Author: Lawrence Fitzgerald | December 4, 2025

On September 18, 2025, the Federal Energy Regulatory Commission (FERC) issued two Notices of Proposed Rulemaking (NOPR) and one final rule aimed at modernizing the reliability and security of the Bulk Power System (BPS). These actions reflect FERC’s ongoing commitment to strengthen the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards to address emerging challenges in cybersecurity and supply chain risks impacting critical infrastructure. 

Background 

FERC’s latest rulemakings continue its effort to adapt NERC’s mandatory reliability standards to meet the demands of an increasingly digital and interconnected grid. As utilities integrate cloud computing, virtualized systems and network-connected equipment into operations, new vulnerabilities emerge. These updates build upon previous directives from FERC’s 2024 NOPR to ensure the standards evolve alongside modern technologies.

Virtualization Reliability Standards 

The first NOPR on Virtualization Reliability Standards proposes approval of four new and eighteen revised definitions in NERC’s Glossary of Terms, along with modifications to eleven CIP Reliability Standards. Historically, these standards were built on the assumption that critical hardware and software were installed and secured onsite. 

With increasing adoption of virtual and cloud-based systems, FERC’s proposal seeks to modernize those assumptions, updating security expectations to protect virtualized assets critical to Bulk Power System reliability. 

CIP-003-11 Low-Impact BES Cyber Systems 

The second NOPR concerns Critical Infrastructure Protection Reliability Standard CIP-003-11, a revised standard that FERC proposes in order to strengthen the cybersecurity posture of low-impact BES Cyber Systems. This NOPR introduces new requirements for communications security and system management to address the increasing risk of coordinated cyber threats across connected systems.

Addressing the importance of protecting low-impact systems, FERC invites public comments and is considering whether NERC should conduct a study or publish a whitepaper on emerging cyber threats and mitigation strategies for these assets. 

Supply Chain Risk Management 

In addition to the two proposed rules, FERC issued a Final Rule regarding Supply Chain Risk Management, adopting proposals from its September 2024 NOPR. The rule directs NERC to revise Reliability Standards addressing supply chain risks, including enhanced measures for certain types of network-connected equipment. 

These updates aim to strengthen protection for the BPS against external threats and risks introduced through global technology supply chains. NERC is required to submit corresponding modifications within 18 months of the rule’s effective date. 

Next Steps 

While the proposed rules are still under FERC review, clients should begin evaluating how these changes may affect existing cybersecurity and supply chain programs. The virtualization and low-impact BES Cyber System updates will likely require adjustments to communications security, system management and cloud or virtual environments. Likewise, with NERC directed to revise its supply chain standards within 18 months, registered entities should further strengthen vendor oversight and ensure procurement controls can trace network-connected equipment and suppliers.  

TRC’s cybersecurity and regulatory compliance practitioners help utilities anticipate and adapt to evolving NERC requirements. Our integrated approach connects technical expertise with practical compliance strategies, supporting clients as they modernize CIP programs, reduce risk and maintain reliability across an increasingly digital grid. 


About TRC’s NERC Security Practice 

TRC’s approach to power system security balances solutions that incorporate appropriate standards, regulatory requirements, best practices and operational goals and budgets. Our work for public and private sector utility clients is a testament to our understanding of the NERC compliance-related aspects of your business. Our successful application of technology solutions in a constantly evolving business and regulatory landscape will provide you with confidence regarding your power system compliance programs. Our power system security experts help you stay ahead of changing regulatory expectations because they stay engaged with the regulatory process and know how to plan, design and install programs that address your financial, technical and scheduling goals, including compliance with changing NERC standards and guidelines as well as industry best practices and the latest technology developments.

This regulatory update is a service to TRC’s utility clients, helping keep you informed of issues that increase your company’s electric compliance risks along with related topics regarding future regulatory developments to help you achieve your company’s business goals.  

Lawrence Fitzgerald

Lawrence Fitzgerald is a Certified Protection Professional (CPP) and a Physical Security Professional (PSP) with over 30 years of experience consulting on and resolving security matters across the United States and Canada. He earned a BA from the University of Rhode Island and currently manages various staff for TRC throughout New England. Larry participated in the investigation of the 2001 terrorist attacks involving anthrax in the US mail, and he has assisted colleges and universities as well as public schools in addressing various types of life safety and security issues. He has helped various types of Critical Infrastructure (CI) such as chemical plants, law enforcement agencies, refineries, utilities and transportation systems prepare for a terrorist attack or resolve a specific security issue. Larry co-authored the first three chapters of a 394-page security reference textbook entitled “Building Vulnerability Assessments,” published by CRC Press in 2009, and has presented numerous times on various topics related to security.