to strengthen and expand the Critical Infrastructure Protection (CIP) Supply Chain Risk Management (SCRM) Reliability Standards. This order is more than an incremental update. It closes what FERC considers longstanding gaps, adds coverage for previously unprotected assets, and redefines how the electric sector must approach vendor and equipment risk.

Why It Matters

Supply chain attacks are not theoretical. They are active, evolving, and cross every boundary, digital or physical. From counterfeit hardware to embedded spyware, adversaries have demonstrated their ability to use the supply chain as an attack vector. The existing CIP supply chain standards (currently CIP-005-7, CIP-010-4, and CIP-013-2) provide some fundamental risk management approaches, but FERC believes they have shortcomings:

  • Gaps in how entities identify, assess, and respond to supply chain risks.

  • Exclusion of Protected Cyber Assets (PCAs), which sit inside Electronic Security Perimeters but outside the scope of the supply chain protections.

  • Lack of accountability in tracking and documenting risk responses.

With Order 912, the Commission is making it clear: the previous approach is no longer enough.

Key Directives in Order 912

1. Strengthen Supply Chain Plans

Entities must move beyond paper plans and into actionable frameworks. NERC is directed to develop standards that:

  • Establish a maximum time frame between when an entity performs its initial risk assessment during the procurement process and when it installs the equipment.

  • Mandate periodic and event-driven reassessments of vendor and product risks.

  • Ensure entities document, track, and respond to all identified risks, not just acknowledge them.

    Note that FERC specifically declined to mandate any decision-making criteria to guide entities in determining how to respond to identified risks (but left the door open for NERC to do so).

2. Extend Protections to PCAs

Protected Cyber Assets (PCAs), Cyber Assets that sit within an Electronic Security Perimeter but are not themselves part of a high or medium impact BES Cyber System, have been a blind spot. Order 912 brings PCAs under SCRM protections, closing a potential loophole where a compromised ancillary device (a jump host, a historian, a printer, or a test workstation inside the ESP) could serve as a stepping stone into the critical systems beside it.

3. Vendor Data Validation: Encouraged, Not Required

FERC backed away from mandating vendor data validation after industry pushback over cost, practicality, and auditability. Instead, entities are encouraged to adopt risk-based, voluntary validation practices, and FERC signaled clear interest in centralized information-sharing solutions (e.g., supply chain libraries).

4. 18-Month Development Timeline

NERC now has 18 months (instead of the originally proposed 12) to submit new or modified standards. This extension reflects the complexity of the changes and the need for broad (asset owner and vendor) industry input.

Industry Feedback and Workshop Takeaways

Risk Assessments

  • Industry stance: Favor risk-based or event-driven reassessments over rigid timelines.

  • FERC’s response: Both approaches are needed. Entities can define triggers, but a maximum time-based backstop will be established.

Vendor Validation

  • Consensus: One-size-fits-all validation is impractical. Many supported centralized or shared data repositories instead of entity-by-entity validation.

  • Outcome: Validation requirement dropped, but guidance and voluntary adoption encouraged.

Response to Risks

  • Broad support for requiring entities to document and track their risk responses.

  • FERC’s direction: Flexible, non-prescriptive requirements. Entities can choose their own frameworks, but must show traceability and action.

PCAs

  • No opposition to including PCAs.

  • Some stakeholders pushed to expand protections to all imported equipment or low-impact assets.

  • FERC’s decision: Limit scope to PCAs tied to medium/high impact BES Cyber Systems.

Federal Harmonization and International Context

Order 912 doesn’t exist in a vacuum. Stakeholders urged FERC to align with:

  • NIST guidance and CISA frameworks under recent Executive Orders.

  • DOE Supply Chain Cybersecurity Principles.

  • International standards like ISA/IEC 62443.

FERC acknowledged the need for harmonization and collaboration but avoided mandating country-of-origin restrictions or broad bans on foreign-sourced equipment. Calls for mandatory testing of Chinese imports, for example, were noted but not adopted.

One area not covered in the order, the commentary, or the workshops: we (Ampyx Cyber) recommend harmonizing with the European Cyber Resilience Act (CRA). The North American electric industry shares many vendors with European asset owners. Vendors that must comply with the CRA will likely be better, and easier, choices when demonstrating compliance with the new NERC CIP SCRM requirements. One caveat: CRA conformity does not by itself satisfy CIP-013. What it provides is vendor evidence (a vulnerability handling process, security update commitments, and product security documentation) that a Registered Entity can feed into its own risk assessment and document as the basis for its response.

Termination of the Huawei/ZTE Inquiry

The order also closes out the 2020 Notice of Inquiry on risks posed by equipment and services from Huawei, ZTE, and other foreign entities. Rather than running parallel tracks, FERC has folded these concerns into the broader supply chain reliability framework.

What Comes Next

The ball is now in NERC’s court. Over the next 18 months, industry participants will shape how these directives are translated into enforceable standards. Expect debates over:

  • How to define “maximum timeframes” for risk reassessments.

  • What qualifies as sufficient documentation and tracking.

  • How to balance flexibility with enforceability when protecting PCAs.

For utilities, vendors, and regulators alike, this is the moment to prepare:

  • Review existing supply chain plans for gaps in identification, reassessment, and response.

  • Inventory PCAs and understand their exposure, or get them out of the ESP altogether.

  • Engage in the NERC standards development process. This is where the operational details will be set.

  • Seek harmonization with other established supply chain security risk management regulations, standards, and frameworks (such as the European CRA).

Final Thoughts

Order 912 signals a shift in how FERC expects the industry to manage supply chain risk. The original supply chain standards were drafted quickly and, while they moved the needle and provided a minimum bar, they were only marginally effective at managing supply chain risk to the Bulk Power System. By strengthening SCRM plans, closing the PCA gap, and requiring better documentation, the Commission is attempting to address threats that adversaries have already shown they can exploit. While FERC avoided overreach in several areas, the message is clear: it is taking supply chain security risk management more seriously, and the expectations are higher. What hasn't changed is the responsibility. That still rests with the Registered Entities, not directly with their vendors.
