FERC-725B, RM24-8 Final Rule, Mandatory Reliability Standards for Critical Infrastructure Protection (CIP)

For Final Rule RM24-8 - Reliability Standards CIP 003-10, CIP-004-8, CIP-005-8, CIP-006-7.1, CIP-007-7.1, CIP-008-7.1, CIP 009 7.1, CIP-010-5, CIP-011-4.1, and CIP-013-3 were updated. According to NERC, the Reliability Standards would allow responsible entities to fully implement virtualization and address risks associated with virtualized environments, such as “side channel” attacks where virtual systems executing on the same hardware could affect one another. NERC also states that the use of security objectives within the CIP Reliability Standards establishes a framework adaptable to newer technologies. NERC explains that its revisions would: (1) support different security models by adjusting language around perimeter-based models to accommodate other security models; (2) recognize “virtualization infrastructure and virtual machines through new and revised terms in the NERC Glossary;” (3) broaden “change management approaches beyond a baseline-only configuration to recognize the dynamic nature of virtualized technologies,” e.g., where such virtualized systems are no longer installed on specific servers; and (4) manage “accessibility and attack surfaces of a virtualized configuration.” In addition to the changes to facilitate virtualization, the proposed Reliability Standards incorporate clarifications found during the implementation of prior versions of the CIP Standards.

The latest form for FERC-725B, RM24-8 Final Rule, Mandatory Reliability Standards for Critical Infrastructure Protection (CIP) expires 2026-06-30 and can be found here.

CIP Standards 004-8

Federal Enterprise Architecture: Energy - Energy Conservation and Preparedness