Ampyx Cyber Blog

The Intersection of Regulation & Resilience

Using the Work of Others in NERC CIP and O&P Compliance
Deep Dive Patrick Miller

The work of others lets you lean on someone else's assessment as compliance evidence. It does not transfer accountability. This breakdown maps the ERO guidance stack, the two-part test auditors apply, worked examples for CIP-013 vendor assessments and BCSI in the cloud, the FERC FY2025 findings on delegation gone wrong, and the audit prep questions to answer first.

INSM Just Got Clearer: Key Takeaways from the NATF Guidance
Deep Dive Patrick Miller

NATF has released new CIP-015 INSM guidance that confirms a risk-based approach for collection points, clarifies scope around ESP boundaries, contains numerous useful reference models, and reinforces practical retention strategies. It aligns closely with our INSM playbook, especially on passive visibility, multicast deduplication, and EACMS/BCSI determinations for INSM platforms.