Using the Work of Others in NERC CIP and O&P Compliance

By Patrick Miller

The work of others lets you lean on someone else's assessment as compliance evidence. It does not transfer accountability. This breakdown maps the ERO guidance stack, the two-part test auditors apply, worked examples for CIP-013 vendor assessments and BCSI in the cloud, the FERC FY2025 findings on delegation gone wrong, and the audit prep questions to answer first.

Overview

You do not have to build every piece of your compliance evidence yourself. The ERO Enterprise has a name for relying on someone else's work product to support your demonstration of compliance: the "work of others." It is a legitimate, endorsed practice. It is also one of the fastest ways to take a finding if you treat it as a handoff instead of a controlled reliance.

The distinction that matters is simple. The work of others lets you lean on a qualified party's output as evidence. It does not let you transfer accountability. Whether the other party is an independent internal audit team, a commissioned third-party assessor, a government auditor, or a vendor producing an independent assessment, you remain solely responsible for compliance. The ERO can rely on the work of others to decide how to audit you. You can rely on the work of others to demonstrate you met an objective. Neither of you gets to skip the question of whether that work was any good.

This post lays out what the work of others actually is, the authoritative sources that govern it, the two-sided risk picture, two worked examples, and the audit-prep questions you should be able to answer before an auditor asks them.

What "Work of Others" Means

The ERO Enterprise uses "others" to mean any internal or external party that performs work for the registered entity, and "independent" to mean that party can carry out that work objectively and without bias. The CMEP Practice Guide on the subject recognizes four categories of others whose work may be relied upon.

The first is an independent subject matter expert, such as an outside ICS/OT security specialist engaged to assess compliance or review controls. The second is a government entity whose assessment touches the same controls, such as the GAO, the NRC, or a FISMA assessor. The third is a contractor commissioned by the entity as an independent third party, such as a consultancy performing a mock audit or a vendor assessment. The fourth, and the one most entities forget, is an internal department that is independent of the function performing the reliability task, such as internal audit, internal controls, or risk management.

That last category is worth dwelling on. An independent internal department is the work of others, with internal audit being the clearest case, and the Practice Guide names internal audit, internal control, and risk management explicitly. If that function is genuinely independent of the people running the CIP program, its testing can support your reliance position the same way an outside firm's would. The independence is what counts, not whether the party is on your payroll.

The Authoritative Source Stack

There is no single rulebook for the work of others. There is a small stack of documents, each carrying different weight, and they pull from a foundation that predates NERC entirely. If you are going to build reliance into a program, know which document does what.

Source: GAO
Document and current revision: Government Auditing Standards (Yellow Book), sections 8.80 to 8.86
What it covers: The upstream audit methodology the ERO built on. Defines using the work of others as standard government-audit practice.
Authority weight: Foundational methodology

Source: ERO Enterprise
Document and current revision: ERO Enterprise Guide for Internal Controls, Section 2.2.2
What it covers: Uses the term by name. Promotes CEAs evaluating the independence, capabilities, and competencies of the work of others.
Authority weight: Doctrinal root

Source: ERO Enterprise
Document and current revision: CMEP Practice Guide: Using the Work of Others, V1.0 (March 14, 2023)
What it covers: Tells CMEP staff how to evaluate work-of-others evidence. The operational elaboration, written for auditors.
Authority weight: CMEP Practice Guide

Source: NATF
Document and current revision: CIP-013 Implementation Guidance: Using Independent Assessments of Vendors, V3.1 (Doc ID 1097, October 23, 2023)
What it covers: Applies the work of others to vendor assessments under CIP-013. The marquee use case.
Authority weight: ERO-endorsed Implementation Guidance

Source: NERC RSTC
Document and current revision: Implementation Guidance: Usage of Cloud Solutions for BCSI, CIP-004-7 R6 and CIP-011-3 R1 (June 21, 2023)
What it covers: Endorses third-party audit reports as BCSI cloud compliance evidence. A second reliance use case.
Authority weight: ERO-endorsed Implementation Guidance

Source: FERC
Document and current revision: FY2025 Lessons Learned from Commission-Led CIP Reliability Audits (October 20, 2025), Lesson 2
What it covers: Governs the accountability side: due diligence and oversight when a third party performs the actual compliance task.
Authority weight: FERC staff report (non-binding)

A few notes on how to read that stack…

The Guide for Internal Controls is the doctrinal root, and the Practice Guide is the operational version of the same idea aimed at CMEP staff. Reading both gives you the entity-side concept and the auditor-side application of it.

The two Implementation Guidance documents, NATF for vendor assessments and the RSTC guidance for BCSI in the cloud, are the only items in the stack that carry Implementation Guidance weight. Implementation Guidance is industry-vetted and ERO-endorsed, which means it comes with the "you could comply this way" safe-harbor value that a Practice Guide does not. If you are actually wiring reliance into a program, those are the documents to follow, because they are the ones that give you cover.

The FERC report never uses the phrase "work of others." It governs the inverse situation, and that distinction is the single most important thing in this post.

Two Sides of the Same Relationship

People collapse two different things into "using a third party." They are not the same, and they carry different risks.

What you are leaning on
  Work of others (evidence reliance): Someone else's assessment or review as a source of assurance.
  Delegated performance (task outsourcing): Someone else performing the compliance task itself.

Governing guidance
  Work of others: ERO Internal Controls Guide, CMEP Practice Guide, NATF, RSTC BCSI guidance.
  Delegated performance: FERC FY2025 Lessons Learned, Order No. 706, ERO Registration Procedure.

Core risk
  Work of others: The work was not qualified, not independent, or not aimed at NERC compliance.
  Delegated performance: The third party never did the task, and you had no control to catch it.

What survives the audit
  Work of others: Documented evaluation of the work and how you used it.
  Delegated performance: Oversight controls plus evidence the task was actually completed.

In practice, a serious reliance program has to satisfy both columns at once. You evaluate the work of others to the standard the ERO guidance sets, and you maintain oversight controls to the standard FERC expects. A program that does the first and skips the second is exactly what produces the FERC findings discussed later in this post.

The Test for Relying on the Conclusions of Others

The CMEP Practice Guide gives CMEP staff a two-part test before they treat the conclusions of others as usable. Read it as the bar your own evidence has to clear, because the auditor is going to apply it to whatever you submit.

First, the work product has to stand on its own. A reasonably qualified person should be able to re-perform the work and arrive at the same conclusion. If the output is a black box that cannot be reconstructed or defended, it does not qualify.

Second, it must be known or demonstrated that the others were qualified to reach those conclusions and that they were considering NERC Reliability Standards compliance, including internal controls. This is the prong most third-party work fails. The assessor may have done excellent work, but if they were assessing against a generic framework and never had NERC requirements in scope, their conclusions do not map to your obligations.

When you evaluate qualifications, the guidance points to expertise in the related area: certifications, relevant training, background, and work experience. For the vendor-assessment use case, the NATF guidance names credentials like Certified Internal Auditor and Certified Information Systems Auditor as relevant and cross-references the NERC Compliance Monitoring and Enforcement Manual for example assessor qualifications. One currency note, since NATF points to an older edition: the Manual has since advanced to version 9, effective March 1, 2026, so work the qualification and competency expectations from the current version. Version 9 also folded the Global Internal Audit Standards into its authoritative guidance stack, which gives auditors a recognized professional benchmark for judging the independence and competency of an internal audit function, and by extension the weight that function's work can carry as the work of others.

Worked Example: Independent Vendor Assessments Under CIP-013

The clearest application of the work of others is CIP-013 supply chain risk management, and it has a fully developed, ERO-endorsed playbook in the NATF guidance. The logic is a direct parallel: just as the ERO may rely on the work of others to decide how to monitor you, you may rely on a qualified independent assessment of a vendor's risk-management controls to show you assessed the cyber security risks tied to that vendor's products and services.

Building reliance into the plan under Requirement R1 means describing a process to do four things. First, ask the vendor for a third-party independent assessment, including the methodology used, performed by an auditor who evaluates the vendor's controls against, at minimum, the criteria in CIP-013 R1 Part 1.2. Second, evaluate the auditor's qualifications and the cyber security framework they used, confirming appropriate independence, credentials, and sufficient understanding of supply chain risk in the electric industry. Third, evaluate the scope and the results of the assessment. Fourth, document that evaluation, including the assessor's qualifications, the methodology and scope, and your conclusions about what additional mitigating actions are appropriate. Mitigating actions can include physical controls, logical controls, or contract modifications.

Demonstrating implementation under Requirement R2 then means showing you asked for and received the assessment and documented your conclusion that the assessor was qualified, reviewed and confirmed (a predefined checklist works well here) that the results address the R1 Part 1.2 topics, and used the results to inform the actions you took on each of those topics. The NATF Criteria and the Energy Sector Supply Chain Risk Questionnaire exist to standardize the information you collect from vendors, and they map to known security frameworks so you are not reinventing the questionnaire each time.

The accountability line in the NATF guidance is the same one that runs through every source in this post. You are ultimately responsible for compliance with the supply chain standards, so you maintain the evidence: the plan, the recurring reviews, the risk identifications, the conclusions, and the mitigating actions with their status.

A Second Example: Third-Party Audit Reports for BCSI in the Cloud

The same pattern shows up in a place most people do not label as the work of others: BCSI stored in a cloud service. When you put BCSI in the cloud and the cloud service provider performs access provisioning, the periodic access review, or revocation, you often cannot produce your own direct records of those actions. The NERC RSTC Implementation Guidance for CIP-004-7 R6 and CIP-011-3 R1 anticipates exactly this and repeatedly offers an alternative: third-party audit reports providing reasonable assurance that the provider's controls and processes are effective and being followed, such as FedRAMP or SOC 2 Type 2 reports or similar.

That is reliance on the work of others. The assessor's report becomes part of your compliance evidence, in place of records you cannot generate yourself. And the guidance attaches the same caveat as every other source: the division of security responsibilities in a cloud environment does not transfer compliance responsibility to the provider. You are the data owner. You must still be able to demonstrate compliance with CIP-004-7 and CIP-011-3, and the guidance notes that auditors may want to verify for reasonable assurance even where the provider prevents its own personnel from reaching the data.

The evaluation discipline carries over intact. A SOC 2 Type 2 report is only useful to you if its scope actually covers the controls and processes in question, whether that is confidentiality protection of BCSI under CIP-011-3, the access review every 15 calendar months, or revocation by the end of the next calendar day. A report scoped to a different trust services criterion, or to a different system boundary, does not get you there. The report is the work of others, and the two-part test applies to it the same way it applies to a vendor assessment.

One realistic caution worth stating plainly. CIP-004-7 and CIP-011-3 became enforceable on January 1, 2024, and they opened a path for BCSI in the cloud. Actual adoption for high and medium impact environments has been modest since then, in part because clear, purpose-built compliance guidance has been thin. The third-party-report reliance path works, but it is still maturing in practice, so plan for more auditor scrutiny here than the guidance alone might suggest. For the deeper treatment of BCSI access, cloud models, and encryption choices, see our earlier post on CIP-004-7 and CIP-011-3.

What Goes Wrong: the FERC FY2025 Findings

FERC's FY2025 Lessons Learned report, issued October 20, 2025, made third-party due diligence one of its three headline lessons, alongside DER considerations in control center categorization and cloud service compliance risk. Our full breakdown of the FY2025 findings covers all three; here the focus is the third-party lesson. The framing is the accountability side of the relationship, and the principle is blunt: registered entities are ultimately responsible for compliance even when using third parties, and an entity may delegate the performance of a task but remains solely responsible and accountable for violations on tasks performed on its behalf. FERC reaches back to Order No. 706 for the point that a responsible entity must conduct vigorous oversight of the vendors it employs.

The three findings are worth memorizing because each one is an oversight control that was missing, not an assessment that was wrong.

In the first, under CIP-003-8, an entity contracted a third party to keep its firewall rules current and necessary. The third party never completed the task, which left unnecessary inbound and outbound electronic access in place, and the entity had no control to catch it. Its only follow-up was after the fact. Delegation without a timely verification control is a gap.

In the second, under CIP-006-6, an entity relied on a vendor to perform the recurring 24-month testing of a cloud-based physical access control system. The vendor missed the required window, and the entity had no control to ensure the testing happened or to learn of the failure in time. Recurring obligations need monitoring that fires before the deadline, not a calendar reminder that arrives after it.

In the third, under CIP-010-4, an entity retained a third party to handle vulnerability scanning, review of the results, and prioritization of the mitigation plan. The entity did not participate in the analysis or the prioritization at all, effectively ceding its risk decisions to the contractor. You can outsource the legwork. You cannot outsource the risk judgment, and the entity should have run joint review and prioritization sessions to keep the mitigation aligned with its own risk tolerance.

For mitigation, FERC named three categories of compensating control: contractual instruments such as service level agreements and memoranda of understanding, internal controls that provide oversight through monitoring and alerting of third-party actions, and keeping third-party staff, infrastructure, and data within the continental United States. The CONUS emphasis is newer and worth flagging to anyone leaning on offshore managed services. In practice, the oversight that survives an audit looks like a named-role responsibility matrix tied to specific CIP requirements and assets, status telemetry on a defined cadence that flags a time-bound task as overdue before the deadline rather than after, and an evidence repository the registered entity itself controls, backed by an agreed audit-access window when the vendor holds the underlying records. Treat delegated compliance tasks as controlled processes, not tickets.
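One way to turn the "flags a time-bound task as overdue before the deadline" control into a running check, written here as an added illustration and not code from this post or from any NERC, NATF or FERC source. The task register, owner roles, dates, warning windows and the 3-month firewall-review cadence are constructed; the 24-month CIP-006-6 testing and 15-calendar-month CIP-004-7 R6 access review intervals are the ones the post cites.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

def add_months(d: date, months: int) -> date:
    """Advance by whole calendar months, clamping the day to the target
    month's length, because CIP intervals are stated in calendar months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class DelegatedTask:
    requirement: str          # CIP requirement the task supports
    description: str
    entity_owner: str         # named internal role that stays accountable
    last_completed: Optional[date]
    interval_months: int      # maximum allowed gap between completions
    warning_days: int         # how far ahead of the deadline to escalate
    evidence_on_file: bool    # completion record held in the entity's own repository

def task_status(task: DelegatedTask, today: date) -> str:
    """Classify one delegated task. A completion the entity cannot evidence
    from its own records is treated as not done, so it outranks cadence."""
    if task.last_completed is None:
        return "NEVER_PERFORMED"
    if not task.evidence_on_file:
        return "UNVERIFIED"
    due = add_months(task.last_completed, task.interval_months)
    if today > due:
        return "OVERDUE"
    if today >= due - timedelta(days=task.warning_days):
        return "DUE_SOON"
    return "ON_TRACK"

def escalations(tasks, today: date):
    """(owner, requirement, status) for every task that needs attention
    before, not after, its compliance deadline."""
    out = []
    for t in tasks:
        status = task_status(t, today)
        if status != "ON_TRACK":
            out.append((t.entity_owner, t.requirement, status))
    return out

# Constructed sample register: roles, dates and the 3-month firewall cadence
# are illustrative; the 24-month and 15-calendar-month intervals are the
# ones the post cites for CIP-006-6 testing and CIP-004-7 R6 access review.
SAMPLE_TASKS = [
    DelegatedTask("CIP-006-6", "24-month test of cloud-hosted PACS",
                  "Physical Security Manager", date(2024, 3, 15), 24, 90, True),
    DelegatedTask("CIP-004-7 R6", "15-calendar-month BCSI access review",
                  "BCSI Data Owner", date(2025, 1, 31), 15, 60, True),
    DelegatedTask("CIP-003-8", "Firewall rule necessity review",
                  "Network Security Lead", date(2025, 11, 1), 3, 14, False),
]

def sample_report(as_of: date = date(2026, 1, 20)):
    """Run the register as of a fixed, constructed date."""
    return escalations(SAMPLE_TASKS, as_of)

if __name__ == "__main__":
    for owner, req, status in sample_report():
        print(f"{status:15} {req:12} -> {owner}")
```

Run on a fixed cadence from the entity's own systems, not the vendor's, so the escalation list lands with the named owner while the window to act is still open.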

Multi-Stakeholder View

The work of others lands differently depending on where you sit.

Compliance lead
  What it means: Reliance can cut duplication, but only with documented evaluation of the work and how it was used.
  Priority action: Build an evaluation and use-of-work template, not a filing cabinet.

Internal audit / controls
  What it means: Your independent testing is itself the work of others and can support reliance positions.
  Priority action: Preserve independence from the CIP program and document it.

Procurement / supply chain
  What it means: Independent vendor assessments are an endorsed CIP-013 path, but the qualification and scope checks are on you.
  Priority action: Adopt the NATF Criteria and ESSCR Questionnaire and a checklist for R1 Part 1.2.

Cloud / BCSI owner
  What it means: FedRAMP and SOC 2 Type 2 reports can stand in for records you cannot generate, if their scope fits.
  Priority action: Confirm report scope maps to the specific CIP-004-7 and CIP-011-3 obligations.

Shared services / multi-entity
  What it means: Parent or affiliate work product feeds subsidiary compliance, raising both reliance and oversight questions.
  Priority action: Formalize responsibilities, audit rights, and change notification in writing.

Executive / accountable officer
  What it means: Accountability never transfers. A vendor failure is your violation.
  Priority action: Fund the oversight controls, not just the outsourced task.

Audit Prep Questions

Before you rely on anyone's work, be ready to answer these. If you cannot, you are not relying on the work of others. You are hoping.

  • For each piece of work you intend to rely on, can you state who performed it, their qualifications, and why they were independent of the function being assessed?

  • Can you show the work was performed with NERC Reliability Standards compliance in scope, including internal controls, rather than against a generic framework?

  • Could a reasonably qualified person re-perform the work and reach the same conclusion from what you have on file?

  • For a third-party audit report you are leaning on, does its scope actually cover the specific control or process at issue, and the right system boundary?

  • Do you have a documented evaluation of the work, separate from the work itself, showing how you assessed it and how you used it in your environment?

  • For each task you delegated, do you have an oversight control that detects non-performance before the compliance deadline, not after?

  • Can you produce written evidence that the delegated task was actually completed, and can your own staff speak to its substance in an interview?

  • Are your reliance relationships anchored in contract terms, service level agreements, or intercompany agreements that define responsibilities, audit rights, and change notification?

Open Issues

A few things the current guidance does not fully resolve, and that you should watch.

The work-of-others guidance predates the virtualization wave. The CMEP Practice Guide is V1.0 from March 2023, and it has not been refreshed to address how reliance interacts with the virtualization standards now coming into effect. The BCSI cloud guidance is similarly an early artifact, and as noted above, real-world adoption has lagged the standards. The intersection of reliance, delegation, and cloud is still unsettled, and FERC's FY2025 report flags the broader cloud compliance gap directly.

The independence bar for internal departments is qualitative. The guidance says the internal party must be independent of the function performing the reliability task, but how much organizational separation is enough remains a judgment call that varies by region and auditor.

The CONUS-location expectation in FERC's FY2025 mitigation list is a staff recommendation, not a requirement. How regions weigh offshore managed services in practice is worth tracking as more entities lean on global providers.

Bottom Line

The work of others is a real efficiency, and the ERO endorses it across vendor assessments, internal controls, and BCSI in the cloud alike. It is also a discipline, not a shortcut. Treat the other party's work as a source you evaluate and document, keep an oversight control on anything you delegate, and remember that accountability stays with you no matter who does the work. Get those three right and reliance strengthens your program. Get them wrong and you have simply added a party to (try to) blame after the finding lands.
