FERC Order 918 Approves CIP-003-11 Cyber Security Standard
Summary
The Federal Energy Regulatory Commission (FERC) has issued Order No. 918, approving the Critical Infrastructure Protection Reliability Standard CIP-003-11 concerning cyber security management controls. This rule establishes updated security requirements for entities within the energy sector.
What changed
FERC Order No. 918 approves the updated Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-11, focusing on Cyber Security Management Controls. This rule, issued by the Federal Energy Regulatory Commission, amends existing cybersecurity requirements for entities responsible for the reliability of the bulk electric system. The standard aims to enhance the security posture of critical energy infrastructure against cyber threats.
Covered entities must review and implement the updated security management controls outlined in CIP-003-11 by the effective date of May 26, 2026. Compliance with these revised standards is mandatory to ensure the continued reliability and security of the nation's energy grid. Failure to comply may result in penalties as determined by the Commission.
What to do next
- Review and implement CIP-003-11 Cyber Security Management Controls
- Ensure compliance by the effective date of May 26, 2026
Source document (simplified)
Rule
Order No. 918; Critical Infrastructure Protection Reliability Standard CIP-003-11-Cyber Security-Security Management Controls
A Rule by the Federal Energy Regulatory Commission on 03/24/2026
Document Details
- Agencies: Department of Energy; Federal Energy Regulatory Commission
- Agency/Docket Number: Docket No. RM25-8-000
- CFR: 18 CFR 40
- Document Citation: 91 FR 13952
- Document Number: 2026-05711
- Document Type: Rule
- Pages: 13952-13957 (6 pages)
- Publication Date: 03/24/2026
Related Documents (Docket No. RM25-8-000, 2 documents)
| Date | Action | Title |
| --- | --- | --- |
| 2026-03-24 | Final action. | Order No. 918; Critical Infrastructure Protection Reliability Standard CIP-003-11-Cyber Security-Security Management Controls |
| 2025-09-23 | Notice of proposed rulemaking. | Critical Infrastructure Protection Reliability Standard CIP-003-11-Cyber Security-Security Management Controls |
Shorter Document URL: https://www.federalregister.gov/d/2026-05711
Public Inspection: This PDF is FR Doc. 2026-05711 as it appeared on Public Inspection on 03/23/2026 at 8:45 am. It was viewed 24 times while on Public Inspection.
Published Document: 2026-05711 (91 FR 13952). This document has been published in the Federal Register.
Department of Energy
Federal Energy Regulatory Commission
- 18 CFR Part 40
- [Docket No. RM25-8-000]
AGENCY:
Federal Energy Regulatory Commission.
ACTION:
Final action.
SUMMARY:
The Federal Energy Regulatory Commission (Commission) approves the proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-11 (Cyber Security—Security Management Controls). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standard to mitigate risks posed by a coordinated cyberattack on low-impact facilities, the aggregate impact of which could be much greater.
DATES:
This action is effective May 26, 2026.
FOR FURTHER INFORMATION CONTACT:
Jacob Waxman (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6879, Jacob.Waxman@ferc.gov.
Felicia West (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8948, Felicia.West@ferc.gov.
SUPPLEMENTARY INFORMATION:
Pursuant to section 215(d)(2) of the Federal Power Act (FPA), [1] the Federal Energy Regulatory Commission (Commission) approves proposed Reliability Standard CIP-003-11, submitted by the North American Electric Reliability Corporation (NERC). We also approve the associated violation risk factors, violation severity levels, implementation plan, and effective date for the proposed Reliability Standard. In addition, we approve the retirement of the currently effective version of the proposed Reliability Standard upon the effective date of Reliability Standard CIP-003-11. [2] We approve proposed Reliability Standard CIP-003-11 because it improves the reliability of the bulk electric system (BES) by strengthening the cyber security protections for low impact BES Cyber Systems to reduce the risk of compromise.
