FERC Seeks Comments on Extension of Critical Infrastructure Protection Reliability Standards Collection

  • By: Learn Laws®
  • Published: 02/17/2026
  • Updated: 02/17/2026

The Federal Energy Regulatory Commission (FERC) announced on February 17, 2026, a notice soliciting public comments on the extension of its information collection FERC-725B. This collection pertains to Mandatory Reliability Standards for Critical Infrastructure Protection (CIP), aimed at safeguarding the cybersecurity of the Bulk-Power System. The request complies with the Paperwork Reduction Act of 1995 and seeks a three-year renewal without modifications to the existing reporting requirements. Comments are due by April 20, 2026, and the extension underscores FERC's commitment to ensuring reliable operation of the electric grid amid persistent cyber threats. This development is significant as it maintains a framework that has evolved over nearly two decades to address vulnerabilities in critical infrastructure.

Background on CIP Reliability Standards

The CIP Reliability Standards originated from the Energy Policy Act of 2005, which added section 215 to the Federal Power Act. This legislation mandated the development of mandatory and enforceable reliability standards, including cybersecurity protections, for the Bulk-Power System. FERC certified the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization in 2006 through Order No. 672, establishing procedures for standard approval and enforcement.

NERC develops these standards, which FERC reviews and approves. Once approved, they apply to users, owners, and operators of the Bulk-Power System. The standards are results-oriented, allowing entities flexibility in compliance methods rather than prescribing specific technologies. This approach emerged in response to growing concerns over cyber threats to electric infrastructure, with initial approvals in Order No. 706 in 2008 for the first version of CIP standards.

Evolution and Key Updates to the Standards

Over time, FERC has approved multiple revisions to the CIP standards to counter emerging threats. A major milestone was Order No. 791 in 2013, which introduced CIP version 5. This version adopted a tiered categorization of assets as high, medium, or low impact based on their potential effect on Bulk Electric System reliability if compromised. High-impact assets include large control centers, while medium-impact ones cover smaller control centers, high-voltage transmission, and major substations. Low-impact assets encompass the rest, with tailored requirements accordingly.

Subsequent updates addressed specific risks. For instance, Order No. 822 in 2016 revised standards for physical security and communications. More recently, standards like CIP-013-3 for supply chain risk management and CIP-012-2 for protecting data between control centers were added. CIP-014-3 focuses on physical security of critical transmission facilities, and CIP-015-1 aims to enhance detection of unauthorized network activity. These evolutions reflect input from industry stakeholders and responses to incidents, such as cyberattacks on energy sectors globally.

Key players include FERC as the approving authority, NERC as the standard developer, and registered entities responsible for implementation. Perspectives vary: industry groups often emphasize the need for flexibility to avoid undue burdens, while cybersecurity experts advocate for stricter measures given rising threats from state actors and hackers. Government reports, including those from the Department of Energy, highlight the standards' role in national security without endorsing specific changes.

Current Composition of CIP Standards

The CIP suite currently comprises 12 effective cybersecurity standards, one pending enforcement in July 2022 (CIP-012-2, now effective based on the 2026 notice date), and one physical security standard (CIP-014-3). Each standard targets distinct aspects of protection.

For example, CIP-002-5.1a requires categorizing Bulk Electric System Cyber Systems based on impact levels. CIP-003-10 mandates security management controls for accountability. Standards like CIP-004-8 focus on personnel training and risk assessments, while CIP-005-8 and CIP-006-7.1 address electronic and physical security perimeters. CIP-007-7.1 covers system security management, and CIP-008-7.1 deals with incident reporting. Recovery is handled in CIP-009-7.1, configuration management in CIP-010-5, and information protection in CIP-011-4.1. Newer additions like CIP-013-3 mitigate supply chain risks, and CIP-015-1 improves anomaly detection.

These standards implement a defense-in-depth strategy, as noted in Order No. 822, allowing tailored compliance. Burden estimates in the notice detail the reporting load: for instance, CIP-003-10 affects 1,579 respondents with an average of 1.56 hours per response, totaling 384,635 hours annually at a cost of $29,732,285.50. Overall, the collection imposes a burden of 833,369 hours and $64,419,423.70 per year, based on NERC's registry of 1,492 U.S. entities.

Implications and Perspectives

Short-term implications include continued compliance obligations for entities, ensuring no lapse in cybersecurity measures upon extension approval. Long-term, the standards support grid resilience against evolving threats, potentially influencing energy policy and investment in secure technologies.

Different viewpoints exist. Utilities may view the burdens as necessary but costly, as evidenced by the notice's cost estimates using Bureau of Labor Statistics data for managers and engineers at $77.30 per hour. Regulators and security advocates see them as vital for preventing disruptions, citing precedents like the 2015 Ukraine blackout from cyberattacks. Critics argue for more innovation in standards to address quantum computing risks, though the notice invites comments on burden reduction and information utility.

The extension aligns with broader federal efforts, such as those under the Federal Power Act, without introducing new requirements. This stability could encourage voluntary enhancements, but it also highlights debates on whether current standards sufficiently cover low-impact systems, which have lighter requirements.

In summary, FERC's request to extend FERC-725B reinforces the foundational cybersecurity framework for the Bulk-Power System. Potential next steps include reviewing public comments, which could lead to adjustments in burden estimates or collection methods. Ongoing challenges involve balancing compliance costs with security needs, adapting to new threats like supply chain vulnerabilities, and fostering collaboration between NERC, FERC, and industry. Debates may center on enhancing standards' clarity and reducing administrative loads while maintaining robust protections for critical infrastructure.
