CIP Compliance Spotlight: NERC CIP-003-9 standard, enforceable April 1st, 2026 

By Vinny McKendree, Director NERC CIP Compliance 

Back in 2023, the U.S. Federal Energy Regulatory Commission (“FERC”) published an order approving the proposed Reliability Standard CIP-003-9 put forth by the North American Electrica Reliability Corporation (“NERC”). The agency also approved the associated implementation plan, associated violation risk factors and the retirement of the currently effective standard, CIP-003-8.  

The new standard seeks to improve on CIP-003-8 by adding new requirements that focus on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems. Specifically, the CIP-003-9 standard requires that responsible entities have additional visibility into threats presented by their vendor(s) electronic remote access connections to their systems. This additional visibility is achieved by requiring responsible entities to include the topic of ‘vendor electronic remote access security controls’ in their cyber security policies and requires responsible entities with assets containing low impact BES Cyber Systems to have methods for determining and disabling vendor electronic remote access.  

NERC states that assets with low impact BES Cyber Systems pose a lower risk to the bulk electric system than assets with medium or high impact BES Cyber Systems. However, NERC observed that there is increased potential for a greater impact if multiple low impact assets are simultaneously compromised through remote access or if a medium or high impact asset is accessed through a low impact asset.  

In the standard itself, only one line of text was added between the CIP-003-8 and CIP-003-9 standards.  That line is found in Requirement 1, part 1.2, subpart 1.2.6 ‘vendor electronic remote access security controls.’   The limited change of wording between standard versions makes it easy to dismiss the update as insignificant.  However, the challenging part is in requirement 2 of both CIP-003-8 and CIP-003-9, which did not change. Requirement 2 requires assets containing low impact BES Cyber Systems to implement a cyber security plan that includes the sections outlined in Attachment 1.  This attachment is where the bulk of the regulatory changes can be found, specifically Section 6 which reads as follows: 

Attachment 1 Section 6. Vendor Electronic Remote Access Security Controls: for assets containing low impact BES Cyber System(s), that allow vendor electronic remote access to implement a process to mitigate risks associated with vendor remote access. These process(s) shall include: 

6.1 One or more method(s) for determining vendor electronic remote access; 

6.2 One or more methods(s) for disabling vendor electronic remote access; and 

6.3 one or more methods(s) for detecting known or suspected inbound and outbound malicious communications for vendor remote electronic remote access.  

One challenge is that NERC never defined ‘Vendor’ in the NERC Glossery of Terms. To be safe all electronic remote access connections into and out of the asset shall be considered for compliance with this requirement.  

Another challenge is this; the requirement is not limited to interactive remote access. For clarification, an example of interactive remote access would be when a vendor remotes into a BES Cyber System and performs maintenance. Data connections and performance tuning data, even cybersecurity monitoring services that are remote, with the language as it is, would be in the scope of this standard’s requirement(s). 

In January of 2026, the CAMS NERC CIP team will be releasing the draft of the CIP-003-9 policy and procedure(s) for CIP Senior manager review. All assets must be compliant by April 1st of 2026 as per the new NERC Standard. We will be providing training and conference calls to assist assets in deciding how each asset can meet the requirements of the standard.  

Please feel free to reach out to your CAMS NERC CIP contact or to me for questions.  

Vinny McKendree 

vmckendree@camstex.com 

Director, NERC CIP Compliance