New Low Impact NERC CIP-003-9 Regulations: Vendor Supply Chain Security

Policy Pulse
Written By Patrick Miller

By Patrick Miller

On March 16 2023, FERC issued a new Order approving NERC CIP-003-9 introducing new requirements for vendor electronic remote access security controls to low impact BES Cyber Systems. These new security controls are intended to allow detection and the ability to disable vendor remote access in the event of a known or suspected malicious communication.

Ampere hosed a webinar/webpanel featuring a former CIP regulator and three former asset owners, where they will discuss what is in scope, when it be applicable, how it will impact your utility, and what you should be doing.

Panelists

Show Links

FERC Order Approving Reliability Standard CIP-003-9 - Docket No. RD23-3-00

CIP-003-9 Reliability Standard, NERC

NERC Project 2020-03 Page for all documents related to the drafting and adoption process for CIP-003-09

  • All draft versions

  • Redlines to last posted/approved

  • Technical Rationale

  • VRF/VSL Justifications

  • Reliability Standard Audit Worksheet (RSAW)

  • Ballot results

Supply Chain Risk Assessment Report

Safety Sign Generator

Slides from this webinar/webpanel

Featured Posts

Featured
NERC MSPP Rules of Procedure: Standards Committee Retired in May 2026 Draft
NERC, MSPPTF, MSPP, Standards Development, Rules of Procedure, Standards Committee, Reliability Standards Body, RBB, Registered Ballot Body, RISC, Ballot Pool, Term Sheet, NERC CIP, FERC, Compliance, Standard Processes Manual
NERC MSPP Rules of Procedure: Standards Committee Retired in May 2026 Draft
NERC, MSPPTF, MSPP, Standards Development, Rules of Procedure, Standards Committee, Reliability Standards Body, RBB, Registered Ballot Body, RISC, Ballot Pool, Term Sheet, NERC CIP, FERC, Compliance, Standard Processes Manual

NERC's May 2026 draft Rules of Procedure revisions retire the Standards Committee, eliminate ballot pools, restructure the Registered Ballot Body, and create a new Reliability Standards Body under the RISC. The MSPP Task Force implementation package is the most consequential governance change to NERC standards development since the ERO model was certified in 2006.

Read more →
NERC, MSPPTF, MSPP, Standards Development, Rules of Procedure, Standards Committee, Reliability Standards Body, RBB, Registered Ballot Body, RISC, Ballot Pool, Term Sheet, NERC CIP, FERC, Compliance, Standard Processes Manual
Computational Load and the Convergence Problem: What NERC's May 2026 Actions Mean for Critical Infrastructure
Computational Load Entity, CLE, Large Loads, Data Centers, NERC CIP, NERC, FERC, Reliability Standards, Reliability Guideline, Level 3 Alert, Critical Infrastructure, Bulk Electric System, BES, Bulk Power System, ICS, OT, Project 2026-02, Hyperscaler, AI, Cryptomining, Cybersecurity
Computational Load and the Convergence Problem: What NERC's May 2026 Actions Mean for Critical Infrastructure
Computational Load Entity, CLE, Large Loads, Data Centers, NERC CIP, NERC, FERC, Reliability Standards, Reliability Guideline, Level 3 Alert, Critical Infrastructure, Bulk Electric System, BES, Bulk Power System, ICS, OT, Project 2026-02, Hyperscaler, AI, Cryptomining, Cybersecurity

Documented load losses approaching one thousand megawatts in seconds. A Level 3 Essential Action Alert. A final Reliability Guideline. Proposed registration of a new Computational Load Entity. NERC's May 2026 actions mark a structural shift in how data centers, hyperscale AI training, and cryptocurrency mining are treated under the North American grid reliability framework.

