Rethinking CIP Compliance for Cloud and Emerging Technologies

April 24, 2026

The North American Electric Reliability Corporation is exploring a new framework for its Critical Infrastructure Protection standards that could fundamentally change how cybersecurity compliance is structured across the bulk power system. The proposed “100-series” approach would introduce a parallel, more flexible model better suited to cloud and third-party environments, with potential implications for compliance strategy, audit readiness, and vendor contracting.

For entities registered with the North American Electric Reliability Corporation (NERC) and subject to mandatory reliability standards, NERC’s proposed “100-series” Critical Infrastructure Protection (CIP) standards are the most ambitious and potentially most consequential cybersecurity compliance developments in years. NERC is considering a fundamental shift in how CIP standards are structured and applied, driven in large part by the increasing use of cloud services and consideration of other modern technologies across the bulk power system.

If the standards initiative succeeds in its aims, the new standards would create significant new flexibility for CIP compliance programs. Registered entities could move away from traditional hardware-based compliance models toward an objective-based framework better suited to current technology than the existing standards, which are largely based on operational technology models from two decades ago—a lifetime in technology. For reference, the current suite of CIP reliability standards was filed with FERC in August 2006 and was in turn based on a voluntary cybersecurity standard adopted by NERC in 2003, both before the first iPhone was launched.

For registered entities already using, or planning to use, cloud and vendor-managed services in CIP-relevant environments, the 100-series concept may signal future changes in how compliance obligations are framed, how audit readiness is established, and what must be built into vendor arrangements to ensure compliance can be achieved and proven. However, the proposal is still in early development and likely to evolve substantially, which is why registered entities, particularly those that use or plan to implement cloud services, should track developments closely and consider where participation in the standards-development and regulatory process may help shape the final framework so that those standards can be implemented in a way that allows registered entities to fully realize the advantages of current technology.

A PARALLEL FRAMEWORK FOR CIP COMPLIANCE

At the center of the proposal is the development of a new suite of “100-series” CIP reliability standards that would operate alongside the existing standards rather than replace them. The concept is to create parallel requirements aligned with each existing CIP standard, allowing entities to select the framework that best fits their operational environment, complying with the existing series or the 100 series, but not both for the same asset.

This approach reflects a departure from traditional standards development. Rather than incrementally revising existing requirements, the proposal envisions a new framework designed specifically to accommodate cloud services and future technologies. The existing standards are built around a hardware-based model, which assumes that critical systems are owned and controlled by the registered entity. That assumption becomes less workable in cloud environments because cloud services may rely on hardware and software that are neither located on a registered entity’s premises nor under its management and control in the same way as on-premises devices. Instead, while the cloud services can be subject to very strict security controls, those controls to some extent rely on implementation by a cloud service provider or other third party that would have the physical assets.

Under the proposed structure, entities would be able to

  • apply either the existing CIP standards or the new 100-series standards;
  • make that selection at a system level rather than at an asset level; and
  • align compliance approaches with the technologies deployed in each environment.

This flexibility is intended to support innovation without requiring wholesale transition to a new CIP compliance paradigm. At the same time, this proposal also introduces practical complexity. Many entities operate a mix of legacy and modern systems implemented over decades, which could mean maintaining parallel compliance frameworks at the same time, along with the documentation, governance, and oversight needed to ensure the frameworks are applied consistently and defensibly.

That complexity may be especially important for entities adopting cloud or vendor-managed services. If the 100-series standards ultimately allow a different compliance pathway for certain systems or services, the standards-development process will need to clarify how that choice is made, how boundaries are drawn, and how entities demonstrate that the selected framework is appropriate. Those are issues that may change materially as the proposal develops, and they are likely to be important areas for stakeholder input.

FROM ASSET-BASED CONTROLS TO OBJECTIVE-BASED REQUIREMENTS

A defining feature of the proposed 100-series standards is the shift from prescriptive, asset-focused requirements to an objective-based model. Rather than mandating specific controls, the new framework would focus on whether entities achieve defined security outcomes.

This shift is supported by a revised conceptual foundation for compliance. The proposal expands the definition of in-scope systems to include both systems and services, reflecting the increasing role of third-party platforms and cloud-based infrastructure. This expanded concept becomes the basis for identifying applicable systems and structuring compliance obligations.

In practice, this model would require entities to

  • identify systems based on function and operational impact rather than physical assets;
  • develop security plans designed to meet defined objectives; and
  • determine appropriate technical and operational controls based on their environment.