Proposed CIP Reliability Standard CIP-003-11 specifies security management controls that establish responsibility and accountability to protect low impact BES Cyber Systems against compromise that could lead to misoperation or instability in the bulk electric system. [3] The proposed modifications to the Reliability Standard mitigate the risks posed by a coordinated attack utilizing distributed low impact BES Cyber Systems by adding controls to authenticate remote users, protecting authentication information in transit, and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity.
I. Background
A. Section 215 of the FPA and Mandatory Reliability Standards
Section 215 of the FPA provides that the Commission may certify an Electric Reliability Organization (ERO), the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. [4] Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently. [5] Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO, [6] and subsequently certified NERC. [7]
B. NERC Petition
On December 20, 2024, NERC submitted proposed Reliability Standard CIP-003-11 (Cyber Security—Security Management Controls) for Commission approval. [8] NERC stated that the purpose of proposed CIP Reliability Standard CIP-003-11 is to “specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems (“BCS”) against compromise that could lead to misoperation or instability in the [BES].” [9] NERC explained that proposed CIP-003-11 is intended to “mitigate the risks posed by a coordinated attack utilizing distributed low impact BES Cyber Systems” by adding three specific categories of controls: “controls to authenticate remote users; protecting the authentication information in transit; and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity.” [10] In addition to seeking Commission approval of proposed Reliability Standard CIP-003-11, NERC requested that the Commission approve: (i) the associated implementation plan; (ii) the associated violation risk factors and violation severity levels; and (iii) the retirement of the proposed Reliability Standard CIP-003-10 or the version of Reliability Standard CIP-003 then in effect. [11]
C. Notice of Proposed Rulemaking
On September 18, 2025, the Commission issued a Notice of Proposed Rulemaking (NOPR) proposing to approve Reliability Standard CIP-003-11. [12] The Commission noted that under the tiered structure of the CIP Reliability Standards, most BES Cyber Systems are categorized as low impact and therefore are subject to fewer cybersecurity requirements than medium and high impact systems. [13] However, the Commission emphasized that “low impact BES Cyber Systems may still introduce reliability risks of a higher impact when distributed low impact BES Cyber Systems are subjected to a coordinated cyber-attack.” [14]
In the NOPR, the Commission sought comments on the continuing threats of compromise to low impact BES Cyber Systems and on whether it would be worthwhile to direct NERC to perform a study or develop a whitepaper on evolving threats as they relate to the potential exploitation of low impact BES Cyber Systems. [15] The Commission received comments from the following: NERC, the Trade Associations, Mr. Tammer Haddad, and Mr. Michael Ravnitzky. [16]
II. Discussion
A. Proposed Reliability Standard CIP-003-11
1. Comments
NERC and the Trade Associations support the Commission's proposal to approve Reliability Standard CIP-003-11 without modification. NERC states that proposed Reliability Standard CIP-003-11 “would enhance reliability by mitigating the risk posed by a coordinated attack using distributed low impact BES Cyber Systems.” [17] NERC reiterates that by adding controls to authenticate remote users, protect the authentication information in transit, and detect malicious communications to, from, or between assets containing low impact BES Cyber Systems with external routable connectivity, the BES Cyber Systems are more protected from the threat of a coordinated attack on dispersed low impact systems. NERC “strongly encourages the Commission to move forward . . . expeditiously” so that the reliability benefits of the proposed Standard “may be realized as soon as possible.” [18]
The Trade Associations state that the proposed modifications “appropriately implements” the Low Impact Criteria Review Report's recommendations, including requirements to permit only necessary access, authenticate users, protect credentials in transit, detect malicious communications, and control vendor access. [19] In their view, proposed Reliability Standard CIP-003-11 “will improve the baseline cybersecurity requirements to mitigate against threats of a coordinated attack” for low impact BES Cyber Systems and complements the protections already included in Reliability Standard CIP-005 and related Reliability Standards. [20]
Conversely, Mr. Haddad and Mr. Ravnitzky argue that the proposed Reliability Standard CIP-003-11 is incomplete and should not be approved without modification. [21] Mr. Haddad contends that the proposed Standard adopts a “detection-only approach” for low impact BES Cyber Systems that “creates unacceptable vulnerabilities that sophisticated threat actors are actively exploiting.” [22] Mr. Haddad cites the Volt Typhoon and Colonial Pipeline incidents as evidence that detection without response enables adversaries to persist and pivot. He recommends remanding the proposed Standard to NERC with directions to add response requirements, establish collaborative defense mechanisms such as Regional Security Operations Centers, provide support for small utilities, and accelerate implementation. [23]
