NERC CIP Compliance Checklist for 2026

NERC CIP is not a best-practice framework you adopt at your own pace. It is mandatory law for the North American bulk electric system, enforced by NERC and FERC through eight Regional Entities, with civil penalties that can reach into seven figures per violation per day. This checklist walks a NERC-registered entity through every CIP standard that matters in 2026, with concrete, auditable actions for each.
Why NERC CIP compliance is non-negotiable in 2026
The Critical Infrastructure Protection (CIP) standards are the cybersecurity rules that govern the bulk electric system (BES) across the United States and most of Canada. They are developed by the North American Electric Reliability Corporation (NERC), approved and enforced under the authority of the Federal Energy Regulatory Commission (FERC), and audited in the field by Regional Entities: WECC, ReliabilityFirst (RF), SERC, MRO, NPCC, Texas RE, and SPP RE.
Unlike voluntary frameworks, CIP compliance is a legal obligation tied to your NERC registration. Under the Federal Power Act, civil penalties for reliability standard violations can reach up to $1 million per violation per day as a statutory maximum. Actual penalties are set through NERC's enforcement process and depend on the violation risk factor, severity, duration, and your compliance history, so most settlements land well below that ceiling. The point stands: this is enforced, it is audited, and the documentation burden is heavy. The checklist below is organized by standard so a compliance lead can work through it methodically.
Facing a CIP audit or first-time registration?
Z Cyber runs the program for utilities, from categorization through evidence collection and audit support.
Step one: categorize your BES Cyber Systems (CIP-002)
Everything in CIP flows from categorization. CIP-002 requires you to identify your BES Cyber Systems and rate each as high, medium, or low impact using the bright-line criteria in Attachment 1. Your obligations under nearly every other standard scale with that rating, so getting this wrong contaminates the entire program.
CIP-002 checklist
- Inventory all Cyber Assets associated with BES facilities, then group them into BES Cyber Systems.
- Apply the Attachment 1 bright-line criteria to assign each system a high, medium, or low impact rating.
- Document the rationale for each categorization, including control centers, generation, and transmission assets.
- Have the CIP Senior Manager or a delegate review and approve the categorization at least once every 15 calendar months.
- Keep dated evidence of the review, since auditors will ask for the approval trail, not just the current list.
Governance and people: CIP-003, CIP-004
CIP-003 (Security Management Controls) establishes the policy backbone and the accountable role. CIP-004 (Personnel and Training) governs who can touch your systems and what they must know before they do.
CIP-003 checklist
- Maintain documented cybersecurity policies reviewed and approved at least once every 15 calendar months.
- Designate a CIP Senior Manager by name and document any delegations of authority.
- Implement the required security controls for low-impact assets, including physical and electronic access controls and a cyber security awareness program.
CIP-004 checklist
- Run a security awareness program that reinforces cyber security practices on a recurring basis.
- Deliver role-based training before granting authorized electronic or unescorted physical access.
- Conduct personnel risk assessments, including identity verification and a seven-year criminal history check, before access is granted and at least once every seven years thereafter.
- Maintain access management programs that authorize, review, and revoke access. Revoke access for terminations promptly, and review access privileges at least once every 15 calendar months.
Perimeters and physical security: CIP-005, CIP-006, CIP-014
These three standards protect the boundaries around your systems, both the logical perimeter and the physical one.
CIP-005 (Electronic Security Perimeters) checklist
- Define Electronic Security Perimeters and route all external routable connectivity through an identified Electronic Access Point.
- Deny access by default and permit only what is explicitly needed.
- For Interactive Remote Access, require an Intermediate System, encryption, and multi-factor authentication.
- Detect and document malicious communications where technically feasible.
CIP-006 (Physical Security of BES Cyber Systems) checklist
- Define physical security perimeters and control unescorted physical access to BES Cyber Systems.
- Log physical entry and monitor for unauthorized access.
- Retain physical access logs and test physical access control systems on the required interval.
CIP-014 (Physical Security of critical substations) checklist
- Perform a risk assessment to identify transmission stations and substations that, if rendered inoperable, could cause instability or cascading failures.
- Obtain an unaffiliated third-party verification of that risk assessment.
- Evaluate potential threats and vulnerabilities to the identified facilities, then develop and implement a physical security plan.
System hardening and recovery: CIP-007, CIP-009, CIP-010
This cluster is where most audit findings originate, because it demands continuous, evidence-heavy operational discipline.
CIP-007 (System Security Management) checklist
- Enable only the logical network ports needed for operation and document the justification for each.
- Track security patch sources, evaluate applicable patches at least once every 35 calendar days, and apply, mitigate, or document a plan for each (CIP-007 R2).
- Deploy and maintain malicious code prevention.
- Log security events, generate alerts for detected events, and review logs on the required cadence.
- Enforce strong authentication and manage shared and default account credentials.
CIP-010 (Configuration Change Management and Vulnerability Assessments) checklist
- Establish and maintain baseline configurations for applicable Cyber Assets.
- Authorize and document changes that deviate from the baseline, and update the baseline within the required window.
- Monitor for unauthorized changes to the baseline where required.
- Conduct vulnerability assessments at least once every 15 calendar months, with an active vulnerability assessment before adding a new applicable Cyber Asset to production.
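The baseline and unauthorized-change items above are the part of CIP-010 that an auditor expects to see operating, not just documented. The following is an added example (not code from the page or from Z Cyber) of a drift check over the five baseline elements CIP-010 R1.1 names; the asset name, software, port and patch values are constructed sample data, and the change-record lookup is a hypothetical stand-in for a real change management system.

```python
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """The five CIP-010 R1.1 baseline elements for one Cyber Asset."""
    asset: str
    os_firmware: str
    commercial_software: set = field(default_factory=set)
    custom_software: set = field(default_factory=set)
    open_ports: set = field(default_factory=set)   # logical network accessible ports
    patches: set = field(default_factory=set)      # security patches applied


def compare_baseline(approved: Baseline, observed: Baseline) -> list:
    """Return deviations as (element, kind, value) tuples.

    kind is 'changed' for the OS/firmware string, 'added' for an item present
    now but not in the approved baseline, 'removed' for an approved item that
    is now absent. Every deviation must either match an authorized change
    record (R1.2, R1.3) or be investigated as an unauthorized change (R2.1).
    """
    findings = []
    if approved.os_firmware != observed.os_firmware:
        findings.append(("os_firmware", "changed", observed.os_firmware))
    for element in ("commercial_software", "custom_software", "open_ports", "patches"):
        want, have = getattr(approved, element), getattr(observed, element)
        findings += [(element, "added", v) for v in sorted(have - want)]
        findings += [(element, "removed", v) for v in sorted(want - have)]
    return findings


def unauthorized(findings: list, change_records: set) -> list:
    """Keep only deviations with no approved change record keyed (element, value)."""
    return [f for f in findings if (f[0], f[2]) not in change_records]


# Constructed sample data: approved baseline, a later observed snapshot and
# the set of approved change records (hypothetical values throughout).
APPROVED = Baseline("EMS-HMI-01", "Windows Server 2019 build 17763",
                    {"scada-hmi 4.2", "av-agent 12.1"}, {"alarm-forwarder 1.0"},
                    {"tcp/443", "tcp/3389"}, {"KB-SAMPLE-001"})
OBSERVED = Baseline("EMS-HMI-01", "Windows Server 2019 build 17763",
                    {"scada-hmi 4.2", "av-agent 12.1", "remote-tool 15"},
                    {"alarm-forwarder 1.0"},
                    {"tcp/443", "tcp/3389", "tcp/5938"},
                    {"KB-SAMPLE-001", "KB-SAMPLE-002"})
CHANGE_RECORDS = {("patches", "KB-SAMPLE-002")}   # the patch was authorized; the rest was not

if __name__ == "__main__":
    for finding in unauthorized(compare_baseline(APPROVED, OBSERVED), CHANGE_RECORDS):
        print("UNAUTHORIZED CHANGE:", finding)
```

Each unauthorized finding is the trigger for the R2.1 investigation, and the approved baseline itself is only updated once the matching change record exists.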
CIP-009 (Recovery Plans) checklist
- Maintain recovery plans for BES Cyber Systems, including backup and restoration processes.
- Test recovery plans on the required interval and after major changes.
- Verify the integrity and usability of backup media so a restore actually works when you need it.
CIP-007 patch evidence eating your team alive?
Z Cyber operates this on the Glance platform so the 35-day cycle and the audit evidence are continuous, not a fire drill.
Incident response, information protection, and supply chain: CIP-008, CIP-011, CIP-013
CIP-008 (Incident Reporting and Response Planning) checklist
- Maintain a documented Cyber Security Incident response plan with defined roles and notification steps.
- Report Reportable Cyber Security Incidents, and attempts to compromise, to the Electricity Information Sharing and Analysis Center (E-ISAC) within the required timeframes.
- Test the response plan at least once every 15 calendar months and update it based on lessons learned.
- Coordinate with broader energy-sector reporting obligations, such as DOE Form OE-417 where applicable.
CIP-011 (Information Protection) checklist
- Identify and classify BES Cyber System Information (BCSI).
- Protect BCSI in storage, transit, and use, including any cloud or third-party repositories.
- Sanitize or destroy data on media before reuse or disposal to prevent unauthorized recovery.
CIP-013 (Supply Chain Risk Management) checklist
- Maintain a documented supply chain cyber security risk management plan for applicable systems.
- Address vendor security controls in procurement, including notification of incidents, coordination of remote access, and disclosure of known vulnerabilities.
- Review and approve the plan at least once every 15 calendar months.
For a deeper treatment of vendor risk obligations, see our CIP-013 supply chain risk management guide.
How CIP maps to complementary frameworks
CIP defines the mandatory floor, but most mature utility programs run it alongside cross-industry frameworks. NIST CSF 2.0 gives executives a common control language, IEC 62443 hardens the OT and industrial control layer, and NIST SP 800-82 provides ICS-specific guidance. The table below shows where each fits.
| Framework | Scope | Status | Role alongside CIP |
|---|---|---|---|
| NERC CIP | Bulk electric system | Mandatory, enforced | The regulatory baseline you must meet |
| NIST CSF 2.0 | Cross-industry | Voluntary | Common governance and risk language for the board |
| IEC 62443 | Industrial automation and control systems | Voluntary standard | Deep OT and ICS hardening and segmentation |
| NIST SP 800-82 | ICS / OT | Guidance | Practical OT security implementation reference |
If you are weighing how the industrial standard lines up against the regulatory one, read our comparison of IEC 62443 vs NERC CIP, and use our NIST CSF 2.0 compliance checklist to align executive reporting.
Run the program with an operating partner, not a binder
The hard part of CIP is not knowing the requirements. It is sustaining the evidence: the 35-day patch evaluations, the 15-month reviews, the access revocations, the configuration baselines, and the audit trail that proves all of it happened on time. That work never stops, and audit findings almost always trace back to a lapsed cadence rather than a missing policy.
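The cadences named here (the 35-calendar-day patch evaluation of CIP-007 R2, and the 15-calendar-month reviews under CIP-002, CIP-003, CIP-004 and CIP-013) are what most findings trace back to. As an added example that is not code from the page or from Z Cyber, the following computes the latest acceptable date for each obligation from its last completion date, with calendar-month arithmetic clamped to month end; the evidence register entries and the "as of" date are constructed sample data.

```python
import calendar
from datetime import date, timedelta


def add_calendar_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping to the target month's last day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def due_date(last_done: date, interval: str) -> date:
    """Latest acceptable date for the next occurrence.

    interval is '35d' (calendar days) or '15m' (calendar months), matching
    the 'at least once every N' wording of the standards.
    """
    n, unit = int(interval[:-1]), interval[-1]
    if unit == "d":
        return last_done + timedelta(days=n)
    if unit == "m":
        return add_calendar_months(last_done, n)
    raise ValueError(f"unknown interval unit: {unit!r}")


def cadence_status(obligations: list, today: date, warn_days: int = 7) -> dict:
    """Map each obligation name to (due ISO date, 'overdue' | 'due_soon' | 'ok')."""
    result = {}
    for name, last_done, interval in obligations:
        due = due_date(last_done, interval)
        days_left = (due - today).days
        status = "overdue" if days_left < 0 else "due_soon" if days_left <= warn_days else "ok"
        result[name] = (due.isoformat(), status)
    return result


# Constructed sample evidence register: (obligation, last completed, interval).
OBLIGATIONS = [
    ("CIP-007 R2 patch evaluation, vendor A", date(2026, 1, 10), "35d"),
    ("CIP-007 R2 patch evaluation, vendor B", date(2026, 2, 1), "35d"),
    ("CIP-002 categorization review", date(2024, 11, 25), "15m"),
    ("CIP-004 access privilege review", date(2025, 1, 31), "15m"),
]
TODAY = date(2026, 2, 20)   # constructed "as of" date


def report(today: date = TODAY) -> dict:
    return cadence_status(OBLIGATIONS, today)


if __name__ == "__main__":
    for name, (due, status) in report().items():
        print(f"{status:8} due {due}  {name}")
```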
This is where Z Cyber's utilities practice operates differently from a consultant who hands you a binder and leaves. Z Cyber is a cybersecurity operating partner. We embed a dedicated, forward-deployed security team that implements and runs your CIP program on the Glance platform, our AI-native GRC system, so categorization, control evidence, patch cycles, and audit readiness are maintained continuously on your behalf.
Sources: NERC Critical Infrastructure Protection (CIP) Reliability Standards and NERC enforcement materials, nerc.com; penalty authority under the Federal Power Act as administered by FERC and NERC. Specific compliance intervals and obligations are summarized for orientation. Always work from the currently enforceable version of each standard.
Frequently Asked Questions
What standards does NERC CIP include?
NERC CIP is a family of Critical Infrastructure Protection standards covering BES Cyber System categorization (CIP-002), security management controls (CIP-003), personnel and training (CIP-004), electronic security perimeters (CIP-005), physical security (CIP-006), system security management (CIP-007), incident reporting and response (CIP-008), recovery plans (CIP-009), configuration change management and vulnerability assessments (CIP-010), information protection (CIP-011), supply chain risk management (CIP-013), and physical security of critical substations (CIP-014).
Who enforces NERC CIP?
The NERC CIP standards are developed by the North American Electric Reliability Corporation (NERC) and approved and overseen by the Federal Energy Regulatory Commission (FERC). They are audited and enforced in the field by Regional Entities: WECC, ReliabilityFirst, SERC, MRO, NPCC, Texas RE, and SPP RE.
How are BES Cyber Systems categorized under NERC CIP?
Under CIP-002, registered entities identify their BES Cyber Systems and rate each as high, medium, or low impact using the bright-line criteria in Attachment 1. The impact rating drives the scope of obligations under almost every other CIP standard, and the categorization must be reviewed and approved at least once every 15 calendar months.
What is CIP-013?
CIP-013 is the NERC CIP supply chain risk management standard. It requires applicable entities to maintain a documented plan that addresses vendor cybersecurity controls in procurement, including incident notification, coordination of vendor remote access, and disclosure of known vulnerabilities. The plan must be reviewed and approved at least once every 15 calendar months.
What are the penalties for NERC CIP violations?
Under the Federal Power Act, civil penalties for reliability standard violations can reach up to $1 million per violation per day as a statutory maximum. Actual penalties are determined through NERC's enforcement process based on the violation risk factor, severity, duration, and the entity's compliance history, so most settlements are well below that ceiling.