Examples of these objectives may include restricting access based on operational need, protecting configurations that affect system security, and ensuring monitoring and enforcement mechanisms are effective.

The proposed approach offers several potential advantages. It could make it easier to adopt new and emerging technologies, align more closely with risk-based cybersecurity frameworks, and reduce reliance on static requirements tied to specific hardware configurations or legacy operational technology architecture. At the same time, it introduces important considerations. Entities may face increased interpretive uncertainty, a greater need for internal documentation and justification, and potential challenges in demonstrating compliance during audits or enforcement.

Those issues may be even more pronounced in cloud and other shared-responsibility environments. In those settings, demonstrating that a security objective has been achieved may depend in part on information, support, or evidence controlled by a third-party provider. As a result, the practical success of a more flexible framework may depend not only on how the standards are written but also on whether registered entities have vendor arrangements that require providers to implement relevant controls, preserve and share needed evidence, support audits and assessments, and otherwise enable the entity to demonstrate compliance.

A CLOUD-SPECIFIC RELIABILITY STANDARD

The proposal also contemplates a cloud-specific standard that would address issues unique to third-party environments. While no draft of the standard currently exists, NERC stated that the standard should address data sovereignty considerations across jurisdictions and the allocation of responsibility between service providers and registered entities.

A core challenge in the NERC compliance space is not simply whether cloud services can be used, but how accountability, oversight, and evidence collection work when critical functions rely on an external provider. The standards-development process may therefore need to address not only technical expectations but also what it means in practice for an entity to retain sufficient control, visibility, and documentation over outsourced or vendor-supported environments.

A cloud-specific standard is also where commercial contracting is likely to become increasingly important. If future standards are designed to accommodate cloud services more explicitly, entities may need to revisit vendor arrangements to ensure compliance can be achieved and demonstrated. Depending on how the standards evolve, that could include adding new provisions addressing security control obligations, audit and information rights, logging and retention, incident notification and response support, subcontractor oversight, change management transparency, and other forms of cooperation needed to support compliance and evidentiary requirements.

STAKEHOLDER SUPPORT AND PRACTICAL TRADEOFFS

Initial stakeholder response to the proposed framework has been largely positive, with broad support for both the overall direction and the move toward objective-based requirements. At the same time, stakeholders have emphasized the need for more detailed examples and draft language to better evaluate how the new standards would function in practice.

The potential benefits are significant. The proposed model could enable broader adoption of cloud services and modern technologies, reduce structural barriers embedded in existing standards, and support more adaptable and tailored compliance programs. In addition, greater flexibility may allow entities to better align compliance approaches with their specific operational environments and risk profiles.

But at the same time, the transition presents notable tradeoffs. Maintaining parallel standards could increase administrative burden and staffing needs, duplicate compliance processes and documentation, and risk gaps or inconsistencies across systems. These challenges are particularly relevant for entities managing diverse infrastructure portfolios. The effectiveness of the new framework will depend heavily on how the standards are ultimately drafted, including whether they strike an appropriate balance between flexibility and clarity.

LOOKING AHEAD

The proposal remains at an early stage, and several pathways are possible, but it signals a potentially important shift in how CIP compliance may be approached in a more cloud-enabled and technology-diverse environment. Next steps could include continued refinement of the proposal, development of draft standards, industry balloting, and eventual regulatory review. The timeline remains uncertain, although the project’s elevation to a “high” priority standards drafting project suggests continued momentum with a slated goal to be completed by the end of 2027.

Companies that rely on cloud services or third-party technology providers should monitor this development closely. Stakeholders should consider utilizing opportunities to participate in the legal and regulatory process as the proposal develops. Engagement through standards drafting, industry comment processes, and related regulatory proceedings may help shape how the final framework addresses shared responsibility, evidentiary burdens, and the practical realities of compliance in outsourced environments.

Companies should also consider whether their current vendor arrangements would allow them to satisfy and demonstrate compliance under a more objective-based framework. Compliance may turn less on the technical capabilities of a provider than on what the contract requires the provider to do, preserve, disclose, and support. Contractual provisions that once seemed ancillary may become central to an entity’s ability to show that compliance obligations have been met.

While significant questions remain, the direction of travel is clear. As the bulk power system continues to modernize, the regulatory framework governing cybersecurity is likely to evolve alongside it. Companies that follow these developments closely, evaluate the implications for both compliance programs and vendor arrangements, and engage early in the development process may be better positioned to adapt as the 100-series proposal becomes more concrete.

Authors
J. Daniel Skees (Washington, DC)
Robert P. Goldfin (Washington, DC)