Mr. Ravnitzky similarly argues that approving CIP-003-11 without additional requirements “risks leaving exploitable gaps in the Bulk-Power System's defenses,” [24] particularly because “adversaries exploit weak, distributed targets to reach critical systems.” [25] Mr. Ravnitzky further claims that “[t]he NOPR does not contain an explicit requirement addressing lateral-movement risk.” [26] He recommends conditioning approval on adding mandatory response timelines, clarifying definitions, mandating network segmentation or compensating controls, requiring cryptographic baselines, and enhancing vendor access, telemetry, and validation obligations. [27]
2. Commission Determination
We adopt the NOPR proposal and approve Reliability Standard CIP-003-11 as proposed by NERC. Based on the record in this proceeding, we find that Reliability Standard CIP-003-11 is just, reasonable, not unduly discriminatory or preferential, and in the public interest. [28] We also approve the associated violation risk factors, violation severity levels, implementation plan, and effective date for the proposed Reliability Standard. In addition, we approve the retirement of the currently effective version of the proposed Reliability Standard upon the effective date of Reliability Standard CIP-003-11.
We agree with NERC that Reliability Standard CIP-003-11 strengthens baseline cybersecurity protections for low impact BES Cyber Systems by addressing the risk of coordinated cyberattacks that exploit distributed, externally routable assets. We find that the new requirements to authenticate remote users, protect authentication information in transit, and detect malicious communications directly target the threat vectors identified in the Low Impact Criteria Review Report and represent a measured, risk-based enhancement to existing controls applicable to low impact BES Cyber Systems. [29] The expansion of detection requirements to include all traffic into or out of a low impact BES Cyber System, as opposed to just detecting malicious traffic in vendor-based electronic access, should mitigate the risk of malicious communications to or from a low impact BES Cyber System from going undetected. [30] Similarly, we agree with NERC that the new requirements to authenticate users and protect their authentication information should mitigate the risk of unauthorized users gaining access to low impact BES Cyber Systems or compromising legitimate credentials to gain access. [31] Together, these controls should improve the cybersecurity posture of the BES by protecting against potential coordinated attacks on multiple low impact BES Cyber Systems or using a compromised low impact BES Cyber System to move laterally and pivot to a medium or high impact BES Cyber System.
We acknowledge concerns raised by individual commenters that Reliability Standard CIP-003-11 does not impose explicit response or remediation requirements, [32] except in the event of a system disruption. [33] However, we decline to condition the approval of Reliability Standard CIP-003-11 on the addition of response-specific requirements. We find that NERC reasonably determined, through the Reliability Standards development process, that Reliability Standard CIP-003-11 should focus on baseline access controls, and authentication and detection enhancements for low impact BES Cyber Systems, while continuing to evaluate response-related issues through ongoing initiatives. [34] In particular, we note that NERC's CIP Roadmap, discussed further below, recommends developing guidance for improved cybersecurity incident response plans and associated playbooks, [35] and we encourage NERC to address both substantive response efforts and recommended timeline(s) for response as part of that effort. We also note that Reliability Standard CIP-003-11, Requirement R2 and Section 4 of Attachment 1 require entities to have Cyber Security Incident Response plans for low impact BES Cyber Systems, including identification, classification, and response to Cyber Security Incidents. [36]
B. Proposal for NERC Study
1. NOPR Proposal
In the NOPR, the Commission explained that NERC developed the proposed modifications to Reliability Standard CIP-003-11 based on the recommendations of the Low Impact Criteria Review Report. Noting cybersecurity threats that have emerged since the 2022 issuance of the Report, the Commission asked for comment on the merit of directing NERC to perform a study or develop a whitepaper on evolving threats as they relate to the potential exploitation of low impact BES Cyber Systems. [37]
2. Comments on Evolving Threats and an Additional Study
