ReliabilityFirst’s Compliance Monitoring program consists of two groups, Operations and Planning (O&P) and Critical Infrastructure Protection (CIP) (collectively, Compliance Monitoring). The primary function of these two groups is to assess registered entities’ compliance with the North American Electric Reliability Corporation (NERC) Reliability Standards, and they do this through a combination of audits, spot checks, investigations, and self-certifications. For each standard and requirement in scope for an engagement, Compliance Monitoring will make a determination of “No Finding” (NF), “Potential Noncompliance” (PNC), “Open Enforcement Action” (OEA), or “Not Applicable” (NA), and may also identify areas for recommendations, areas of concern, and positive observations. If PNCs are determined, the PNCs are then communicated to ReliabilityFirst Enforcement to resolve the PNCs. During the enforcement process, Compliance Monitoring continues their involvement to support risk assessment and mitigation reviews.

As the name implies, O&P focuses on standards related to operations and planning, such as balancing, emergency operations, facility ratings, modeling, personnel training, operations, planning, and voltage control. In contrast, the CIP group focuses on standards to protect the bulk electric system from cyber and physical attacks on critical infrastructure. Among other topics, CIP standards address identification and categorization of bulk electric system cyber assets, patch management, remote vendor access, firewall rules, physical security, and use of the cloud environment.

ReliabilityFirst takes a risk-based approach to compliance monitoring activities to direct resources where they are needed most based on identification and prioritization of risks. To accomplish this, Compliance Monitoring works closely with our internal risk analysis group to leverage tools including Compliance Oversight Plans and Inherent Risk Assessments.

Compliance Monitoring also takes a lead role within ReliabilityFirst and the ERO Enterprise to help identify, support, and share best practices within the industry, such as identifying and documenting internal controls.

Use the links below to access the NERC Standards and other resources and tools:

Attachment Cs

CIP ERT

NERC Standards

ERO Enterprise Risk-Based Framework

Internal Controls

Align

Secure Evidence Locker (SEL)

NERC training page

ERO enterprise Auditor Handbook, which includes definitions (under Glossary)