FERC Quietly Closes The Books on RM20-12-000

By Patrick Miller

FERC has officially closed Docket RM20-12-000, ending a five-year inquiry into potential gaps in the CIP Reliability Standards. While the docket is withdrawn, the underlying concerns—data security, anomaly detection, and coordinated cyberattacks—are being addressed through recent standards like CIP-015-1 (INSM) and proposed updates to CIP-003.

Overview

On June 26, 2025, the Federal Energy Regulatory Commission (FERC) officially withdrew Docket No. RM20-12-000, a Notice of Inquiry (NOI), part of the rulemaking process that began in 2020 with a broad inquiry into potential gaps in the NERC Critical Infrastructure Protection (CIP) Reliability Standards. At the heart of the inquiry were questions about how well the CIP Standards addressed data security, anomaly detection, event mitigation, and protections against coordinated cyberattacks on distributed infrastructure. Five years later, with new standards in place and several regulatory efforts underway, FERC has decided the inquiry has served its purpose and is no longer needed.

RM20-12-000: A Look Back at the Original Questions

Back in June 2020, FERC issued a Notice of Inquiry (NOI) that challenged whether the then-current CIP Reliability Standards were sufficient for a threat landscape that had rapidly evolved. The NOI raised concerns across three technical domains drawn from the NIST Cybersecurity Framework:

  1. Data Security – Were controls in place to protect data at rest and in transit? Did standards account for availability as well as confidentiality and integrity?

  2. Anomaly and Event Detection – Were systems in place to baseline network activity and detect and respond to anomalies?

  3. Cyber Event Mitigation – Were there structured, enforceable requirements to contain, mitigate, and recover from cyber incidents?

FERC also expressed concern over coordinated cyberattacks on geographically distributed targets, particularly as more DERs and low-impact assets entered the grid. Would existing impact rating thresholds leave significant swaths of infrastructure unprotected?

Industry Response: Mixed Agreement with a Dose of Caution

FERC received 24 sets of public comments from a cross-section of the energy sector — including utilities, vendors, industry associations, and even individual experts. While the feedback varied, several core themes emerged:

  • General Support for Existing Standards: Many stakeholders, including NERC, EEI, and regional transmission organizations, asserted that the existing and developing Reliability Standards already addressed the topics in the NOI, or would soon.

  • Framework Mismatch: Commenters repeatedly cautioned against a one-to-one comparison between the NIST Cybersecurity Framework and the CIP standards. The NIST Framework is voluntary and flexible, while CIP is mandatory and enforceable. This apples-to-oranges mismatch, they argued, made direct alignment problematic.

  • Constructive Suggestions: A few commenters, including smaller consultancies and independent experts, identified real opportunities for improvement. These included expanding detection and response requirements to low-impact assets, enhancing controls for data availability, and improving remote access protections.

  • Call for Risk-Based Enhancements: On the topic of coordinated cyberattacks, many commenters pointed to existing NERC programs, voluntary information sharing, and industry-led drills as useful, but stopped short of endorsing sweeping regulatory changes. Several urged more attention to low-impact BES Cyber Systems with external connectivity.

Overall, the response showed that while the industry was not unified in urging change, it wasn’t opposed to targeted enhancements, especially if driven through the existing NERC standards development process.

Why FERC Is Withdrawing the Inquiry in 2025

After five years of public comments, regulatory developments, and real-world events, FERC has determined that the original goals of RM20-12-000 have largely been addressed through other channels.

Here's how:

CIP-012 (Control Center Communications)

Initially approved in 2020 and revised in 2024, this standard now explicitly requires protections for the availability, confidentiality, and integrity of real-time monitoring and assessment data between control centers, a direct response to gaps identified in the NOI.

CIP-015-1 (Internal Network Security Monitoring)

Perhaps the most significant response: the INSM requirements, mandated under Order 887 in 2023 and approved this month, require anomaly detection capabilities, closing the loop on the NOI’s concerns around visibility and detection of malicious activity inside BES networks.

CIP-003-9 and Proposed CIP-003-11 (Low Impact Controls)

Low-impact BES Cyber Systems were a weak point cited in both the NOI and several real-world incidents. The new and proposed standards include requirements to control vendor remote access, detect malicious communications, and authenticate remote users, all aimed at reducing the attack surface presented by distributed infrastructure.

What This Means in Practice

FERC’s withdrawal of RM20-12-000 does not mean these concerns were unfounded, just that the regulatory mechanism to address them has evolved.

For the industry, this means:

  • No sweeping overhaul of the CIP standards: evolution, not revolution, remains the regulatory strategy.

  • Expect continued pressure on low-impact asset security, especially where remote connectivity is involved.

  • New obligations under CIP-015-1 (INSM) are now active, with audit preparation and implementation timelines kicking off for registered entities.

  • The regulatory bar continues to rise for anomaly detection, supply chain risk, and network monitoring, even without a direct mandate from RM20-12-000.

The Bigger Picture: What FERC's Move Tells Us

At first glance, FERC’s withdrawal of RM20-12-000 might look like a quiet vote of confidence in the CIP standards development process, a signal that the industry has made meaningful progress in closing key cybersecurity gaps without the need for further top-down intervention. But the full picture is more complicated.

Historically, FERC has routinely pressured NERC to incorporate concepts from NIST SP 800-53 and 800-82, citing their relevance for addressing operational technology (OT) risks. The original 2020 NOI in RM20-12-000 was itself rooted in a comparison to the NIST Cybersecurity Framework, and many of its concerns, including data protection, anomaly detection, and incident mitigation, clearly echo 800-series control families. FERC’s posture, at least until recently, was aligned with deeper integration or at minimum greater harmonization with NIST standards.

But the tone may be shifting. With the arrival of new executive orders promoting zero-based regulatory budgeting, sunset provisions, and streamlined energy infrastructure approvals, along with new political leadership at FERC, the withdrawal of RM20-12-000 may be more about clearing the decks than affirming success. The docket’s termination offers no sweeping endorsement of how well the NERC standards currently align with federal frameworks, and the language in the order is careful to highlight incremental progress, not perfection.

In that context, the move could be seen less as a declaration that the industry is “getting it right,” and more as a regulatory reprioritization under deregulatory pressure. With infrastructure growth, AI-driven energy demands, and political incentives focused on acceleration over enforcement, FERC may be signaling that it's content (or compelled) to let industry self-correct for now, at least within the CIP framework.

That doesn't mean NIST alignment is off the table. But it does suggest that future integration may rely more heavily on industry-led SARs and voluntary convergence rather than Commission mandates, at least under current leadership.

What Comes Next

Even as RM20-12-000 is closed, the issues it raised haven’t gone away. Instead, they’ve evolved, and are now showing up in active standards, enforcement expectations, and industry best practices. Here’s where attention should be focused now:

INSM Readiness

With CIP-015-1 (Internal Network Security Monitoring) now approved, registered entities must prepare to implement real-time monitoring, anomaly detection, and alerting within protected BES environments. This includes establishing network baselines, deploying detection tools, and defining response playbooks. FERC made it clear that INSM directly addresses gaps in anomaly and event detection, a central issue in the original NOI. Implementation will be subject to both audit scrutiny and potential follow-up enhancements as the standard matures.
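As an added illustration (not from the article, and not code from any NERC standard or FERC order), the block below models the "establish a baseline, then detect deviations" step the paragraph describes, run on constructed flow records of the kind a tap or flow exporter inside an Electronic Security Perimeter would produce. The host roles, addresses, ports and flow sizes are all assumed; real INSM tooling would learn from far richer telemetry, but the logic is the same: learn which conversations are normal, then flag new talkers, new services on known pairs, and volume far outside what was learned.

```python
"""Minimal INSM-style baseline and anomaly detection over flow records.

Added example, not part of the original article or of CIP-015-1 itself.
All hosts, addresses and flows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarized flow record, as a tap or flow exporter would emit it."""
    ts: int        # seconds since the start of the capture window
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    nbytes: int    # bytes carried by the flow


# Constructed learning window inside an ESP: an HMI polling a PLC over Modbus/TCP
# and a historian pulling data from the HMI. Addresses are assumed, not real.
HMI, PLC, HISTORIAN = "10.0.1.10", "10.0.1.20", "10.0.1.30"

LEARNING_WINDOW = [
    Flow(ts=t, src=HMI, dst=PLC, dport=502, nbytes=600 + (t % 7) * 10)
    for t in range(0, 600, 5)
] + [
    Flow(ts=t, src=HISTORIAN, dst=HMI, dport=5432, nbytes=4000 + (t % 11) * 50)
    for t in range(0, 600, 30)
]

# Constructed monitoring window: the same normal traffic plus three deviations.
MONITORING_WINDOW = [
    Flow(ts=600, src=HMI, dst=PLC, dport=502, nbytes=640),
    Flow(ts=605, src=HISTORIAN, dst=HMI, dport=5432, nbytes=4200),
    Flow(ts=610, src="10.0.1.50", dst=PLC, dport=502, nbytes=300),    # new talker to the PLC
    Flow(ts=615, src=HMI, dst=PLC, dport=22, nbytes=900),            # new service on a known pair
    Flow(ts=620, src=HISTORIAN, dst=HMI, dport=5432, nbytes=80000),  # volume far above baseline
]


def build_baseline(flows):
    """Learn the set of normal (src, dst, dport) conversations and the largest
    flow size seen for each, from a window assumed to be clean."""
    max_bytes = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        max_bytes[key] = max(max_bytes[key], f.nbytes)
    return dict(max_bytes)


def detect_anomalies(baseline, flows, volume_factor=5):
    """Return (flow, reason) pairs for flows that leave the learned baseline.

    A conversation absent from the baseline covers both a new talker and a
    new service between known hosts; a known conversation is flagged only
    when its size exceeds volume_factor times the largest size learned.
    """
    findings = []
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if key not in baseline:
            findings.append((f, "conversation not in baseline"))
        elif f.nbytes > volume_factor * baseline[key]:
            findings.append((f, "volume spike"))
    return findings


def summarize(findings):
    """Human-readable lines suitable for an analyst queue or a SIEM forward."""
    return [
        f"t={f.ts}s {f.src} -> {f.dst}:{f.dport} {f.nbytes}B: {why}"
        for f, why in findings
    ]


if __name__ == "__main__":
    base = build_baseline(LEARNING_WINDOW)
    for line in summarize(detect_anomalies(base, MONITORING_WINDOW)):
        print(line)
```

The learning window has to be trusted to be clean, which is why baselining is normally done with the asset inventory at hand and reviewed before alerting is turned on; a volume threshold of five times the learned maximum is an assumed tuning value, and a production deployment would baseline per time-of-day and per protocol rather than per flow size alone.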

CIP-003-11 Scrutiny

CIP-003-11 is currently pending Commission approval, and FERC has explicitly reserved judgment. The proposed standard introduces new expectations for low-impact BES Cyber Systems, including user authentication, encryption of credentials in transit, and detection of malicious communications. These changes aim to mitigate coordinated attacks leveraging distributed low-impact assets. If approved, entities will need to upgrade remote access procedures and technical controls, particularly those with a wide operational footprint or vendor-managed endpoints.

Supply Chain and Vendor Risk

While not the primary driver of RM20-12-000, third-party and vendor-related risk surfaced repeatedly during public comment and was cited in related actions such as the CIP-003 and CIP-013 revisions. FERC and NERC both highlighted scenarios where remote access pathways to low-impact assets created significant reliability risk. Organizations should expect ongoing regulatory and audit attention on vendor access controls, contract language, and monitoring of third-party communications, especially in facilities previously considered “lower risk.”

Virtualization Standards on the Horizon

Also pending before the Commission are updates to formally incorporate virtualization into the CIP framework. These proposed standards are designed to address security risks in virtual machine environments, including access control, configuration management, and supply chain risk in hypervisor-based systems. As more entities adopt virtualization to modernize and scale their BES Cyber Systems, these standards will help close previously undefined gaps. While FERC has not yet issued a final approval, these changes signal where grid cybersecurity is heading next.

Final Thoughts

FERC’s closure of RM20-12-000 isn’t necessarily an indication that cybersecurity concerns have been dismissed; it’s the culmination of a deliberate, standards-centric strategy that's now unfolding in real time.

In the backdrop, the current administration has been pushing a broader “deregulation” agenda, adding a layer of complexity to the regulatory environment. For example:

  • An April 9 Executive Order introduced zero-based regulatory budgeting, requiring energy and environmental agencies (including FERC) to apply sunset provisions to their rules, signaling a potential rollback of existing regulations.

  • An April 8 Executive Order directing DOE to streamline emergency authority under FPA Section 202(c) hints at shifting some operational oversight away from FERC.

Meanwhile, leadership is shifting at the Commission: Chairman Mark Christie, a Trump appointee, is stepping down to make way for Laura Swett, who is expected to align with the administration’s priorities. This change comes as FERC navigates mounting executive scrutiny and a more facilitative stance on energy infrastructure.

Why this matters for CIP

Even as grid investment accelerates and rule rollbacks happen elsewhere, cybersecurity isn’t being deregulated, for now. FERC’s messaging is clear: the “how” and “why” of securing infrastructure may flex under deregulatory political winds, but the “what” (robust logging, anomaly detection, remote access restrictions, and virtualization controls) is still evolving and is probably not going away for the foreseeable future.

So, while the FERC docket RM20-12-000 may have been quietly closed, its substance is carrying on in the standards that followed, and in the cloud of political pressure to streamline and accelerate grid deployment.

Bottom line

The regulatory landscape is at a crossroads, pulling between deregulatory momentum and mature cybersecurity expectations. The next few months will test whether standards like CIP-015-1, the virtualization updates, and CIP-003-11 can stand firm amid political shifts, or whether they’ll be recalibrated under the complex pressures and opposing forces of today’s landscape.
