Ampyx Cyber Blog
The Intersection of Regulation & Resilience
NERC MSPP Rules of Procedure: Standards Committee Retired in May 2026 Draft
NERC's May 2026 draft Rules of Procedure revisions retire the Standards Committee, eliminate ballot pools, restructure the Registered Ballot Body, and create a new Reliability Standards Body under the RISC. The MSPP Task Force implementation package is the most consequential governance change to NERC standards development since the ERO model was certified in 2006.
Computational Load and the Convergence Problem: What NERC's May 2026 Actions Mean for Critical Infrastructure
Documented load losses approaching one thousand megawatts in seconds. A Level 3 Essential Action Alert. A final Reliability Guideline. Proposed registration of a new Computational Load Entity. NERC's May 2026 actions mark a structural shift in how data centers, hyperscale AI training, and cryptocurrency mining are treated under the North American grid reliability framework.
What Multi-Region Entities Need to Know About Coordinated Oversight in 2026 [Updated]
NERC's Coordinated Oversight Program lets multi-region entities consolidate compliance monitoring under one Lead Regional Entity, eliminating duplicate audits across six footprints. New for 2026: Category 2 GO/GOP eligibility opens May 15, annual asset verification becomes formal, periodic group reviews go standard. Breakdown of qualifications, modification paths, and audit prep questions.
Protocol Converters: The 2023 SAR Just Got Validated (Again)
The 2023 NERC SAR asked whether protocol converters belong inside CIP-002. A new disclosure of 22 CVEs in serial-to-Ethernet hardware, set against a decade of advisories across the category, settles the question. The categorization debate now has its empirical record, and asset owners have CIP-007 R2 and CIP-013 work to do that does not wait for the standard.
Funded, Not Secured: The April 20 DPA Determinations & the Bulk Electric System
Two April 20 Defense Production Act determinations expand domestic capacity for grid components and large-scale energy infrastructure. Neither addresses cybersecurity. For the electric sector, NERC CIP and Order 693 standards still apply. A practitioner's view of intersections with CIP-013, CIP-014, PRC, FAC, and TPL, and why domestic capacity is not domestic assurance.
Inside the ERPQ: How One Form Shapes Your Audit
NERC's Currently Compliant Episode 9 introduced the consolidated Entity Risk Profile Questionnaire (ERPQ). What the podcast did not draw is the bigger picture: with ICE eliminated and continuous internal controls evaluation now embedded across CMEP, the ERPQ is the entry point into how the ERO Enterprise sees you for every monitoring cycle.
Is Something Weird Happening on Your System?
Learn how critical infrastructure operators can spot the early signs of cyber intrusions directly from the control room. Drawing on the latest NERC and CISA guidance, this updated guide details specific physical hardware, workstation, and SCADA anomalies to watch for. Empower your frontline staff with a proactive "See Something, Say Something" cyber defense strategy tailored for OT environments.
Cyber-Informed Transmission Planning: Seven Pilots, CIP Leverage
NERC's April 2026 release of the Cyber-Informed Transmission Planning lessons learned captures seven 2024 pilots. None triggered a corrective action plan. The report's most consequential finding: strengthening low-impact CIP requirements is likely a more cost-effective leverage point than expanding TPL-001 to embed coordinated cyber contingencies.
CMEP Version 9: Maintenance on the Surface, Three Signals Underneath
NERC released CMEP Manual Version 9 on March 1, 2026. On the surface it is a maintenance release. Underneath, three signals matter: the Global Internal Audit Standards join the authoritative guidance stack, Rules of Procedure Appendix 4C moved, and a decade-old CIP Version 3 artifact got scrubbed from the Sampling Guide. None of it redraws CMEP. All of it reinforces v8's direction.
CIP-003 Low Impact Vendor Remote Access: Expert Audit Questions
A deep dive into NERC’s Currently Compliant Podcast Episode 8, extracting every key question being asked about CIP-003-9 vendor remote access. These questions provide a clear view into audit expectations across the ERO Enterprise and highlight where entities are struggling with visibility, control validation, and monitoring of vendor access.