All commenters generally agree that coordinated attacks leveraging remote access to multiple low impact BES Cyber Systems present systemic reliability risks, [38] but differ in opinion as to whether the Commission should direct NERC to perform further study. NERC and the Trade Associations oppose a directive to require NERC to conduct a study—explaining that NERC already has multiple initiatives underway, including the Level 2 Alert on Cross-Border Remote Access and the CIP Roadmap, which is evaluating emerging cybersecurity and physical risk across the industry. [39] NERC asserts that requiring a study would duplicate existing efforts and interfere with NERC's multi-year planning process. [40]
NERC emphasizes that it has already conducted a comprehensive assessment of evolving cyber risks through the issuance of the Level 2 Alert on Cross-Border Remote Access and the development of the CIP Roadmap approved as part of the NERC's 2025 Work Plan Priorities. [41] NERC further states that the CIP Roadmap will “evaluate standards against emerging cybersecurity and physical risks (e.g., network intrusion, new registrants, emerging cyber threats, cloud usage, artificial intelligence, or other new technologies).” [42] NERC explains that the results of the Level 2 Alert and CIP Roadmap will enable NERC and industry to prioritize risks and determine whether additional studies, guidance documents, or standards development projects are warranted. [43]
Similarly, Trade Associations claim that directing NERC to conduct an additional study would be inefficient and counterproductive given the ongoing industry efforts coordinated through NERC and its technical committees. [44] They note that industry participants are already engaged in multiple parallel initiatives addressing emerging cyber risks, including work on cloud security, artificial intelligence, internal network security monitoring, supply chain management and vendor incident response. [45]
However, Mr. Haddad and Mr. Ravnitzky raise issues concerning the adequacy of cybersecurity protections for low impact BES Cyber Systems, including the potential for pivoting from low-impact systems into medium and high impact systems or from non-BES Cyber Assets into low-impact systems. [46] Mr. Ravnitzky recommends that NERC be directed to publish an “adversary-centric whitepaper mapping plausible attack chains from low-impact compromises to system effects.” [47] He recommends that the study include measurable performance indicators for detection and response and be coordinated with federal partners such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE). [48] He contends that anonymized key performance indicator reporting could be used so that industry and regulators can measure systemic programs and provide guidance for future rulemakings. [49]
Mr. Haddad expresses concern that threat assessments can become obsolete due to the rapid evolution of cyber environments and threats. [50] Mr. Haddad argues that “periodic re-evaluation of threat models must become standard practice, especially for sectors like energy where adversaries have demonstrated persistence and patience.” [51] Beyond an additional study, Mr. Haddad recommends the Commission establish a federal task force for “small utility cybersecurity” including the Commission, DOE, CISA, and NERC, to develop and support the implementation of shared security services and capabilities for small utilities. [52]
3. Commission Determination
We decline to direct NERC to conduct an additional standalone study, or whitepaper, on evolving threats related to the potential exploitation of low impact BES Cyber Systems.
We are persuaded by NERC's explanation that it already has substantial and comprehensive efforts underway that are evaluating the risks to low impact BES Cyber Systems. [53] NERC explains that it will consider the “collective findings from the Level 2 Alert and the CIP Roadmap to determine the most serious cyber security and physical risks to the BPS” and that “future actions will likely include studies, if it is determined more information is needed.” [54] NERC explains that the CIP Roadmap will inform NERC's CIP Reliability Standards priorities over the next few years. [55]
In fact, since the issuance of the NOPR and submission of comments, NERC publicly issued its CIP Roadmap. [56] We note that the CIP Roadmap identifies several focus areas that directly affect low impact BES Cyber Systems, including risks associated with remote and third-party access, shared and cloud-managed infrastructure, lateral movement pathways, and the maturity of detection capabilities. [57] The CIP Roadmap emphasizes that low impact BES Cyber Systems may present increased system risk when leveraged as part of coordinated attacks and recommends that these risks be addressed through the prioritized, risk-based evolution of CIP Reliability Standards and supporting guidance, rather than isolated or duplicative studies. [58] While the CIP Roadmap does not establish fixed timelines for each recommendation, NERC asserts that it actively prioritizes these efforts based on risk significance, operational feasibility, and stakeholder input. [59]
Based on these considerations, we conclude that directing NERC to perform an additional study at this time is unnecessary. NERC's ongoing work under the CIP Roadmap, including the recommendations related to Reliability Standards development, provides an appropriate and efficient mechanism to address evolving threats to low impact BES Cyber Systems and related concerns.
