NERC CIP Services
CIP Solved
CIP From Every Angle. Since the Beginning.
Most firms offer NERC CIP as part of a broader cybersecurity practice. Ampyx Cyber was built around it, and has been since the regulation was first conceived. Ampyx Cyber has been part of the CIP universe since 2002, when the foundation of what would become the CIP standards was still being debated in FERC's Standard Market Design proceedings. No other firm in the industry carries that depth of history with this regulation, and that history is not just biographical. It translates directly into the quality and precision of the work we do for our clients.
Over more than two decades, we have occupied every seat in the CIP ecosystem. We have been utility staff implementing controls and sitting through audits. We have served on standards and interpretations drafting teams, official guidance working groups, and NERC and Regional committees. We have participated in multiple FERC Technical Committees and submitted direct comments on NOPRs and Orders. We have been the Regional Entity CIP auditors conducting the audits and issuing the findings. We have developed and delivered CIP training for institutions including the SANS Institute and EnergySec (now with our own CIP training). We have seen compliance programs across investor-owned utilities, municipals, cooperatives, and independent power producers. Generation, transmission, control centers, and vertically integrated utilities, across every registered function including GO, GOP, TO, TOP, BA, and RC.
That breadth matters because CIP compliance looks different depending on where you sit. A high-impact BA with a large compliance team faces fundamentally different challenges than a small cooperative or generation aggregator just crossing the NERC registration threshold for the first time. We have worked with all sizes and functions. If you are a new asset owner or inverter-based resource just reaching NERC registration thresholds, we can help you build a program from the ground up. If you are a mature registered entity looking to sharpen a program that has been running for years, we know exactly where to look.
If it is NERC CIP, we have done it.
CIP Compliance
24/7/365
Getting compliant is hard.
Staying compliant is even harder.
NERC CIP is not a regulation you satisfy once and revisit before your next audit. It is a zero-defect, zero-tolerance framework that requires your program to be audit-ready every day of every year, not just in the weeks before a Regional Entity shows up. The standards change. Your infrastructure changes. Staff turns over, taking institutional knowledge with them. New assets get brought into scope. Vendors get acquired or discontinued. Each of these events creates compliance exposure, and organizations that aren't actively managing their program between audits tend to discover their gaps at the worst possible time.
The challenge isn't just maintaining what you have. It's keeping pace with a regulatory environment that doesn't stand still. NERC regularly revises and expands the CIP standards, and what satisfied auditors in a previous cycle may not satisfy them in the next one. Interpretations evolve. Auditor expectations shift. Staying current requires dedicated attention that most compliance teams, already stretched thin by day-to-day operational demands, simply don't have the bandwidth to sustain on their own.
Ampyx Cyber provides ongoing compliance maintenance support designed to keep your program healthy, defensible, and audit-ready at all times (not just when an audit is on the horizon). We work alongside your team to manage the continuous demands of a mature CIP program so that nothing falls through the cracks between now and your next audit cycle.
We can help you manage these obstacles and keep your program on track:
Gap assessment - collaborative approach to identifying compliance gaps
Mock audit - performed in the style of your Regional Entity, just like the real thing
Policy, process and procedure review
Facilitated incident response and recovery exercises
Internal control evaluation, design, and testing (ICE, RAI)
Inherent Risk Assessment (IRA) preparation
Internal Compliance Program (ICP) evaluation
Compliance program benchmarking and metrics
Compliance staff augmentation
Compliance “phone a friend” - sometimes you just need to call an expert for a quick answer
RC/BA/TOP and Control Center certification and re-certification preparation
Pre-Audit Support
Go into the audit with no surprises.
A NERC CIP audit does not begin when the auditors arrive. It begins months earlier, when your team starts pulling documentation, reviewing evidence, and trying to identify gaps before the Regional Entity does. For most utilities, that process surfaces uncomfortable realities: RSAWs that haven't been updated, evidence that doesn't quite match the standard's requirements, or controls that work in practice but aren't documented in a way that holds up under scrutiny. The larger and more complex your program, the more there is to find.
Even low-impact organizations with lean compliance teams face the same fundamental challenge of doing more with less.
Ampyx Cyber works with utilities at every stage of audit preparation, from initial readiness assessments to final evidence review. We have been through this process from the auditor's side. We know what Regional Entities look for, how they interpret evidence, and where programs most commonly fall short. That perspective lets us focus your preparation effort where it matters most rather than chasing completeness for its own sake. Our goal is to get you into the audit confident that your program is defensible, your documentation is solid, and your team is ready to present it. Whether you are six months out or six weeks out, there is meaningful work we can do together.
Below are just some of the pre-audit services we offer to help you go into the audit prepared, confident, and ready:
RSAW (Reliability Standards Audit Worksheet) review, creation, and markup
ERT (Evidence Request Tool) assistance
Evidence sufficiency review, creation, and markup
Gap assessment - collaborative approach to identifying compliance gaps
Mock audit - performed in the style of your Regional Entity, just like the real thing
Self-report review and preparation
Internal control evaluation, design, and testing
Inherent Risk Assessment
Witness/SME preparation and training
Senior Management awareness, preparation, and training
Live Audit Support
Real-time support for the real thing.
