FERC Approves NERC Reliability Standard CIP-002-8

Content

North American Electric Reliability Corporation, 1401 H Street NW, Suite 410, Washington, DC 20005. Attention: Lauren A. Perotti,
Sarah P. Crawford, Amy E. Engstrom.

Dear Ms. Perotti, Ms. Crawford, and Ms. Engstrom:

1. On December 20, 2024, the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability
   Organization, submitted a petition seeking approval of proposed Critical Infrastructure Protection (CIP) Reliability Standard
   CIP-002-8 (Cyber Security—BES Cyber System Categorization) and the modification of the term control center in the Glossary
   of Terms Used in NERC Reliability Standards (NERC Glossary). (1) NERC also requested approval of the associated implementation plans, violation risk factors, and violation severity levels,
   as well as the retirement of Reliability Standard CIP-002-7. (2) For the reasons discussed below, pursuant to section 215(d)(2) of the Federal Power Act (FPA), (3) we approve proposed Reliability Standard CIP-002-8 and the related definition.

2. NERC explains that the purpose of proposed Reliability Standard CIP-002-8 is to identify and categorize bulk electric system
   (BES) cyber systems and their associated BES cyber assets for the application of cyber security requirements commensurate
   with the adverse impact that loss, compromise, or misuse of those BES cyber systems could have on the reliable operation of
   the BES. (4) Further, NERC notes that responsible entities are required to categorize BES cyber systems as low, medium, or high impact
   based on the characteristics of their BES facilities, which determines the applicability of the suite of CIP Reliability Standards. (5) NERC also states that Attachment 1 of proposed Reliability Standard CIP-002-8 includes the impact rating criteria used to
   determine the impact level for BES cyber systems.

3. NERC proposes to revise the definition of the term control center in the NERC Glossary to alleviate confusion from a lack
   of common understanding of the term “control” as opposed to “authority.” (6) NERC explains that the revision to the definition expands the reach of the term to incorporate transmission owners “so that
   a Transmission Owner is considered to have a Control Center if it has the capability to control transmission Facilities at
   two or more locations using SCADA,” i.e., supervisory control and data acquisition. (7) NERC asserts that the revised definition of control center advances reliability by clarifying the facilities that are subject
   to the CIP requirements.

4. NERC proposes to modify Criterion 2.12 of Attachment 1 of proposed Reliability Standard CIP-002-8. (8) NERC explains that proposed Criterion 2.12 assigns a weighted value to the transmission lines that a control center monitors
   and controls to assess the appropriate impact of BES cyber systems associated with a control center. Pursuant to the results
   of a field test conducted by the NERC Standards Development Team, NERC determined that a threshold of 6,000 for the total

   aggregate weighted value, (9) with appropriate inclusion and exclusion criteria, would sufficiently differentiate medium and low impact BES cyber systems
   associated with control centers that are operated by a transmission operator or owned by a transmission owner. (10) NERC explains that proposed Criterion 2.12 contains an exclusion clause that allows responsible entities to categorize their
   BES cyber systems at control centers at a level commensurate with the risk for local systems that have limited flow-through
   or export generation and are primarily designed to serve load without extending the exclusion to large control areas. (11)

5. NERC's proposed implementation plan states that proposed Reliability Standard CIP-002-8 and the proposed definition for
   control center shall become effective on the later of either the effective date of Reliability Standard CIP-002-7 or the first
   day of the first calendar quarter that is three calendar months after the effective date of the Commission's order approving
   proposed Reliability Standard CIP-002-8. NERC concludes that the implementation plan is designed to “balance the urgency to
   implement the requirements while affording Responsible Entities time to incorporate the updated requirements into their processes.” (12)

6. Notice of NERC's petition was published in the
   Federal Register
   , 90 FR 24606 (June 11, 2025), with interventions and protests due on or before July 7, 2025. Public Citizen, Inc. filed a
   timely motion to intervene. No comments or protests were submitted. Pursuant to Rule 214 of the Commission's Rules of Practice
   and Procedure, 18 CFR 385.214 (2025), the timely, unopposed motion to intervene serves to make Public Citizen, Inc. a party
   to the proceeding.