We further encourage NERC to look at how it can achieve efficiencies in effort and time in the implementation of the recommendations outlined in the CIP Roadmap report. The recommendations, if implemented in a timely and efficient manner, present the opportunity to significantly advance the security of low impact BES Cyber Systems. We will continue to monitor NERC's progress and expect NERC to keep us informed of material findings from this work that may warrant future consideration.
Finally, we believe that our approval of Reliability Standard CIP-003-11 and NERC's ongoing initiatives will address some of these concerns raised by commenters, such as the risk of lateral movement. [60] In response to Mr. Haddad, we also decline to recommend a federal task force for “small utility cybersecurity,” as it is out of scope for this rulemaking.
III. Information Collection Statement
The Commission bases its paperwork burden estimates on the additional paperwork burden presented by the revisions to the Reliability Standard that the Commission has approved. The approved revisions focus on mitigating risks posed by a coordinated attack on low-impact facilities. The Reliability Standard approved by this final rule is objective-based and provides requirements to address ongoing threats to the low impact BES Cyber Systems.
The Reliability Standard approved by this final rule does not require responsible entities to submit any filings with either the Commission or NERC as the ERO. Responsible entities, however, will be required to maintain documentation adequate to demonstrate compliance with the Reliability Standard approved by this final rule. Commission and NERC staff conduct periodic audits of registered entities, and auditors rely on the entity's documentation in determining compliance with Reliability Standards. While registered entities retain flexibility on how they choose to demonstrate compliance, the Reliability Standard includes compliance measures, which provide examples of the type of documentation an entity may want to develop and maintain to demonstrate compliance. The reporting burden below is based on the compliance measurements provided in the Reliability Standard approved by this final rule. As of June 2025, the NERC Compliance Registry identifies approximately 1,673 unique U.S. entities that are subject to mandatory compliance with CIP Reliability Standards. Entities are allowed to choose their compliance approach to most efficiently meet the requirements of the Reliability Standards. All 1,673 entities would need to conform to modifications in Reliability Standard CIP-003-11. Therefore, these entities will have an increased paperwork burden. Based on these assumptions, the estimated reporting burden is as follows:
| | Number of respondents | Annual number of responses per respondent | Total number of responses | Average burden & cost per response [62] | Total annual burden hours & total annual cost | Cost per respondent ($) |
| --- | --- | --- | --- | --- | --- | --- |
| | (1) | (2) | (1) * (2) = (3) | (4) | (3) * (4) = (5) | (5) ÷ (1) |
| Create one or more documented process(es) (R2) | 1,673 | 1 | 1,673 | 1 hr.; $97 | 1,673 hrs.; $162,281 | 97 |
| R2, Attachment 1, Section 2, Physical Security Controls | 1,673 | 1 | 1,673 | 2 hrs.; $194 | 3,346 hrs.; $324,562 | 194 |
| R2, Attachment 1, Section 3, Electronic Access Controls | 1,673 | 1 | 1,673 | 1 hr.; $97 | 1,673 hrs.; $162,281 | 97 |
| R2, Attachment 1, Section 3.1 | 1,673 | 1 | 1,673 | 5 hrs.; $485 | 8,365 hrs.; $811,405 | 485 |
| R2, Attachment 1, Section 3.1.1 | 1,673 | 1 | 1,673 | 2 hrs.; $194 | 3,346 hrs.; $324,562 | 194 |
| R2, Attachment 1, Section 3.1.2 | 1,673 | 1 | 1,673 | 20 hrs.; $1,940 | 33,460 hrs.; $3,245,620 | 1,940 |
| R2, Attachment 1, Section 3.1.3 | 1,673 | 1 | 1,673 | 60 hrs.; $5,820 | 100,380 hrs.; $9,736,860 | 5,820 |
| R2, Attachment 1, Section 3.1.4 | 1,673 | 1 | 1,673 | 60 hrs.; $5,820 | 100,380 hrs.; $9,736,860 | 5,820 |
| R2, Attachment 1, Section 3.1.5 | 1,673 | 1 | 1,673 | 1 hr.; $97 | 1,673 hrs.; $162,281 | 97 |
