
FERC’s 2025 Lessons Learned: Direct Insights from Commission-Led CIP Audits

November 4, 2025

Each year, the Federal Energy Regulatory Commission (FERC) conducts its own commission-led Critical Infrastructure Protection (CIP) audits to gain a direct view of how utilities and other registered entities are implementing the NERC CIP Reliability Standards.

These audits are part of FERC’s own CIP audit program, rather than typical regional entity-led audits. In this process, FERC staff issue data requests, hold webinars and teleconferences, conduct virtual and on-site visits, interview personnel at multiple levels, review documentation and observe cyber-asset operations to provide the Commission with a more direct view of compliance maturity and cybersecurity practices across the Bulk Electric System.

On October 20, 2025, FERC released its latest Lessons Learned from Commission-Led CIP Reliability Audits summarizing findings from its Fiscal Year 2025 reviews. While anonymized, the report offers valuable insight into where registered entities continue to face challenges and how FERC interprets compliance obligations in emerging technology areas.

FERC’s direct participation in CIP audits helps the Commission validate that approved standards are being implemented as intended and identify where evolving technologies or operational models may be introducing new risk.

FY2025 Key Takeaways

1. Control Center Categorization Must Reflect DER Growth (CIP-002-5.1a)

FERC staff found that several entities failed to include distributed energy resources (DERs) and distribution-connected generation when calculating aggregate generation capacity for control centers performing generator operator (GOP) functions.

In some cases, utilities operated hundreds of small DERs—totaling more than 1,700 MVA—through the same physical control centers that managed bulk generation. When these facilities were not properly categorized, the result was a misapplied impact rating and missing security controls required for medium-impact systems.

Takeaway: Identification and categorization remain the foundation of the CIP standards. As DER portfolios expand, entities must ensure control center impact ratings reflect all generation resources operated through those facilities, consistent with CIP-002 Attachment 1 Section 2.11.

2. Third-Party Oversight Must Be Continuous (CIP-003-8, CIP-006-6, CIP-010-4)

Many entities now rely on third parties to perform key compliance or technical functions, such as firewall rule management, physical access control system (PACS) maintenance and vulnerability assessments. FERC staff observed cases where these responsibilities were delegated but not adequately monitored, leading to missed tasks, outdated firewall rules, or unverified testing intervals.

Key risks observed:

  • Lack of oversight controls or evidence retention for vendor-performed work.
  • Reliance on vendor attestations without direct validation.
  • Missed periodic testing of PACS or delayed vulnerability assessments.

Takeaway: Outsourcing does not transfer accountability. Entities must document third-party responsibilities, monitor execution, and retain evidence of oversight. FERC also recommends including security and compliance clauses in contracts, maintaining compensating controls, and ensuring third-party operations and data remain within the continental U.S.

3. Cloud Service Adoption Remains a Compliance Challenge (CIP-004-7, CIP-010-4)

FERC’s audit staff found multiple instances where entities could not demonstrate compliance when using cloud service providers (CSPs) for Electronic Access Control or Monitoring Systems (EACMS) and PACS functions.

Because the current CIP standards were developed before widespread cloud adoption, they do not explicitly address CSP environments, making it difficult for entities to verify baseline configurations, perform vulnerability assessments, or demonstrate personnel risk screening for CSP staff.

Key risks observed:

  • Lack of documented agreements specifying security roles, controls, and compliance responsibilities between entities and CSPs.
  • Inability to perform required verification steps (e.g., software integrity checks, vulnerability scans).
  • Vendor claims of “CIP-compliant” services that, upon audit, did not satisfy specific requirements.

Takeaway: While cloud services offer scalability and efficiency, FERC cautions that under current standards it remains “unlikely that entities can provide the measures needed to demonstrate compliance.” Entities should fully assess whether their BES Cyber Systems—or associated cyber assets—reside in the cloud and plan accordingly, especially before any change in impact rating.

The full report is available on FERC's website: https://www.ferc.gov/news-events/news/ferc-staff-report-offers-lessons-learned-2025-cip-audits

Improving FERC/NERC CIP Compliance Going Forward

The 2025 findings underscore the following:

  • Asset identification and categorization must keep pace with distributed and hybrid architectures.
  • Vendor and cloud oversight is essential.
  • Baseline documentation and change management remain critical for proving security controls.

Organizations should expect future FERC and NERC oversight to continue probing these areas, particularly third-party reliance and the emerging use of cloud services in operational technology environments.

Industrial Defender’s unified OT asset and compliance platform gives utilities and critical infrastructure operators the data and context needed to stay ahead of evolving compliance expectations:

  • Comprehensive Asset Inventory: Automatically discovers and categorizes OT assets across control environments, supporting accurate impact assessments under CIP-002.
  • Configuration and Change Monitoring: Tracks system baselines, firewall rules, and user activity for defensible evidence during audits.
  • Third-Party Oversight Support: Provides detailed configuration and security event data that help verify vendor-performed work and demonstrate oversight.
  • Automated Compliance Reporting: Streamlines evidence collection and reporting for CIP standards, helping teams stay audit-ready year-round.

As one of the longest-standing platforms purpose-built for OT cybersecurity and compliance, Industrial Defender has been helping registered entities meet NERC CIP requirements for over two decades. Supporting utilities across audit cycles, evolving standards, and real-world operations, we remain committed to strengthening reliability and resilience across the grid through better visibility, stronger evidence, and continuous compliance.