CMEP Version 9: Maintenance on the Surface, Three Signals Underneath
By Patrick Miller
The ERO Enterprise released CMEP Manual Version 9 on March 1, 2026, alongside Auditor Checklist Version 7. On the surface it is a maintenance release: logos, links, cross-references, and terminology cleanup. Underneath, three things are worth reading more carefully. Global Internal Audit Standards now sit alongside the IIA-IPPF in the authoritative guidance stack. Appendix 4C of the NERC Rules of Procedure moved, and the manual had to follow. And a decade-old CIP Version 3 artifact finally got scrubbed from the Sampling Guide. None of these redraws CMEP. All of them reinforce the direction v8 already set.
Overview
NERC posted the ERO Enterprise Compliance Monitoring and Enforcement Manual Version 9 on March 1, 2026. At the same time, the ERO Enterprise published the updated Auditor Checklist Version 7, to which many of the manual's internal references now point.
If you are looking for the v8 Manual for side-by-side comparison, it is gone. NERC has removed the previous edition from its public CMEP Resources page, and Version 9 is now the only available release. That is a real problem for anyone trying to do a clean diff. For background on what v8 did carry forward, see How CMEP Version 8 Reshapes NERC's Compliance Model.
Unlike v8, which consolidated and stabilized several years of structural change, v9 is largely editorial. The Revision History Table is short. Most entries are logo updates, hyperlink refreshes, cross-reference renumbering, and checklist synchronization. It would be easy to read the update as entirely cosmetic and move on. That would be a mistake. Three of the changes are substantive enough that registered entities and CEA staff should take note.
What v9 Actually Changed
Before getting to the signals, it is worth grounding the conversation in what the document itself says changed. The v9 Revision History, dated March 1, 2026, lists the following:
NERC and Regional Entity logos updated on title pages and linked to their respective websites
References to the Institute of Internal Auditors (IIA) updated to include the Global Internal Audit Standards (GIS) on pages 28, 109, 129, 131, and 181, along with the IIA glossary definition on page 185
CIP Evidence Request Tool and User Guide references updated to Version 10 on pages 2 and 190
Hyperlinks refreshed for the NERC Glossary of Terms (page 8), the Government Accountability Office (page 131), and Enforcement templates (page 157)
Language updated from Rules of Procedure Section 400, Compliance Enforcement, on page 128
Authoritative Guidance sections updated on page 128 to reflect Section 400 and Appendix 4C language
Rules of Procedure Appendix 4C section references updated across 28 additional pages
Auditor Checklist sections 02-0101, 02-0202, 02-0301, 02-0501, 02-0502, 02-0601, 02-0701, 03-0101, 03-0204, and 03-0301 synchronized to the approved Auditor Checklist Version 7 (pages 51-98 and 100-104)
Critical Cyber Assets (CCAs) changed to Cyber Assets (CAs) in the Sampling Guide
The companion Auditor Checklist v7 revision note is even shorter: "Updated with Align and SEL changes."
That is the full accounting. There are no new standards, no new audit processes, no new enforcement constructs. But three of those bullets reward a closer look.
Signal One: GIS Joins the Authoritative Guidance Stack
CMEP has always anchored itself in professional audit practice. Generally Accepted Government Auditing Standards, commonly referred to as the Yellow Book, have been foundational since the earliest versions of the manual. The Institute of Internal Auditors' International Professional Practices Framework (IIA-IPPF) has sat alongside the Yellow Book as a reference for internal audit practice.
Version 9 adds a third authoritative reference: the Global Internal Audit Standards (GIS).
The GIS replaced the IIA's prior standards architecture and is the current state of the internal audit profession globally. NERC inserting GIS into the CMEP Manual, including into the Handbook introduction, the Compliance Monitoring Competency Guide, the Certification Competency Guide, and the Glossary, keeps CMEP aligned with where professional audit practice is, rather than where it was.
This is a small change in word count and a meaningful change in direction. It continues the trajectory described in the v8 analysis: CMEP is increasingly structured like a professional audit institution, not a coordination function. When the manual leans on GIS, it is telling both CEA staff and registered entities that the terms, expectations, and methods used during compliance monitoring are the same ones used in modern audit practice across other sectors.
For registered entities, this has a practical implication. If your compliance program still speaks in CMEP process language but not in audit professional language, the translation gap will grow. Auditors applying professional judgment now have an additional reference framework to draw from when they justify scope, sampling, and conclusions. Entities that understand that language engage more effectively.
Signal Two: The Appendix 4C Refresh
NERC's Rules of Procedure Appendix 4C is the CMEP itself. It is the authoritative text from which the ERO Enterprise derives its compliance monitoring and enforcement authority. The manual we all read, the 205-page reference document, is a working explanation of Appendix 4C, not a substitute for it.
Version 9 updates Appendix 4C section references across 28 pages of the manual, along with supporting language changes on page 128. This tells you that Appendix 4C itself moved. Either sections were renumbered, new sections were added, language was tightened, or all of the above. The manual had to chase the underlying rule.
This matters for two reasons.
First, if you are a compliance program manager and you still maintain internal training decks, audit response playbooks, or evidence mapping documents that cite specific Appendix 4C sections, those citations now need to be checked. A quote from Appendix 4C on page 80 of the v8 manual may point to a different section number in the v9 manual, and more importantly, in the current Rules of Procedure.
