Ampyx Cyber Blog

The Intersection of Regulation & Resilience

Using the Work of Others in NERC CIP and O&P Compliance
Deep Dive Patrick Miller Deep Dive Patrick Miller

Using the Work of Others in NERC CIP and O&P Compliance

The work of others lets you lean on someone else's assessment as compliance evidence. It does not transfer accountability. This breakdown maps the ERO guidance stack, the two-part test auditors apply, worked examples for CIP-013 vendor assessments and BCSI in the cloud, the FERC FY2025 findings on delegation gone wrong, and the audit prep questions to answer first.

Read More
CMEP Version 9: Maintenance on the Surface, Three Signals Underneath
Policy Pulse Patrick Miller Policy Pulse Patrick Miller

CMEP Version 9: Maintenance on the Surface, Three Signals Underneath

NERC released CMEP Manual Version 9 on March 1, 2026. On the surface it is a maintenance release. Underneath, three signals matter: the Global Internal Audit Standards join the authoritative guidance stack, Rules of Procedure Appendix 4C moved, and a decade-old CIP Version 3 artifact got scrubbed from the Sampling Guide. None of it redraws CMEP. All of it reinforces v8's direction.

Read More