FERC Issues Orders on Virtualization and Low Impact: What Changed and What You Need to Do
FERC unanimously approved Order Nos. 918 and 919 on March 19, 2026, finalizing CIP virtualization standards and new low-impact BES Cyber System controls, plus an updated "Control Center" definition. All CIP-registered entities are affected. Implementation windows are 24 and 36 months respectively. Compliance programs should begin gap assessments now.
The E-ISAC's 2025 Report: Real Progress, Remaining Constraints
The E-ISAC's 2025 End-of-Year Report shows real growth in membership, engagement, and threat intelligence output. But a structural challenge rooted in its funding and governance relationship with NERC continues to limit the incident sharing that collective defense depends on. Comparing E-ISAC's reported numbers against peer ISACs in health and financial services reveals how much ground remains.
Redesigning the Machine: NERC Board Accepts Transformational Standards Modernization Plan
The NERC Board has approved a historic transformation of the standards development process to meet the speed of the modern grid. Aiming for a 12–18 month timeline, the new framework re-engineers how NERC addresses risks from data centers, IBRs, and VPPs. Read our deep dive into the 2027 roadmap, the new SME pool, and the upcoming shift in voting eligibility.
How CMEP Version 8 Reshapes NERC’s Compliance Model
The CMEP Version 8 does not rewrite NERC compliance, rather it stabilizes it. Building on years of evolution, the updated Manual reinforces risk-based oversight, professional judgment, technical competence, and enterprise consistency across all Reliability Standards. The result is a more mature, defensible compliance model that shapes how audits, enforcement, and reliability governance now operate.
From Spot Evaluations to Continuous Oversight: NERC’s New Internal Controls Model
NERC’s December 2025 ERO Enterprise Guide replaces the old ICE model with continuous, risk based internal control oversight embedded across CMEP and Joint Monitoring. This shift makes control design, evidence, and effectiveness a core driver of Compliance Oversight Plans (COPs), audit depth, and how the Regions measure compliance maturity.
NERC’s CIP Roadmap and the Future of Grid Cybersecurity
NERC’s new CIP Roadmap signals a major shift in how cyber risk will be regulated across the power grid. This Policy Pulse explains what NERC released, why it matters, what standards and guidance are coming next, and how utilities, generators, and grid operators should prepare for expanding CIP scope and enforcement.
ERO CMEP 2026: Oversight in the Age of Transformation
The Electric Reliability Organization’s (ERO) 2026 Compliance Monitoring and Enforcement Program Implementation Plan (CMEP) signals a new era in how risk-based oversight keeps pace with a rapidly transforming grid. Released in October, the plan refines NERC’s compliance priorities for the coming year, retiring Incident Response as a distinct risk element and introducing Grid Transformation as a central theme.
From Firefighting to Foresight: Building CIP Programs for the Future Power Grid
NERC calls grid reliability a “five-alarm fire.” With data centers, AI, and extreme weather straining capacity, CIP programs must evolve from reactive compliance to proactive resilience. This post outlines how utilities can strengthen controls, close documentation gaps, and build CIP programs ready for the future grid.
INSM Just Got Clearer: Key Takeaways from the NATF Guidance
NATF has released new CIP-015 INSM guidance that confirms a risk-based approach for collection points, clarifies scope around ESP boundaries, contains numerous useful reference models, and reinforces practical retention strategies. It aligns closely with our INSM playbook, especially on passive visibility, multicast deduplication, and EACMS/BCSI determinations for INSM platforms.
FERC 2025 CIP Audit Findings: DER Impact Ratings, Vendor Oversight Gaps, and Cloud Compliance Risk
FERC’s latest CIP audit lessons for 2025 highlight three rising compliance risks. Entities are undercounting DERs in GOP control center impact ratings, outsourcing compliance work without adequate oversight, and moving EACMS or PACS functions to the cloud without a defensible evidence path. These issues now represent real audit exposure across the US bulk power system.