New Low Impact NERC CIP-003-9 Regulations: Vendor Supply Chain Security
By Patrick Miller
On March 16 2023, FERC issued a new Order approving NERC CIP-003-9 introducing new requirements for vendor electronic remote access security controls to low impact BES Cyber Systems. These new security controls are intended to allow detection and the ability to disable vendor remote access in the event of a known or suspected malicious communication.
Ampere hosed a webinar/webpanel featuring a former CIP regulator and three former asset owners, where they will discuss what is in scope, when it be applicable, how it will impact your utility, and what you should be doing.
Panelists
Patrick Miller, CEO, Ampere
Ron Fabela, Industrial Security Champion and Sr Consultant, Ampere
Jason Smith, Sr Consultant, Ampere
Carter Manucy, Sr. Manager - Cybersecurity, NRECA
Show Links
FERC Order Approving Reliability Standard CIP-003-9 - Docket No. RD23-3-00
CIP-003-9 Reliability Standard, NERC
NERC Project 2020-03 Page for all documents related to the drafting and adoption process for CIP-003-09
All draft versions
Redlines to last posted/approved
Technical Rationale
VRF/VSL Justifications
Reliability Standard Audit Worksheet (RSAW)
Ballot results
Supply Chain Risk Assessment Report
Safety Sign Generator
Slides from this webinar/webpanel
Featured Posts
NERC CIP compliance is no longer a checklist exercise. Internal controls are now how the ERO Enterprise measures whether an entity can sustain compliance over time. This post breaks down what internal controls are, the preventive, detective, and corrective types, how entities test and evidence them, and how WECC's ICDCT and the December 2025 ERO Guide put controls at the center of audit scoping.
DHS just reopened the closed-door forum where critical infrastructure operators and federal agencies compare notes on cyber threats in private. The legal protection that once made those conversations safe did not come back with it. ANCHOR-CI restores the room and leaves the shield behind, and here is what that changes for anyone who plans to speak in it.
The work of others lets you lean on someone else's assessment as compliance evidence. It does not transfer accountability. This breakdown maps the ERO guidance stack, the two-part test auditors apply, worked examples for CIP-013 vendor assessments and BCSI in the cloud, the FERC FY2025 findings on delegation gone wrong, and the audit prep questions to answer first.
Stop treating NERC CIP audits as fire drills. Learn the proactive timelines, documentation discipline, and live audit approach that separate prepared utilities from panicked ones. Here’s a strategic guide to compliance sanity from a former CIP auditor.
NERC's May 2026 draft Rules of Procedure revisions retire the Standards Committee, eliminate ballot pools, restructure the Registered Ballot Body, and create a new Reliability Standards Body under the RISC. The MSPP Task Force implementation package is the most consequential governance change to NERC standards development since the ERO model was certified in 2006.