by GDS Associates, Inc | October 9, 2025 | Energy, Reliability, and Security
FERC issued two separate NOPRs regarding CIP on September 18, 2025: one pertaining to the CIP-003 Low Impact requirements (CIP-003-11) and one pertaining to CIP Virtualization. FERC issues a NOPR when it proposes new or revised rules and seeks comment on them. The comment period for both NOPRs is 60 days. FERC is proposing to approve the new standards as mandatory and enforceable after the proposed implementation period: around 36 calendar months after FERC issues a final order for CIP-003-11, and around 24 calendar months after the final order for CIP Virtualization. Final orders approving the standards could be issued as early as the first quarter of 2026.
The CIP Virtualization Project adds and modifies several definitions in the NERC glossary of terms. The key definition modifications are to BES Cyber Asset, Cyber Asset, Electronic Access Control and Monitoring System (EACMS), and Protected Cyber Asset (PCA), among other changes. New definitions include those for Cyber System, Management Interface, Shared Cyber Infrastructure (SCI), and Virtual Cyber Asset (VCA).
Starting with the new definitions first, a Virtual Cyber Asset (VCA) is:
A logical instance of an operating system or firmware, currently executing on a virtual machine hosted on a BES Cyber Asset; Electronic Access Control or Monitoring System; Physical Access Control System; Protected Cyber Asset; or Shared Cyber Infrastructure (SCI). Virtual Cyber Assets (VCAs) do not include:
Application containers are considered software of VCAs or Cyber Assets.
BES Cyber Assets and Protected Cyber Assets (PCA) can now consist of either Cyber Assets or the new Virtual Cyber Assets. Also mentioned in the above definition is Shared Cyber Infrastructure (SCI), which is defined as:
One or more programmable electronic devices, including the software that shares the devices’ resources, that:
SCI does not include the supported VCAs or Cyber Assets with which it shares its resources.
The revised Cyber Asset definition notably excludes the new Shared Cyber Infrastructure (SCI), while the new term Cyber System is defined as:
One or more Cyber Assets, Virtual Cyber Assets, or Shared Cyber Infrastructure.
Both Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) can be a Cyber System. Electronic Security Perimeters (ESP) are still needed to protect BES Cyber Systems and their associated Protected Cyber Assets (PCA), so nothing has changed on that front. However, Physical Security Perimeters (PSP) must now include Shared Cyber Infrastructure in addition to the previously required BES Cyber Systems and EACMS.
The last new definition is for a Management Interface, which is defined as:
An administrative interface that:
This is utilized in the reworked Interactive Remote Access (IRA) definition: user-initiated electronic access by a person using a bi-directional routable protocol to a Management Interface is considered IRA. To see the full list of changes, visit the NERC website to view the redline changes from the current definitions to the new definitions.
Along with the definition changes, FERC proposes to approve updated versions of CIP-002 through CIP-013 (not including CIP-012, as it deals only with communication paths between Control Centers) to account for the new definitions. This mostly manifests in changing the applicability to account for things like Shared Cyber Infrastructure (SCI) and updating the standard language with the new terms. CIP-005 Electronic Security Perimeter(s), CIP-007 Systems Security Management, and CIP-010 Configuration Change Management and Vulnerability Assessments will all see modified or added requirements.
CIP-005 Electronic Security Perimeter(s) in particular has been almost completely reworked. In Requirement 1 – Electronic Security Perimeter, entities must:
1.1 Applicable Systems connected to a network via a routable protocol must be protected by an ESP. Excluding:
This largely functions similarly to the previous iteration of CIP-005; however, Requirement 1.3 is completely new, and Requirement 1.6 was pulled over from CIP-006 Physical Security of BES Cyber Systems (formerly Requirement 1.10). Requirement 2 – Remote Access Management has also significantly changed. Instead of prescribing encryption, the standard now requires entities to protect the confidentiality and integrity of IRA communications; encryption remains one way to meet this, but the entity may use other methods. Remote Access Management also adds two additional requirements:
2.6 Prevent Intermediate System(s) from sharing CPU resources and memory resources with any part of a high or medium impact BCS or associated PCAs.
2.7 Routable protocol communications from an Intermediate System to a high or medium impact BCS or associated PCAs must be through an ESP.
CIP-007 Systems Security Management has changes in Requirement 1 – System Hardening, which has been retitled from Ports and Services. The major changes include:
1.1 Disable or prevent unneeded routable protocol network accessibility on each Applicable System, per system capability.
1.3 Mitigate the risk of CPU or memory vulnerabilities by preventing the sharing of CPU resources and memory resources, excluding storage resources, between VCAs that are, or are associated with, a medium or high impact BCS, and VCAs that are not, or are not associated with, a medium or high impact BCS.
Requirement 1.1 is still functionally the same; NERC has only updated the language. Requirement 1.3, however, is a new requirement that addresses the resource-sharing risk introduced by SCI.
The last standard that received significant changes is CIP-010 Configuration Change Management and Vulnerability Assessments. The major changes can be found in Requirement 1 – Configuration Change Management and Requirement 2 – Configuration Monitoring. Requirement 1 – Configuration Change Management has seen the removal of 1.1, 1.2, and 1.3 which all dealt with the development of the baseline configuration, authorizing changes to the baseline configuration, and updating the baseline configuration. Now entities are required to:
1.1 Authorize changes that affect Applicable Systems where those changes alter the behavior of one or more cyber security controls, excluding procedural and physical controls, serving one or more requirement parts in CIP-005 or CIP-007, as defined by the Responsible Entity.
1.2.2 Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.
1.3 Prior to the installation of operating systems, firmware, software, or software patches and when the method to do so is available to the Responsible Entity from the software source:
1.3.1 Verify the identity of the software source; and
1.3.2 Verify the integrity of the software obtained from the software source.
1.4 As a part of the changes authorized per Part 1.1, verify that the behavior(s) of the altered cyber security controls were not adversely affected.
Entities must still authorize changes, verify software source identity and integrity, and verify that cyber security controls were not adversely affected; however, they no longer need to maintain baseline configurations. Note that Part 1.1 now keys on whether a change alters the behavior of a CIP-005 or CIP-007 control, so entities need a documented way to identify which changes meet that threshold. Requirement 1.2, testing the changes, also remains applicable only to entities with High Impact BES Cyber Systems.
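Parts 1.3.1 and 1.3.2 are the two checks a practitioner actually has to implement: authenticate the source first, then check the artifact against what that source published. The following is an added example, not code from the NOPR, NERC, or GDS, showing the order of those checks in Python. Because the standard library has no public-key signature support, the vendor's signature over its checksum manifest is stood in for by an HMAC under a key assumed to have been exchanged out of band; in practice this would be a GPG, Sigstore, or code-signing certificate verification. The firmware bytes, file names, and key are constructed samples.

```python
import hashlib
import hmac
from dataclasses import dataclass

# --- Vendor side (simulated so the example runs offline) -------------------
# Assumption: the vendor publishes a sha256sum-style manifest and a detached
# signature over it. The HMAC below is a stand-in for that signature, and the
# key is assumed to have been obtained from the vendor out of band.
VENDOR_MANIFEST_KEY = b"constructed-out-of-band-vendor-key"
GENUINE_FIRMWARE = b"RTU firmware 4.2.1 image (constructed sample bytes)\n"


def build_manifest(files: dict[str, bytes]) -> str:
    """Return a manifest in the common '<sha256 hex>  <filename>' format."""
    return "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in files.items()
    )


def sign_manifest(manifest: str, key: bytes) -> str:
    """Stand-in for the vendor's detached signature over the manifest."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


# --- Responsible Entity side --------------------------------------------------
@dataclass(frozen=True)
class VerificationResult:
    ok: bool
    reason: str


def parse_manifest(manifest: str) -> dict[str, str]:
    """Parse '<digest>  <name>' or '<digest> *<name>' lines into {name: digest}."""
    entries: dict[str, str] = {}
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        entries[name] = digest
    return entries


def verify_download(name: str, data: bytes, manifest: str,
                    manifest_sig: str, vendor_key: bytes) -> VerificationResult:
    """CIP-010 Part 1.3 style check: authenticate the source, then the artifact."""
    # 1.3.1 Source identity: the manifest must verify before anything in it is
    # trusted, otherwise an attacker who swaps the artifact can swap the hash too.
    expected_sig = sign_manifest(manifest, vendor_key)
    if not hmac.compare_digest(expected_sig, manifest_sig):
        return VerificationResult(False, "manifest authentication failed; do not install")

    # 1.3.2 Integrity: fail closed if the artifact is not listed, and compare
    # digests in constant time.
    entries = parse_manifest(manifest)
    if name not in entries:
        return VerificationResult(False, f"{name} is not listed in the authenticated manifest")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, entries[name]):
        return VerificationResult(False, f"SHA-256 mismatch for {name}; do not install")
    return VerificationResult(True, f"{name} verified against the authenticated manifest")


if __name__ == "__main__":
    manifest = build_manifest({"rtu-firmware-4.2.1.bin": GENUINE_FIRMWARE})
    sig = sign_manifest(manifest, VENDOR_MANIFEST_KEY)
    print(verify_download("rtu-firmware-4.2.1.bin", GENUINE_FIRMWARE, manifest, sig, VENDOR_MANIFEST_KEY))
    tampered = GENUINE_FIRMWARE + b"appended payload"
    print(verify_download("rtu-firmware-4.2.1.bin", tampered, manifest, sig, VENDOR_MANIFEST_KEY))
```

The ordering matters for evidence as well as security: a mismatch reported after manifest authentication succeeded points at a corrupted or substituted download, whereas a manifest that fails authentication means the download channel itself cannot be trusted, and the result string is what would be retained as the record for Part 1.3.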
The other standards will mostly see wording changes based on the newly added definitions. FERC goes on to state:
These proposed updates will allow responsible entities to enhance their reliability and security posture by adapting to emerging risks with forward-looking security models. As NERC explains, the current framework for CIP Reliability Standards “was designed around the concept that devices have a one-to-one relationship between software and hardware,” and CIP-mandated controls such as perimeter-based security were designed to fit this concept. However, “technology supporting and enabling the industrial control systems that operate the Bulk-Power System has evolved rapidly.” To accommodate this evolution, NERC has updated the CIP Reliability Standards to provide responsible entities the flexibility to adopt virtualization and other new technologies “to operate their systems effectively and efficiently while maintaining a robust security posture.” The proposed modifications do not obligate entities to adopt virtualization, rather, if approved, the proposed CIP Reliability Standards would accommodate responsible entities that choose to do so.
Since the implementation period for CIP-003-11 (36 months) is longer than that of the CIP Virtualization Project (24 months), and assuming FERC issues orders approving both sets of standards at or near the same time, CIP-003-11 can be expected to go into effect after the CIP Virtualization standards. The key changes in the new version of CIP-003 build on the remote access requirements that were expanded in CIP-003-9 (enforceable on April 1, 2026). This includes adding requirements around protecting communication across the network, authenticating remote user access, and protecting remote user authentication information. Attachment 1 Section 3 Electronic Access Controls now reads:
3.1 For each asset containing low impact BCS identified pursuant to CIP-002, and for SCI that supports a low impact BCS, if any, where electronic access is: the Responsible Entity shall implement one or more controls, where Section 3.1 Parts (a), (b), and (c) are met, that:
3.1.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity;
3.1.5 Include one or more method(s) for determining vendor electronic access, where vendor electronic access is permitted; and
3.1.6 Include one or more method(s) for disabling vendor electronic access, where vendor electronic access is permitted.
3.2 For each asset containing low impact BCS identified pursuant to CIP-002 and for SCI that supports a low impact BCS, if any, the Responsible Entity shall implement one or more control(s) that authenticate all Dial-up Connectivity, if any, that provides access to low impact BCS or SCI that supports a low impact BCS, per system capability.
The first part of 3.1 spells out the requirements for the Electronic Access Controls section, which now incorporates the new SCI definition. 3.1.1 exists in the current version and is unchanged. Requirements 3.1.2 through 3.1.4 are new requirements for entities with Low Impact BES Cyber Systems: entities must now be able to detect potentially malicious communications across the network, authenticate users being granted access into the network, and protect the user authentication information. Requirements 3.1.5 and 3.1.6 were moved here from the previous Section 6 – Vendor Electronic Remote Access Security Controls.
These additions, along with the previous additions for vendor remote access, will also be moved into Section 3: Electronic Access Controls. NERC goes on to state:
The modifications in proposed Reliability Standard CIP-003-11 would mitigate the risks posed by a coordinated attack utilizing distributed low impact BES Cyber Systems by adding controls to authenticate remote users, protecting the authentication information in transit, and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity.
To prepare for these upcoming changes, GDS recommends that you take the following actions:
For questions or to discuss further, reach out to the GDS Energy Reliability & Security Team and let us know how we can help.