7. Pursuant to section 215(d)(2) of the FPA, we approve proposed Reliability Standard CIP-002-8 as well as the proposed control
   center definition for inclusion in the NERC Glossary, as just, reasonable, not unduly discriminatory or preferential, and
   in the public interest. We also approve the proposed Reliability Standard's associated violation risk factors and violation
   severity levels, as well as the proposed implementation plans. Finally, we approve the retirement of Reliability Standard
   CIP-002-7 immediately prior to the effective date of proposed Reliability Standard CIP-002-8.

8. We find that proposed Reliability Standard CIP-002-8 would advance the reliable operation of the BES by better aligning
   the level of impact BES cyber systems could have on the reliable operation of the Bulk-Power System as a result of loss, compromise,
   or misuse of those systems. Further, we determine that the proposed definition of control center would strengthen reliability
   by improving risk identification, allowing responsible entities to focus on protecting assets that pose a higher reliability
   risk if unavailable, degraded, or compromised. Lastly, the revised definition would also help responsible entities in interpreting
   the control center definition by making clear that a transmission owner may have a control center through its capability to
   control transmission facilities.

Information Collection Statement

1. The FERC-725B information collection requirements are subject to review by the Office of Management and Budget (OMB) under
   section 3507(d) of the Paperwork Reduction Act of 1995. OMB's regulations require approval of certain information collection
   requirements imposed by agency rules. Upon approval of a collection of information, OMB will assign an OMB control number
   and expiration date. Respondents subject to the filing requirements will not be penalized for failing to respond to these
   collections of information unless the collections of information display a valid OMB control number. The Commission solicits
   comments on the need for this information, whether the information will have practical utility, the accuracy of the burden
   estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested
   methods for minimizing respondents' burden, including the use of automated information techniques.

2. The Commission bases its paperwork burden estimates on the additional paperwork burden presented by the proposed revisions
   to Reliability Standard CIP-002-8. Reliability Standards are objective-based and allow entities to choose compliance approaches
   best tailored to their systems. The NERC Compliance Registry, as of June 2025, identifies approximately 1,673 (13) U.S. entities that are subject to mandatory compliance with Reliability Standards.

3. Of this total, we estimate that 1,573 entities will face a minor increase in paperwork burden of two hours each for a
   total burden hours increase of 3,146 at $97 (14) per hour for $194 per entity and a total $305,162 burden for the first year and no ongoing burdens in addition to the burden
   already accounted for in the OMB control number for CIP Reliability Standards.

4. Additionally, we estimate that another 100 entities will have a burden of four hours each for a total burden hours increase
   of 400 at $85 per hour for a total burden of $38,000 for the first year and no ongoing burdens in addition to the burden already
   accounted for in the OMB control number for CIP Reliability Standards.

5. The responses and burden hours for Years 1-3 will total respectively as follows:

• Year 1-3 each: for proposed Reliability Standard CIP-002-8 will be 557.67 responses; 1,182 hours;
• The annual cost burden for each Year 1-3 is $101,803 for proposed Reliability Standard CIP-002-8. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Standards.

Action: Revision 8 of CIP-002 under FERC-725B Mandatory Reliability Standards—CIP Reliability Standards.

OMB Control No.: 1902-0248.

Respondents: Businesses or other for-profit institutions; not-for-profit institutions.

Frequency of Responses: On Occasion.

Necessity of the Information: This order approves proposed Reliability Standard CIP-002-8 related to the

  identification and categorization of BES cyber systems and their associated BES cyber assets. As discussed above, the Commission
  approves the proposed Reliability Standard CIP-002-8 pursuant to section 215(d)(2) of the FPA because the Standard would advance
  reliability by revising the threshold for applicable transmission owners and transmission operators to categorize their BES
  cyber systems based on the impact to their associated facilities, systems, and equipment, which, if destroyed, degraded, misused,
  or otherwise rendered unavailable would affect the reliability of the BES.

