The U.S. FERC (Federal Energy Regulatory Commission) unanimously approved on Thursday a sweeping set of actions aimed at strengthening and safeguarding the reliability of the nation’s bulk power system, reinforcing Americans’ access to a dependable electricity supply.
The agency approved two final rules, including the Final Rule on Virtualization Reliability Standards in Docket No. RM24-8-000 and the Final Rule on CIP Reliability Standard CIP-003-11 in Docket No. RM25-8-000. It also approved Reliability Standard CIP-002-8 in Docket No. RD25-8-000, which incorporates an updated definition of ‘control center’ into the NERC (North American Electric Reliability Corporation) Glossary. The revised definition is designed to improve reliability by enabling entities to identify risks and strengthen protections for high-risk assets.
“Our electric grid faces persistent reliability challenges from cybersecurity threats, extreme weather and rising demand,” Laura V. Swett, FERC chairperson, said in a media statement. “The actions we approved today are centered on modernizing and securing grid reliability, with a special emphasis on cybersecurity, so every American can count on the grid and get power when they need it.”
The Final Rule on Virtualization Reliability Standards approves 11 updated Critical Infrastructure Protection Reliability Standards that support the secure use of virtualization technologies across the bulk power system. These updates give entities greater flexibility to deploy modern, software-based tools that reduce reliance on physical hardware while strengthening cyber defenses. The rule also eases administrative burden for entities that rely on alternative mitigation measures, provided they continue to meet defined security objectives. At the same time, the NERC is directed to ensure consistent oversight and accountability in implementing those alternative measures.
The FERC raised concerns that replacing the phrase ‘where technically feasible’ with ‘per system capability’ across multiple requirements could weaken transparency and reduce meaningful oversight. The Commission warned that the change risks creating a self-implementing exception process with no clear reporting obligations.
To address this, the Commission directed the NERC to establish a defined framework around the use of the ‘per system capability’ exception. This includes developing clear, standardized criteria so that responsible entities understand when the exception applies and what alternative mitigation is required. It also mandates reporting obligations to the Electric Reliability Organization Enterprise, including relevant Regional Entities and NERC, whenever the exception is invoked.
In addition, NERC must submit an annual report to the Commission with anonymized and aggregated data showing how entities are applying the exception. Together, these measures are intended to preserve oversight, ensure consistent application, and confirm that appropriate mitigation is in place whenever the exception is used.
NERC said its revisions are designed to modernize the Critical Infrastructure Protection standards for increasingly virtualized environments. The changes move beyond traditional perimeter-based security to support multiple security models, formally recognize virtualization infrastructure and virtual machines in the NERC Glossary, and update change management practices to reflect dynamic, software-defined systems that are no longer tied to specific hardware. The revisions also aim to manage access points better and reduce the attack surface in virtualized configurations.
Alongside these updates, NERC proposed replacing “technical feasibility” with “per system capability” across several requirements and introducing the term in others. Under this approach, if an entity can demonstrate that a system cannot perform a required function, it may adopt an alternative mitigation measure of its choosing to meet the same security objective. NERC argues this shift reflects the diversity of technologies now deployed across the bulk power system.
In the Final Rule on CIP Reliability Standard CIP-003-11, FERC said that the final rule approves modifications to a CIP Reliability Standard to improve baseline cybersecurity for low impact bulk electric system (BES) cyber systems, i.e., digital or computer systems that support the electric grid but do not meet the criteria for medium or high impact under the tiered approach of the CIP Standards.
The modified CIP Standard requires new password protocols for remote users, including safeguards for passwords, and the detection of intrusions to low impact BES cyber systems. The final rule represents significant progress in grid security as NERC continues to strengthen its overall security strategy, helping keep the grid resilient to both existing and new threats. By introducing new baseline security controls alongside current protections for grid operators, the final rule improves reliability by reducing the risk of potential system disruptions stemming from coordinated cyberattacks on low impact BES cyber systems.
As part of its determination, the FERC adopted the NOPR proposal and approved Reliability Standard CIP-003-11 as submitted by the NERC. Based on the record, the Commission found the standard to be just, reasonable, not unduly discriminatory or preferential, and in the public interest. The FERC also approved the associated violation risk factors, severity levels, implementation plan, and effective date. It confirmed that the currently effective version of the standard will be retired once CIP-003-11 takes effect.
“We agree with NERC that Reliability Standard CIP-003-11 strengthens baseline cybersecurity protections for low impact BES cyber systems by addressing the risk of coordinated cyberattacks that exploit distributed, externally routable assets,” according to the Final Rule. “We find that the new requirements to authenticate remote users, protect authentication information in transit, and detect malicious communications directly target the threat vectors identified in the Low Impact Criteria Review Report and represent a measured, risk-based enhancement to existing controls applicable to low impact BES cyber systems.”
Expanding the detection requirement to cover all traffic into or out of a low impact BES Cyber System, rather than only malicious traffic in vendor-based electronic access, should reduce the risk that malicious communications to or from a low impact BES Cyber System go undetected.
“Similarly, we agree with NERC that the new requirements to authenticate users and protect their authentication information should mitigate the risk of unauthorized users gaining access to low impact BES Cyber Systems or compromising legitimate credentials to gain access,” FERC noted. “Together, these controls should improve the cybersecurity posture of the BES by protecting against potential coordinated attacks on multiple low impact BES Cyber Systems or using a compromised low impact BES Cyber System to move laterally and pivot to a medium or high impact BES Cyber System.”
On Reliability Standard CIP-002-8, FERC identified that the NERC proposed revising the definition of ‘control center’ in its Glossary to resolve confusion between ‘control’ and ‘authority.’ NERC said the updated definition expands the scope to include transmission owners, clarifying that an entity is considered to have a control center if it can manage transmission facilities across multiple locations using supervisory control and data acquisition systems. NERC maintains that the revised definition strengthens reliability by clearly identifying which facilities fall under Critical Infrastructure Protection requirements.
“We find that proposed Reliability Standard CIP-002-8 would advance the reliable operation of the BES by better aligning the level of impact BES cyber systems could have on the reliable operation of the Bulk-Power System as a result of loss, compromise, or misuse of those systems,” the FERC detailed. “Further, we determine that the proposed definition of control center would strengthen reliability by improving risk identification, allowing responsible entities to focus on protecting assets that pose a higher reliability risk if unavailable, degraded, or compromised. Lastly, the revised definition would also help responsible entities in interpreting the control center definition by making clear that a transmission owner may have a control center through its capability to control transmission facilities.”
Furthermore, NERC’s proposed implementation plan states that the proposed Reliability Standard CIP-002-8 and the proposed definition for control center shall become effective on the later of either the effective date of Reliability Standard CIP-002-7 or the first day of the first calendar quarter that is three calendar months after the effective date of the Commission’s order approving proposed Reliability Standard CIP-002-8. NERC concludes that the implementation plan is designed to “balance the urgency to implement the requirements while affording Responsible Entities time to incorporate the updated requirements into their processes.”
Last October, FERC staff reported that, during Fiscal Year 2025, while most U.S.-based entities registered with the North American Electric Reliability Corporation (NERC) met mandatory cybersecurity requirements, certain gaps and potential security risks persisted. The report highlighted several lessons to enhance compliance, including accounting for Distributed Energy Resources (DERs) when categorizing control center impacts, exercising due diligence with third-party vendors, and assessing compliance risks associated with cloud services.
