On October 20, 2025, FERC Staff issued a report outlining areas of risk to the reliability of the electric grid, based on non-public Critical Infrastructure Protection (CIP) Audits of U.S.-based North American Electric Reliability Corporation (NERC) registered entities’ (Registered Entities) compliance with the CIP Reliability Standards during Fiscal Year 2025 (FY2025). FERC Staff reported that the FY2025 audits show that, while most of the Registered Entities’ cyber security protection processes and procedures met the CIP Reliability Standard requirements, some potential noncompliance and security risks remained. FERC Staff identified lessons learned from the CIP Audits, which included (1) considering Distributed Energy Resources (DERs) in Control Center impact ratings; (2) performing due diligence on third parties’ compliance efforts undertaken on behalf of a Registered Entity; and (3) evaluating compliance risk when using cloud services.
The CIP Reliability Standards aim to reduce the cyber security and physical security risks to facilities connected to the bulk electric system (BES). FERC maintains jurisdiction over the Reliability Standards through its jurisdiction over NERC as the Electric Reliability Organization. The CIP Audits, which have been conducted since FY2016, consist of data requests and virtual and on-site visits of Registered Entities.
FERC Staff found that numerous NERC Registered Entities were not considering DERs and distribution-connected generation when calculating the impact rating of a Control Center. FERC Staff noted that a Registered Entity’s failure to consider DERs when determining the Control Center impact rating may result in that Registered Entity not applying the controls required for the actual level of risk. FERC Staff thus recommended including DERs in a Registered Entity’s assessment of generation to ensure accurate categorization of Control Centers under NERC requirements.
FERC Staff next found that some Registered Entities were not maintaining proper oversight of third parties that perform compliance duties under the Reliability Standards on behalf of Registered Entities, thus leading to compliance risks. FERC Staff recommended documenting compliance risks in outsourcing compliance functions to a third party and establishing controls, such as a Memorandum of Understanding between the Registered Entity and the third party performing the compliance functions, to reduce such risks.
Finally, FERC Staff found that some Registered Entities used cloud services without (1) ensuring that such cloud services were compliant under the Reliability Standards, or (2) establishing proper oversight over the cloud services’ functions. Specifically, FERC Staff identified risks from utilizing cloud services for Electronic Access Control or Monitoring Systems, as well as for Physical Access Control Systems. FERC Staff stated that Registered Entities should understand the CIP Reliability Standards’ limitations when operating high and medium impact BES Cyber Systems in the cloud, and recommended that Registered Entities review their usage of cloud services and mitigate risk where appropriate.
FERC Staff’s report is available here.