Ampyx Cyber Blog

The Intersection of Regulation & Resilience

What Multi-Region Entities Need to Know About Coordinated Oversight in 2026
Policy Pulse | Patrick Miller

NERC's Coordinated Oversight Program lets multi-region entities consolidate compliance monitoring under one Lead Regional Entity, eliminating duplicate audits across six footprints. New for 2026: Category 2 GO/GOP eligibility opens May 15, annual asset verification becomes formal, periodic group reviews go standard. Breakdown of qualifications, modification paths, and audit prep questions.

Inside the ERPQ: How One Form Shapes Your Audit
Policy Pulse | Patrick Miller

NERC's Currently Compliant Episode 9 introduced the consolidated Entity Risk Profile Questionnaire (ERPQ). What the podcast did not draw is the bigger picture: with ICE eliminated and continuous internal controls evaluation now embedded across CMEP, the ERPQ is the entry point into how the ERO Enterprise sees you for every monitoring cycle.

CMEP Version 9: Maintenance on the Surface, Three Signals Underneath
Policy Pulse | Patrick Miller

NERC released CMEP Manual Version 9 on March 1, 2026. On the surface it is a maintenance release. Underneath, three signals matter: the Global Internal Audit Standards join the authoritative guidance stack, Rules of Procedure Appendix 4C moved, and a decade-old CIP Version 3 artifact got scrubbed from the Sampling Guide. None of it redraws CMEP. All of it reinforces v8's direction.

How CMEP Version 8 Reshapes NERC’s Compliance Model
Policy Pulse | Patrick Miller

CMEP Version 8 does not rewrite NERC compliance; rather, it stabilizes it. Building on years of evolution, the updated Manual reinforces risk-based oversight, professional judgment, technical competence, and enterprise consistency across all Reliability Standards. The result is a more mature, defensible compliance model that shapes how audits, enforcement, and reliability governance now operate.

From Spot Evaluations to Continuous Oversight: NERC’s New Internal Controls Model
Policy Pulse | Patrick Miller

NERC’s December 2025 ERO Enterprise Guide replaces the old ICE model with continuous, risk-based internal control oversight embedded across CMEP and Joint Monitoring. This shift makes control design, evidence, and effectiveness a core driver of Compliance Oversight Plans (COPs), audit depth, and how the Regions measure compliance maturity.

ERO CMEP 2026: Oversight in the Age of Transformation
Policy Pulse | Patrick Miller

The Electric Reliability Organization’s (ERO) 2026 Compliance Monitoring and Enforcement Program Implementation Plan (CMEP) signals a new era in how risk-based oversight keeps pace with a rapidly transforming grid. Released in October, the plan refines NERC’s compliance priorities for the coming year, retiring Incident Response as a distinct risk element and introducing Grid Transformation as a central theme.

20 years of NERC CIP - What's next?
Policy Pulse | Patrick Miller

Two industry veterans who cultivated NERC CIP over the past 20 years discuss how it all started, and what’s next for electric power industry security regulations. Patrick C. Miller, one of the first NERC CIP auditors in the country, and Carter Manucy, a utility IT/OT Security Director, talk about the regulation that changed the electric sector cybersecurity landscape forever.

How it started, where it's going: 20 years of NERC CIP
Policy Pulse | Patrick Miller

Two key people who helped start NERC CIP 20 years ago talk about how and why it came together, and where it could go next. Patrick C. Miller, one of the first NERC CIP auditors in the country, and Earl Shockley, a former leader at NERC, talk about this momentous regulation that changed the electric sector cybersecurity landscape forever.
