Regulatory Affairs news highlights: November 2025

Recent regulatory headlines we’re tracking include:

FERC issues Order 912 directing additions to CIP supply chain risk management standards

FERC has issued a final rule (Order 912) directing NERC to develop new or modified Reliability Standards within 18 months to address “gaps” in the CIP supply chain risk management (SCRM) standards. The Order states that these new or modified standards must address: 1) the sufficiency of responsible entities’ supply chain risk management plans related to how they identify and respond to supply chain risks; and 2) how the SCRM standards apply to protected cyber assets (PCAs). FERC states that the current SCRM standards provide a baseline of protection but must be enhanced to keep up with the changing threat landscape.

FERC holds annual Reliability Technical Conference

FERC held its annual Reliability Technical Conference on Oct. 21. The conference opened with comments from the commissioners, who discussed the critical importance of reliability issues and risks posed by data centers and large load growth. NERC President & CEO Jim Robb then presented on the State of Reliability, noting that while reliability remains high, there is an increasing number of near misses and a “five alarm fire” with risks related to resource adequacy, permitting issues, extreme weather, natural gas interdependencies, demand growth, and security. The first panel focused on leadership priorities, with panelists from NERC, Vistra Corp., NARUC, Invenergy, AEP, ComEd, and Duke Energy. The industry leaders shared solutions they are employing, such as uprating power plants for additional capacity and utilizing Grid Enhancing Technologies (GETs).

During the second panel, “Ensuring Reliability with Large Loads,” NERC Vice President Mark Lauby shared the various actions the ERO Enterprise is taking to address reliability risks posed by rapidly increasing large loads, including a NERC alert with guidance on interconnecting loads and ongoing work of the NERC Large Loads Taskforce. Panelists discussed the importance of certainty and of being able to plan for the amount of large loads coming online, as well as the need for robust modeling and load forecasting. A full recording of the conference is available here.

FERC issues Lessons Learned Report from FERC-led CIP audits

FERC staff issued the 2025 Lessons Learned from Commission-Led CIP Reliability Audits report, an anonymized summary report with takeaways from FERC-led CIP audits from the past year. The report states that while entities met most CIP requirements during these audits, FERC identified potential noncompliance and security risks and made voluntary cyber security recommendations.

The report contains three key lessons learned. First, for CIP-002-5.1a (Cyber Security — BES Cyber System Categorization), R1, BES Asset identification and categorization procedures should include distributed energy resources (DERs) when determining the impact rating of a control center. Second, for CIP-003-8 (Cyber Security — Security Management Controls), CIP-006-6 (Cyber Security — Physical Security of BES Cyber Systems), and CIP-010-4 (Cyber Security — Configuration Change Management and Vulnerability Assessments), entities should perform due diligence and careful oversight when relying on third parties to perform compliance duties. Finally, for CIP-004-7 (Cyber Security — Personnel & Training) and CIP-010-4, entities should consider compliance risks associated with cloud services (for example, some entities could not provide personnel risk assessments for employees of the cloud service provider, or baselines for cloud-based systems under CIP-010). For each of these lessons learned, the report lists suggested mitigation actions, along with references to additional guidance documents.