🇺🇸 Live Nuclear

NERC CIP — Critical Infrastructure Protection Standards

Mandates cybersecurity standards for operators of the North American bulk electric system.

View official source document

Rules extracted

Obligations decomposed

4.2x

Avg obligations per rule

🇺🇸 United States

Jurisdiction

About this regulation

The NERC Critical Infrastructure Protection (CIP) standards are mandatory cybersecurity requirements for the bulk electric system (BES) in North America. They establish requirements for identification and categorization of BES Cyber Systems, security management controls, personnel and training, electronic security perimeters, physical security, system security management, incident reporting and response planning, recovery plans, configuration change management and vulnerability assessments, information protection, and supply chain risk management. The standards apply to all responsible entities that own, operate, or use the bulk power system.

What AuditDSS covers

Source

Regulation

Extracted

Rules

Decomposed

Obligations

4.2x

Decomposition ratio

Each rule is decomposed into an average of 4.2 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 46 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in NERC CIP is scored across independent risk dimensions:

Obligation Weight

How critical within the regulatory framework

Violation Likelihood

How often breached in practice

Enforcement Evidence

Regulator enforcement history and penalties

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title: NERC CIP — Critical Infrastructure Protection Standards
Regulatory body: North American Electric Reliability Corporation
Jurisdiction: 🇺🇸 United States
Document type: standard
Effective date: July 1, 2016
Issuing authority: North American Electric Reliability Corporation (NERC)
Industry: Nuclear
Official source: View source document ↗

Who this applies to

responsible entitiesreliability coordinatorsbalancing authoritiestransmission operatorsgeneration ownersdistribution providers

Key requirements

BES Cyber System categorization (High/Medium/Low)
security management controls and CIP Senior Manager
personnel risk assessment and training
electronic security perimeters and access controls
physical security of BES Cyber Systems
system security management and patch management
incident reporting and response planning
recovery plans and backup verification
configuration change management and vulnerability assessments
information protection (BCSI)
supply chain risk management

Frequently asked questions about NERC CIP

What is NERC CIP?

Who does NERC CIP apply to?

NERC CIP applies to responsible entities, reliability coordinators, balancing authorities, transmission operators, generation owners, distribution providers.

How many obligations does NERC CIP contain?

AuditDSS has decomposed NERC CIP into 46 atomic obligations from 11 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of NERC CIP?

The key requirements include: BES Cyber System categorization (High/Medium/Low), security management controls and CIP Senior Manager, personnel risk assessment and training, electronic security perimeters and access controls, physical security of BES Cyber Systems, system security management and patch management, incident reporting and response planning, recovery plans and backup verification, configuration change management and vulnerability assessments, information protection (BCSI), supply chain risk management.

How can I assess my NERC CIP compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 46 NERC CIP obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces NERC CIP?

NERC CIP is enforced in United States by North American Electric Reliability Corporation.

When did NERC CIP come into effect?

NERC CIP became effective on July 1, 2016.

What industry does NERC CIP apply to?

NERC CIP is primarily relevant to the Nuclear industry. AuditDSS covers 83 regulations in this industry sector.

Build a NERC CIP compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for NERC CIP — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering NERC CIP requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine NERC CIP with other regulations into a single unified compliance pack for your business.

Build NERC CIP compliance pack

Already have a policy? Assess it against NERC CIP

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

AI maps against 46 obligations

Your document is scored against every obligation in NERC CIP. Each claim is mapped to the obligation tree and evaluated for coverage.

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.