Read more →
Computational Load Entity, CLE, Large Loads, Data Centers, NERC CIP, NERC, FERC, Reliability Standards, Reliability Guideline, Level 3 Alert, Critical Infrastructure, Bulk Electric System, BES, Bulk Power System, ICS, OT, Project 2026-02, Hyperscaler, AI, Cryptomining, Cybersecurity
What Multi-Region Entities Need to Know About Coordinated Oversight in 2026 [Updated]
NERC, NERC CIP, O&P, Coordinated Oversight, Audit Prep, Internal Controls, Compliance Monitoring & Enforcement Program, Multi-Regional Registered Entity, Entity Risk Profile Questionnaire, CMEP, MRRE, ERO, LRE, IBR, Category 2, GO, GOP, Electric Sector, Compliance
What Multi-Region Entities Need to Know About Coordinated Oversight in 2026 [Updated]
NERC, NERC CIP, O&P, Coordinated Oversight, Audit Prep, Internal Controls, Compliance Monitoring & Enforcement Program, Multi-Regional Registered Entity, Entity Risk Profile Questionnaire, CMEP, MRRE, ERO, LRE, IBR, Category 2, GO, GOP, Electric Sector, Compliance

NERC's Coordinated Oversight Program lets multi-region entities consolidate compliance monitoring under one Lead Regional Entity, eliminating duplicate audits across six footprints. New for 2026: Category 2 GO/GOP eligibility opens May 15, annual asset verification becomes formal, periodic group reviews go standard. Breakdown of qualifications, modification paths, and audit prep questions.

Read more →
NERC, NERC CIP, O&P, Coordinated Oversight, Audit Prep, Internal Controls, Compliance Monitoring & Enforcement Program, Multi-Regional Registered Entity, Entity Risk Profile Questionnaire, CMEP, MRRE, ERO, LRE, IBR, Category 2, GO, GOP, Electric Sector, Compliance
Protocol Converters: The 2023 SAR Just Got Validated (Again)
Incident Response, SCADA, Cybersecurity, Threat Detection, CISA, Operational Resilience, NERC CIP, NERC, CIP-002, CIP-007, CIP-010, CIP-013, Protocol Converter, Serial to Ethernet, Vulnerability, Moxa, Lantronix, SAR, Standards Authorization Request, BES Cy ber Asset, ESP, Supply Chain
Protocol Converters: The 2023 SAR Just Got Validated (Again)
Incident Response, SCADA, Cybersecurity, Threat Detection, CISA, Operational Resilience, NERC CIP, NERC, CIP-002, CIP-007, CIP-010, CIP-013, Protocol Converter, Serial to Ethernet, Vulnerability, Moxa, Lantronix, SAR, Standards Authorization Request, BES Cy ber Asset, ESP, Supply Chain

The 2023 NERC SAR asked whether protocol converters belong inside CIP-002. A new disclosure of 22 CVEs in serial-to-Ethernet hardware, set against a decade of advisories across the category, settles the question. The categorization debate now has its empirical record, and asset owners have CIP-007 R2 and CIP-013 work to do that does not wait for the standard.

Read more →
Incident Response, SCADA, Cybersecurity, Threat Detection, CISA, Operational Resilience, NERC CIP, NERC, CIP-002, CIP-007, CIP-010, CIP-013, Protocol Converter, Serial to Ethernet, Vulnerability, Moxa, Lantronix, SAR, Standards Authorization Request, BES Cy ber Asset, ESP, Supply Chain
Funded, Not Secured: The April 20 DPA Determinations & the Bulk Electric System
NERC CIP, NERC, CIP-013, CIP-014, Supply Chain, Defense Production Act, DPA, Grid Security, Electric Grid, BES, O&P, Transformer, Critical Infrastructure, Federal Policy, Procurement, Firmware
Funded, Not Secured: The April 20 DPA Determinations & the Bulk Electric System
NERC CIP, NERC, CIP-013, CIP-014, Supply Chain, Defense Production Act, DPA, Grid Security, Electric Grid, BES, O&P, Transformer, Critical Infrastructure, Federal Policy, Procurement, Firmware

Two April 20 Defense Production Act determinations expand domestic capacity for grid components and large-scale energy infrastructure. Neither addresses cybersecurity. For the electric sector, NERC CIP and Order 693 standards still apply. A practitioner's view of intersections with CIP-013, CIP-014, PRC, FAC, and TPL, and why domestic capacity is not domestic assurance.

Read more →
NERC CIP, NERC, CIP-013, CIP-014, Supply Chain, Defense Production Act, DPA, Grid Security, Electric Grid, BES, O&P, Transformer, Critical Infrastructure, Federal Policy, Procurement, Firmware
Patrick Miller https://www.patrickcmiller.com
Previous

NERC Initiates Data Collection on INSM for Low Impact CIP Assets
Next

New cybersecurity controls for vendor access to low impact NERC CIP assets