A live NERC CIP audit is one of the most operationally demanding events your organization will face. Data requests arrive continuously. Evidence has to be located, reviewed, and presented under time pressure. Potential violations need to be assessed and managed in real time. Your staff, often the same people running day-to-day operations, suddenly find themselves working evenings and weekends just to keep up. It is exhausting, stressful, and for many organizations, deeply disruptive. Your team deserves to go home at night.
Ampyx Cyber provides hands-on, real-time support throughout the live audit process so your team doesn't have to carry that burden alone. We have supported audits across all NERC Regions and maintain direct professional relationships with CIP auditors throughout the ERO enterprise. We know how audits are run, how auditors think, and how to navigate the process efficiently and professionally, from the opening meeting to the final data request. We also understand that every audit is different, and we tailor our support to what your organization actually needs rather than applying a one-size-fits-all approach.
Whether you need full war room management or targeted support for a specific challenge, we are ready to step in at any stage of the process.
A sampling of the many live-audit support options we offer is as follows:
Audit logistics and planning
“War room” management, triage, and support
Data request processing and narratives
Auditor interpretation, translation, and negotiation
Evidence review and presentation
Violation processing, containment, and management
SME and Witness pre/de-brief, etiquette, and coaching
Senior Management awareness and briefing
Post-Audit Support
The audit is over. The work isn’t.
The close-out meeting is done. The auditors are gone. For a moment, it feels like you can breathe again. And you should. But the post-audit period is one of the most consequential phases of your compliance program, and organizations that treat it as downtime tend to pay for it in the next cycle.
Very few utilities come out of a NERC CIP audit without something to address. Even a clean audit often produces Areas of Concern or official Recommendations that the Regional Entity will revisit. Possible Non-Compliance findings require immediate containment and mitigation planning. And beyond the formal audit output, your own team almost certainly identified issues during preparation and during the audit itself: hot spots, documentation gaps, and control weaknesses that didn't surface as violations this time but will become future risks if left unresolved.
The post-audit window is actually one of the best opportunities to strengthen your program. Leadership attention is high, the findings are fresh, and the path to improvement is clearly mapped. Ampyx Cyber helps you make the most of that window by turning audit findings, observations, and lessons learned into concrete program improvements before the next cycle begins.
Below are just some of the post-audit services we offer to help you address the findings and come out stronger on the other side:
Lessons learned capture and reporting ("hotwash")
Violation processing, containment, and remediation
Possible Non-Compliance (PNC) triage and risk assessment
Audit report interpretation and stakeholder communication
Remediation (Mitigation Plan) preparation, prioritization, and implementation
Settlement negotiations with the Regional Entity
Areas of Concern and Recommendation tracking and response
Control design and implementation to address identified weaknesses
Budget comparison, forecasting, and baselining for remediation projects
Project management for post-audit remediation efforts
Executive and Board-level reporting on audit outcomes
Internal audit and self-assessment program development
Program Development
Compliance is a program, not a project.
Every phase. Every mode. Every size.
NERC CIP compliance is not a destination. It is an ongoing operational discipline that demands consistent attention across people, processes, and technology. Whether your organization is newly registered and standing up a compliance program for the first time, or you have been through multiple audit cycles and are working to refine and mature an established program, the day-to-day demands of CIP don't pause while everything else is happening around you.
Ampyx Cyber supports organizations at every stage of the compliance journey and in whatever mode of engagement fits their needs. Some clients need embedded, hands-on support to get through a difficult stretch. Some need a staff augmentation model where we work alongside your team as an extension of your compliance function. Others need a trusted resource to call when a specific issue arises or a point-in-time problem needs to be resolved quickly and correctly. Still others need a full compliance program build, taken from concept through implementation to long-term management. We are comfortable in all of these roles and experienced in moving between them as your needs evolve.
No matter the scope, the goal is the same: a defensible, audit-ready compliance program that doesn't depend on a heroic effort every time the Regional Entity comes calling.
Some of the many service offerings we have for “routine” CIP compliance are below:
Documentation review and maintenance
RSAW review and maintenance
Evidence review and maintenance
Process/procedure review and development
Control design and testing
Version transition planning and forecasting
BES Cyber System Categorization and high/medium/low impact rating
Facilitated CIP-008/CIP-009 exercises
Cyber Asset inventory and validation
Compliance management software design, procurement, and implementation
Project management
Compliance program development
Ask an Expert
Got a tough question?
Sometimes you just need to phone a friend. Ask us anything, any time. You don’t need to be an existing or prospective client. No cost, no commitment, no sales follow-up, no contact lists. Simply put, no strings attached. We will always respect your privacy. We promise.