Internal Review: The Commission has reviewed the proposed Reliability Standard and made a determination that its action is necessary to implement
section 215 of the FPA.

1. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory
   Commission, 888 First Street NE, Washington, DC 20426 [Attention: Kayla Williams, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502-6468].

2. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send
   your comments to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs,
   Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395-4638, fax: (202)
   395-7285]. For security reasons, comments to OMB should be submitted by email to: oira_submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RD25-8-000 and OMB Control Number 1902-0248.

3. In addition to publishing the full text of this document in the
   Federal Register
   , the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the
   internet through the Commission's Home Page (http://www.ferc.gov).

4. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document
   is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document
   in eLibrary, type the docket number excluding the last three digits of this document in the docket number field.

5. User assistance is available for eLibrary and the Commission's website during normal business hours from the Commission's
   Online Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-8371, or (202) 502-8659 for TTY. Email the Public Reference Room at public.referenceroom@ferc.gov.

6. All submissions must be formatted and filed in accordance with submission guidelines at: http://www.ferc.gov/help/submission-guide.asp. For user assistance, contact FERC Online Support by email at ferconlinesupport@ferc.gov, or by phone at: (866) 208-3676 (toll-free), or (202) 502-8659 for TTY.

By direction of the Commission.

Issued: March 19, 2026. Carlos D. Clay, Deputy Secretary. [FR Doc. 2026-05715 Filed 3-23-26; 8:45 am] BILLING CODE 6717-01-P

Footnotes

(1) NERC Petition at 1.

(2) The revisions to proposed Reliability Standard CIP-002 are layered on top of the current NERC Board of Trustees approved
draft, proposed Reliability Standard CIP-002-7, which we are approving in a concurrent order. Id. at 11; Virtualization Reliability Standards, 194 FERC ¶ 61,209 (2026).

(3) 16 U.S.C. 824o(d)(2).

(4) NERC Petition, Ex. A-1 (CIP-002-8 Clean) at 3.

(5) NERC Petition at 3.

(6) Id. at 12.

(7) Id.

(8) Id. at 15-17.

(9) Aggregated weighted value is a point system based on voltage values (in kilovolts (kV)) for BES transmission lines that are
monitored and controlled by a control center through inclusion of each BES transmission line that is connected between two
or more transmission stations or substations. Id. at 16. The higher the kV for a BES transmission line, the higher assigned points for that line, indicating a larger potential
adverse impact on the BES if the control center was lost, compromised, or misused; thus, meriting classifying the control
center as a medium impact BES cyber system. See id.

(10) Id. at 15 (citing NERC, NERC Project 2021-03 CIP-002 Transmission Owner Control Center Field Test Final Report 6 (Jan. 2023), https://www.nerc.com/globalassets/standards/projects/2021-03/2021-03_cip-002_tocc_field_test_final_report_01262023.pdf (concluding that under a range of power flow scenarios, 22 entities, which are both below and above the 6,000 aggregated weighted
value bright line and are likely to be impacted by a modification to Criterion 2.12, did not experience an adverse impact
to the BES that would merit classifying the control centers that are operated by a transmission operator or owned by a transmission
owner as medium impact BES cyber systems)).

(11) Id. at 17-21.

(12) Id. at 22.

(13) The “Number of Entity” data is compiled from the June 2025 edition of the NERC Compliance Registry.

(14) The hourly cost for wages is based in part on the average of the occupational categories from the Bureau of Labor Statistics
website (http://www.bls.gov/oes/current/naics2_22.htm) plus benefits: Legal (Occupation Code: 23-0000): $162.66; Electrical Engineer (Occupation Code: 17-2071): $79.31; Office
and Administrative Support (Occupation Code: 43-0000): $48.59 ($162.66 + $79.31 + $48.59) ÷ 3 = $96.85. The figure is rounded
to $97.00 for use in calculating wage figures in this Order.

Download File

Download