| R2, Attachment 1, Section 3.1.6 | 1,673 | 1 | 1,673 | 1 hr.; $97 | 1,673 hrs.; $162,281 | 97 |
| R2, Attachment 1, Section 3.2 | 1,673 | 1 | 1,673 | 1 hr.; $97 | 1,673 hrs.; $162,281 | 97 |
| Total burden for FERC-725B(5) under CIP-003-11 | | | 1,673 | | 257,642 hrs.; $24,991,274 | 14,938 |
The responses and burden hours for Years 1-3 will total respectively as follows:
- Year 1-3 total: 1,673 responses; 257,642 hours.
- The annual cost burden for each year One to Three is $8,330,425.
Title: Mandatory Reliability Standards for Critical Infrastructure Protection (CIP).
Action: Revision to FERC-725B information collection.
OMB Control No.: 1902-0248.
Respondents: Businesses or other for-profit institutions, not-for-profit institutions.
Frequency of Responses: On Occasion.
Necessity of the information: This final rule approves the Reliability Standard CIP-003-11. As discussed above, the Commission approves Reliability Standard CIP-003-11 pursuant to section 215(d)(2) of the Federal Power Act because it mitigates risks posed by a coordinated cyberattack on low-impact facilities, the aggregate impact of which could be much greater.
Internal Review: The Commission has reviewed the proposed Reliability Standard and made a determination that its action is necessary to implement section 215 of the Federal Power Act.
Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Kayla Williams, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502-8663, fax: (202) 273-0873].
For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395-4638; fax: (202) 395-7285]. For security reasons, comments to the Office of Management and Budget should be submitted by email to: oira_submission@omb.eop.gov. Comments submitted to the Office of Management and Budget should include Docket No. RM25-8 and OMB Control Number 1902-0248.
IV. Environmental Analysis
The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment. [63] The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended. [64] The action proposed herein falls within this categorical exclusion in the Commission's regulations.
V. Regulatory Flexibility Act
The Regulatory Flexibility Act of 1980 (RFA) [65] generally requires a description and analysis of final rules that will have significant economic impact on a substantial number of small entities. The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business. [66] The SBA revised its size standard for electric utilities (effective March 17, 2023) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales). [67]
The SBA sets the threshold for what constitutes a small business. Under SBA's size standards, balancing authorities, generator operators, generator owners, reliability coordinators, transmission operators, and transmission owners all fall under the category of Electric Bulk Power Transmission and Control (NAICS code 221121), with a size threshold of 950 employees (including the entity and its associates). According to SBA guidance, the determination of significance of impact “should be seen as relative to the size of the business, the size of the competitor's business, the number of filers received annually, and the impact this regulation has on larger competitors.” [68]
The Reliability Standard CIP-003-11 is expected to impose an additional burden on 1,673 U.S. entities. [69]
Of the 1,673 affected entities discussed above, we estimate that 406 entities are small entities and, therefore, will be affected by the proposed modifications to CIP-003-11. We estimate that each of the 406 small entities to whom the proposed modifications of CIP-003-11 applies will incur one-time costs of approximately $19,000 per entity to implement this Standard, in addition to the ongoing paperwork burden reflected in the Information Collection Statement (a total of $14,938 per entity over Years 1-3), giving a total one-time cost of $33,938 per entity. We do not consider the estimated one-time costs for these 406 small entities to have a significant economic impact.