Second, the underlying question is what changed in Appendix 4C itself. The manual's cross-reference refresh is downstream of whatever NERC did upstream in the Rules of Procedure. That is a separate document to track, and for compliance programs with regulatory watch responsibilities, it is the more important one. The manual tells you how CMEP is executed. Appendix 4C tells you why CMEP has the authority to be executed that way.
We are still running that upstream comparison, and will come back to it in a follow-up post once the review is complete.
Signal Three: CCAs Leave the Sampling Guide
The Version 9 revision note reads: "Updated Critical Cyber Assets (CCAs) to Cyber Assets (CAs) in the Sample Guide."
Critical Cyber Asset was a CIP Version 3 construct. It was replaced by BES Cyber System and BES Cyber Asset when CIP Version 5 became enforceable on July 1, 2016. That is nearly ten years ago. The Sampling Guide has been carrying stale CIP v3 language this entire time.
The cleanup itself is unremarkable. What it reveals is more interesting. The Sampling Guide, the document that defines how audit samples are constructed and how representative populations are derived, apparently was not a priority for revision through multiple manual versions. That is worth pausing on. Sampling drives audit scope depth. Sampling methodology is how auditors move from a population of thousands of cyber assets to a defensible test set. If the Sampling Guide has been maintained only lightly, it suggests that sampling practice across the Regions has been driven more by professional judgment and internal Regional procedures than by the official CMEP Sampling Guide.
There are two takeaways. For registered entities, check your own internal documents. If your CIP program documentation, evidence response templates, or audit playbooks still reference Critical Cyber Assets, that is a signal that your compliance content has not been refreshed in years. Auditors noticing CCA language in your materials will read it the same way the manual's editors finally did: as an artifact that needed cleaning up a long time ago.
For the ERO Enterprise, the update is welcome but it underscores that the Sampling Guide deserves a more substantive review. The trajectory of CMEP is toward risk-based, structured, and defensible sampling. The Sampling Guide should be leading that conversation, not trailing it with terminology decades behind the standards.
The Auditor Checklist v7 Synchronization
Ten Auditor Checklist sections were updated in the manual to match Checklist v7. Those sections cover: preliminary documentation review, additional documentation requests, the final planning meeting, SME interviews, internal controls assessment, documenting results, documenting findings, workpaper review, the NERC Internal Control Template, and draft report compilation.
The Checklist v7 revision note is unusually terse: "Updated with Align and SEL changes."
Align is the ERO Enterprise's compliance monitoring and enforcement platform. SEL, in this context, is the Secure Evidence Locker used with Align. Updating the checklist to reflect Align and SEL workflow changes means that audit execution is now more tightly tied to specific tooling steps. For entities, this translates into a practical reality: evidence submission, internal control documentation, and working paper references all flow through Align in ways the checklist is now more prescriptive about.
This is consistent with the continuous oversight direction described in From Spot Evaluations to Continuous Oversight: NERC's New Internal Controls Model. Tooling is becoming part of the audit process itself, not just a delivery mechanism.
What This Means for Registered Entities
Version 9 introduces no new compliance obligations. The Reliability Standards are unchanged. The risk-based oversight model described in v8 still governs. The continuous internal controls model from the December 2025 ERO Enterprise Guide for Internal Controls still defines how trust is measured.
That said, there are four practical items worth addressing:
Scrub CCA language from your internal CIP documentation if it still exists. Not because the standards require it, but because it is a tell.
Confirm your Appendix 4C citations are current. Any internal training, response playbook, or executive briefing that quotes specific section numbers of the Rules of Procedure should be checked against the current version, not against what the section number was under v8.
Align your evidence flows to the Auditor Checklist v7 workflow. If your compliance team understands the ten updated action items well, interactions with the audit team during fieldwork move faster and with less friction.
Get comfortable with GIS references. Auditors applying professional judgment under the GIS framework will use language your compliance leadership should recognize, not treat as foreign.
What This Means for NERC and the Regions
For the ERO Enterprise, v9 is quiet continuity. GIS joining the authoritative stack keeps CMEP aligned with current professional audit practice. The Appendix 4C refresh tightens the relationship between the manual and the Rules of Procedure. The Sampling Guide cleanup removes an embarrassing artifact that should have been addressed years ago.
What is worth watching is the pattern. When the Auditor Checklist drives manual updates (v9 synchronizing to Checklist v7, rather than the other way around), it suggests that the checklist, not the manual, is the operational source of truth for audit execution. That is a small but telling shift. The manual explains. The checklist directs.
If that pattern continues, future CMEP changes may show up in the checklist first and the manual second. Compliance programs that only track the manual will be a release behind.
Bottom Line
CMEP Version 9 is not CMEP Version 8. Don’t read it as a structural update, because it isn’t.
Do read the three signals inside the housekeeping. Global Internal Audit Standards joining the authoritative guidance stack continues the professionalization of CMEP. The Appendix 4C refresh means the Rules of Procedure moved, and the real question is what changed upstream. The Sampling Guide cleanup, ten years overdue, is a reminder to check your own documents for similar legacy language.
The v8 and December 2025 Internal Controls updates still carry the weight. Version 9 simply reinforces the direction those changes set.