The Reliability Standard approved in this final rule requires minimal action by registered entities subject to compliance. As a result, we certify that the Reliability Standard approved in this final rule will not have a significant economic impact on small entities.
VI. Document Availability
In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov).
From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field.
User assistance is available for eLibrary and the Commission's website during normal business hours from FERC Online Support at 202-502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov.
VII. Regulatory Planning and Review
Executive Orders 12866 and 13563 direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. The Office of Information and Regulatory Affairs (OIRA) has determined this regulatory action is not a “significant regulatory action,” under section 3(f) of Executive Order 12866, as amended. Accordingly, OIRA has not reviewed this regulatory action for compliance with the analytical requirements of Executive Order 12866.
VIII. Effective Date and Congressional Notification
This final rule is effective May 26, 2026. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget, that this action is not a “major rule” as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996.
By the Commission.
Issued: March 19, 2026.
Carlos D. Clay,
Deputy Secretary.
Footnotes
Concurrently in Docket No. RM24-8-000, we are issuing a final rule, in which we are approving, *inter alia,* the proposed Reliability Standard CIP-003-10. *Virtualization Reliability Standards,* 194 FERC ¶ 61,209 (2026). Here, we are approving the proposed Reliability Standard CIP-003-11, which will supersede Reliability Standard CIP-003-10. NERC explains that the proposed Reliability Standard CIP-003-11 incorporates and builds upon virtualization-related revisions in the proposed Reliability Standard CIP-003-10.
NERC Petition at 1.
4. 16 U.S.C. 824o(c).
5. Id. 824o(e).
6. Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enf't of Elec. Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006); see also 18 CFR 39.4(b).
7. N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh'g & compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
8. The proposed Reliability Standard is not attached to this final rule. The proposed Reliability Standard is available on the Commission's eLibrary document retrieval system in Docket No. RM25-8-000 and on the NERC website, *[www.nerc.com](http://www.nerc.com/).*
9. NERC Petition at 1.
10. Id. at 1-2. See also id. at 8-9 (citing NERC, Low Impact Criteria Review Report, at v and 15 (Oct. 2022) (Low Impact Criteria Review Report), https://www.nerc.com/globalassets/our-work/reports/white-papers/nerclicrtwhitepaperclean.pdf).
11. Id. at 2.
12. Critical Infrastructure Protection Reliability Standard CIP-003-11—Cyber Sec.—Sec. Mgmt. Controls, 192 FERC ¶ 61,227 (2025) (NOPR).
13. Id. PP 5-6.
14. Id. P 6.
15. Id. P 16.
16. The Trade Associations include: American Public Power Association, Edison Electric Institute, Electric Power Supply Association, Large Public Power Council, National Rural Electric Cooperative Association, and Transmission Access Policy Study Group.
17. NERC Comments at 2. *See also* Trade Associations Comments at 1.
18. NERC Comments at 2-3.
19. Trade Associations Comments at 5-6 (citing the Low Impact Criteria Review Report).
20. Id. at 12.
21. Mr. Haddad Comments at 1; Mr. Ravnitzky Comments at 5.
22. Mr. Haddad Comments at 1-2.
23. Id. at 1-2, 4.
24. Mr. Ravnitzky Comments at 5.
25. Id. at 1.
26. Id. at 2. “Lateral movement” is the set of techniques adversaries use after gaining an initial foothold in a network to move from one system, account, or network segment to another, with the goal of expanding access, escalating privileges, discovering critical assets, and positioning themselves for further actions (such as data theft, disruption, or impact). See MITRE ATT&CK, Lateral Movement (last updated Aug. 11, 2025), https://attack.mitre.org/tactics/TA0008/.
27. Mr. Ravnitzky Comments at 1-3.
28. See NOPR, 192 FERC ¶ 61,127 at P 12.
29. Id. P 8; Low Impact Criteria Review Report at 15.
30. NERC Petition at 16.
31. Id. at 16-17.
32. See Mr. Haddad Comments at 1-4; Mr. Ravnitzky Comments at 2-4.
33. Proposed Reliability Standard CIP-003-11, Requirement R2 & Attach. 1, Sec. 4.
34. See NERC Comments 4-8; *see also* NERC Petition at 6-7. *See infra* Section II.B (discussing NERC's proposed initiatives in its *Critical Infrastructure Protection Roadmap* (Jan. 2026) (CIP Roadmap), *[https://www.nerc.com/globalassets/our-work/reports/special-reports/nerc_cip_roadmap_01122026.pdf](https://www.nerc.com/globalassets/our-work/reports/special-reports/nerc_cip_roadmap_01122026.pdf)*).
35. CIP Roadmap at 9.
36. Proposed Reliability Standard CIP-003-11, Requirement R2 & Attach. 1, Sec. 4.
37. NOPR, 192 FERC ¶ 61,127 at P 16.
38. Mr. Haddad Comments at 2; NERC Comments at 3-4; Mr. Ravnitzky Comments at 2; Trade Associations Comments at 5-6.
39. NERC Comments at 1-2, 8; Trade Associations Comments at 1-2, 10-12 (citing NERC, *2025 Work Plan Priorities* (Dec. 10, 2024), *[https://www.nerc.com/globalassets/who-we-are/2025-work-plan-priorities-approved-december-10-2024.pdf](https://www.nerc.com/globalassets/who-we-are/2025-work-plan-priorities-approved-december-10-2024.pdf)*); *see also* CIP Roadmap.
40. NERC Comments at 8.
41. Id. at 4-5.
42. Id. at 6-7.
43. Id. at 8; Trade Associations Comments at 11-12.
44. Trade Associations Comments at 11-12.
45. Id. at 11-13.
46. Mr. Haddad Comments at 2; Mr. Ravnitzky Comments at 2.
47. Mr. Ravnitzky Comments at 4.
48. Id.
49. Id.
50. Mr. Haddad Comments, attach. at 6 (Literary Review).
51. Id.
52. Mr. Haddad Comments at 5.
53. NERC Comments at 7-8.
54. Id. at 8.
55. Id. at 6-7.
56. See supra note 35.
57. CIP Roadmap at 3, 6, 8.
58. Id. at 5 (citing the Low Impact Criteria Review Report).
59. Id. at 2-3; see also NERC Comments at 8.
60. See supra Section II.A.2 (explaining how Reliability Standard CIP-003-11 will strengthen protections for low impact BES Cyber Systems). See supra note 26; see also CIP Roadmap at 5, 8 (noting how multi-factor authentication can help mitigate the risk of lateral movement).
61. The paperwork burden estimate includes cost associated with the initial development of a policy to address the requirements.
62. This burden applies in Year 1 to Year 3.
63. Reguls. Implementing the Nat'l Env't Pol'y Act, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. ¶ 30,783 (1987) (cross-referenced at 41 FERC ¶ 61,284).
64. 18 CFR 380.4(a)(2)(ii).
65. 5 U.S.C. 601-612.
66. 13 CFR 121.101.
67. Id. 121.201, Subsector 221 (Utilities).
68. U.S. Small Business Admin., *A Guide for Government Agencies: How to Comply with the Regulatory Flexibility Act* 18 (Aug. 2017), *[https://advocacy.sba.gov/wp-content/uploads/2019/06/How-to-Comply-with-the-RFA.pdf](https://advocacy.sba.gov/wp-content/uploads/2019/06/How-to-Comply-with-the-RFA.pdf).*
69. Public utilities may fall under one of several different categories, each with a size threshold based on the company's number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold for each affected entity to conduct a comprehensive analysis.
[FR Doc. 2026-05711 Filed 3-23-26; 8:45 am]
BILLING CODE 6717-01-P
Published Document: 2026-05711 (91 FR 13952)