NERC CIP Scope Determination And Lessons From Recent Enforcement Trends

Getting NERC CIP scope right is the difference between a clean audit and costly remediation.

In 2025, enforcement data shows most issues still cluster around system security management (CIP-007), configuration change/assessment (CIP-010), and personnel & training (CIP-004)—and the root causes are often weak preventive controls and incomplete procedures.

Meanwhile, updated expectations around BCSI in the cloud, supply-chain risk (CIP-013-2), and precise BES Cyber System identification (CIP-002) are reshaping where the compliance line is drawn.

Why “scope determination” matters more than ever

Scope determination is the foundational exercise that decides what systems, data, and controls fall under NERC CIP.

If you scope too narrowly, you risk leaving in-scope assets unsecured; too broadly, and you waste resources and complicate operations.

NERC’s categorization framework requires entities to identify BES Cyber Systems (BCS)—logical groupings of cyber assets whose compromise could affect the Bulk Electric System—and then capture the systems that protect or broker access to them (e.g., EACMS, PACS), plus the information about them (BCSI).

Key scoping anchors:

  • CIP-002 (Categorization): Determine which cyber functions support reliability tasks and classify assets High, Medium, or Low impact; this decision drives all downstream obligations.
  • EACMS/PACS are in scope: Electronic Access Control or Monitoring Systems (EACMS, e.g., firewalls, auth servers, jump hosts) and Physical Access Control Systems (PACS) that protect BCS also become applicable under multiple CIPs.
  • BCSI (CIP-011-3): BES Cyber System Information—drawings, configs, settings, credentials, architecture—must be identified and protected wherever it resides, including cloud platforms.
  • Low-impact connectivity: For Low-impact assets, LERC (Low-impact External Routable Connectivity) and the associated LEAP concept align scoping to routable entry points and remote access exposure.

What 2025 enforcement is telling us (and how it affects scope)

NERC’s 2025 CMEP Mid-Year Report shows the same core trouble spots as 2024: CIP-007, CIP-010, and CIP-004 are the most frequently reported CIP standards.

Nearly 80% of issues were found by entities’ own detective controls (self-reports/logs), while <10% of processed noncompliances were moderate/serious risk.

NERC also notes an ~18% reduction in older (pre-2025) noncompliance inventory and that ~80% of mitigations complete within six months.

Critically, >40% of root causes trace to ineffective preventive controls or deficient policies/procedures—classic scope/planning failures.

The top CIP themes behind findings

  • CIP-007 (System Security Management): Patch/vulnerability cadence, malware defenses, and account hardening on BCS, EACMS, PACS, and PCA frequently expose scope gaps (e.g., assets that should have been included under the ESP/EAP boundary).
  • CIP-010 (Configuration & change management): Incomplete inventories, missing baseline elements, or unassessed changes often trace back to incorrect asset inclusion/exclusion.
  • CIP-004 (Personnel & training): Access authorization and revocation workflows sometimes omit people with logical or indirect access to BCS/BCSI, revealing gaps in the defined scope of “who’s in”.

Newer drivers that expand (or clarify) your scope

Supply-chain obligations (CIP-013-2)

CIP-013-2 requires a documented Supply Chain Risk Management plan that covers procurement, vendor vulnerability notification/coordination, and integrity/authenticity verification for software and patches used on BCS, EACMS, and PACS.

If your scoping misses these associated systems—or the vendor pathways that touch them—your plan will be incomplete.

BCSI in the cloud (CIP-011-3 + endorsed guidance)

As teams move drawings/configs to SaaS or hyperscale platforms, the BCSI boundary now includes cloud storage, collaboration suites, ticketing tools, and code repos.

NERC’s Implementation Guidance and the RSTC Security Guideline outline responsibilities across IaaS/PaaS/SaaS and the division of controls between provider and utility—make sure your scope and controls reflect the “overlay/underlay” model and encryption/identity guardrails.

Updated terminology and draft evolutions

Recent glossary updates standardize definitions such as EACMS, and ongoing CIP drafting (e.g., CIP-007-X proposals) continues to emphasize risk-based access and vulnerability management—nudging programs to include previously overlooked systems that influence authentication, logging, and malware defense.

A step-by-step scope determination playbook

Start with functions (CIP-002): Map reliability tasks to systems; identify BES Cyber Systems and classify impact.

Use a repeatable methodology owned by a cross-functional team (Operations, OT/IT, Protection, Telecom).

Draw your perimeters: Define the Electronic Security Perimeter (ESP) and Electronic Access Points (EAPs), then list EACMS (firewalls, auth, SIEM/IDS, jump hosts) and PACS that protect BCS.

These systems inherit applicability across multiple CIPs.

Chase the data (BCSI): Inventory where BCSI lives and flows: engineering file shares, ticket systems, cloud drives, backup media, email attachments, and vendor portals.

Apply CIP-011-3 controls (classification, protection, destruction) tuned to cloud models if used.

Account for Low-impact exposure: For low-impact assets, examine LERC and enforce appropriate access points (LEAP) and remote access controls; update CIP-003 attachments to reflect routable pathways.

Pull in supply-chain touchpoints: Extend scope to procurement, supplier access, patch delivery channels, binary provenance checks, and vendor notification flows per CIP-013-2.

Validate people & identities: Align CIP-004 personnel risk assessments, training cadence, and joiner/mover/leaver processes with actual access to BCS, EACMS, PACS, and BCSI (including contractors and MSSPs).

Test the scope with change/use cases: Run tabletop exercises: new relay firmware, EMS patch, vendor remote session, drawing export to cloud, SOC account creation—does each pathway fall under your controls? If not, you’ve missed scope.

Enforcement takeaways you can act on now

  • Treat EACMS/PACS as first-class citizens. Several audit lessons emphasize evaluating risks from associated cyber assets—not just BCS—especially auth proxies, firewalls, PAM, and physical access systems. If they mediate access, they’re in scope.
  • Tighten patch/change governance. Most findings still trace to CIP-007 and CIP-010 control families. Centralize inventories, document baselines, record variance justifications, and prove timely vulnerability handling.
  • Prove your detective muscle. With ~80% of potential noncompliances discovered by entities themselves, build robust self-reporting and mitigation pipelines; this both reduces risk and demonstrates program maturity during enforcement.
  • Write it down—cleanly. Over 40% of root causes tie to ineffective preventive controls or deficient procedures. Clear ownership, versioned procedures, and control-evidence maps are now table stakes.
  • Know the stakes. Fines can reach seven figures per day per violation when risk is significant—budget for compliance the way you budget for reliability.

Quick reference: 2025 enforcement pulse (H1)

Theme/Metric                | What auditors saw                                             | So what?
----------------------------|---------------------------------------------------------------|----------------------------------------------------------------------------------
Most reported CIP standards | CIP-007, CIP-010, CIP-004                                     | Expect scrutiny on patching, baselines/changes, and access/authorization workflows.
Discovery method            | ~80% self-identified via detective controls                   | Build strong monitoring and internal reviews; self-report early.
Volume                      | 863 possible noncompliances reported (Q1–Q2 2025)             | Prioritize triage and mitigation planning capacity.
Risk profile                | <10% of processed cases were moderate/serious risk            | Most issues are fixable control/coverage gaps—don’t let them age.
Aging inventory             | ~18% reduction in 2024-and-older items                        | Enforcement values throughput; keep remediation moving.
Mitigation speed            | ~80% complete within 6 months                                 | Set 180-day internal targets for closure.
Root causes                 | >40% tied to weak preventive controls or deficient procedures | Invest in design reviews and document quality, not just tooling.

Scoping pitfalls that lead to findings

Missing “indirect” systems: Auth directories, jump hosts, remote access brokers, and logging stacks that sit outside the ESP—but govern access—are often under-scoped. They’re EACMS and must be treated accordingly.

Cloud spillover of BCSI: Engineering artifacts or network maps synced to collaboration tools without BCSI identification and protection.

Address key-management, encryption, retention, and provider responsibility splits.

Low-impact complacency: Assuming Low-impact sites are “light touch” and overlooking LERC pathways or remote interactive access requirements in CIP-003 attachments.

People-scope blind spots: Vendors, seasonal workers, or corporate IT staff with functional access to BCS/EACMS/PACS but not fully enrolled in CIP-004 training and PRA cycles.

Supply-chain myopia: Focusing on “buying secure gear” but not documenting vulnerability coordination, patch provenance, and software authenticity checks across EACMS/PACS.
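As an added example (not part of this article or of any NERC publication), the Python script below encodes the playbook's scoping rules and the pitfalls above as checks over a constructed inventory: systems that mediate electronic or physical access to a BCS are derived as EACMS/PACS, and an access broker outside the ESP, a Low-impact asset with external routable connectivity, an unprotected BCSI repository, and a person with access but no current CIP-004 status are each reported as scope gaps. All asset, person and repository names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    impact: str = ""                    # High/Medium/Low if it is a BCS, empty otherwise
    inside_esp: bool = False
    mediates_access_to: set = field(default_factory=set)  # electronic access it brokers
    physical_access_to: set = field(default_factory=set)  # physical access it controls
    external_routable: bool = False     # routable path from outside (LERC for Low impact)

@dataclass
class Person:
    name: str
    access_to: set                      # asset or repository names the person can reach
    cip004_current: bool                # PRA and training within cycle

def derive_scope(assets, people, bcsi_repos):
    """Derive BCS/EACMS/PACS sets and list scope gaps; bcsi_repos maps repo -> protected."""
    bcs = {a.name for a in assets if a.impact}
    eacms = {a.name for a in assets if a.mediates_access_to & bcs}
    pacs = {a.name for a in assets if a.physical_access_to & bcs}
    gaps = []
    for a in assets:
        if a.name in eacms and not a.inside_esp:
            gaps.append(f"{a.name}: indirect system outside ESP brokers access to BCS, treat as EACMS")
        if a.impact == "Low" and a.external_routable:
            gaps.append(f"{a.name}: Low-impact asset with LERC, verify access point in CIP-003 attachment")
    for repo, protected in bcsi_repos.items():
        if not protected:
            gaps.append(f"{repo}: holds BCSI without CIP-011 protection")
    covered = bcs | eacms | pacs | set(bcsi_repos)   # everything that pulls people into CIP-004
    for p in people:
        if p.access_to & covered and not p.cip004_current:
            gaps.append(f"{p.name}: access to {sorted(p.access_to & covered)} but not current on CIP-004")
    return {"bcs": bcs, "eacms": eacms, "pacs": pacs, "gaps": gaps}

SAMPLE_ASSETS = [                                         # constructed inventory, not real data
    Asset("ems-server", impact="High", inside_esp=True),
    Asset("substation-rtu", impact="Low", external_routable=True),
    Asset("corp-ad", mediates_access_to={"ems-server"}),   # auth directory outside the ESP
    Asset("jump-host", inside_esp=True, mediates_access_to={"ems-server"}),
    Asset("badge-system", physical_access_to={"ems-server"}),
]
SAMPLE_PEOPLE = [
    Person("ops-engineer", {"ems-server"}, True),
    Person("vendor-tech", {"jump-host"}, False),
]
SAMPLE_BCSI = {"eng-sharepoint": False, "config-backup": True}

for line in derive_scope(SAMPLE_ASSETS, SAMPLE_PEOPLE, SAMPLE_BCSI)["gaps"]:
    print(line)
```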

What “good” scope documentation looks like in 2025

  • A CIP-002 methodology mapping reliability tasks to BCS, with impact ratings and rationale.
  • Network and data-flow diagrams showing ESP/EAP boundaries, EACMS locations, and BCSI repositories (including cloud and backups).
  • A CIP-013-2 SCRM plan aligning procurement, vendor notifications, and software/patch integrity verification to BCS/EACMS/PACS.
  • A BCSI register (what it is, where it is, who can access, how it is protected/destroyed) that integrates CIP-004 access workflows.
  • A controls-to-evidence matrix tying standards/requirements to procedures, owners, and proof (tickets, logs, screenshots, configs).

Scope is strategy.

If you identify the right systems, the right access brokers, and the right data, the bulk of CIP-007/CIP-010/CIP-004 findings will evaporate because your baselines, patches, accounts, and training will naturally map to the true risk surface.

2025 enforcement shows that mature programs find and fix their own issues quickly, and that penalties increasingly reflect not just the violation, but the quality of your controls and procedures.

Treat EACMS/PACS as in-scope by design, bring BCSI in the cloud under explicit protection, and extend CIP-013-2 rigor to every supplier pathway that touches your grid.

Do these consistently, and scope becomes your strongest defense—technically and during audits.

Frequently Asked Questions

What are the most common scope mistakes auditors find?

Under-scoping EACMS/PACS, forgetting about BCSI in collaboration or cloud tools, and assuming Low-impact assets have no LERC/remote access exposure.
These drive many findings under CIP-007, CIP-010, CIP-004, and CIP-003.

How do supply-chain rules change my scope?

CIP-013-2 pulls in procurement paths, vendor vulnerability coordination, and software/patch integrity checks for systems that touch BCS/EACMS/PACS.
If a supplier’s process can affect your environment, include it—contractually and procedurally.

What enforcement trends should I benchmark against in 2025?

Plan for deeper review of CIP-007/CIP-010/CIP-004 controls, show self-detection and <6-month mitigation, and tighten procedures—since >40% of root causes are policy/control design issues. Keep an eye on BCSI-in-cloud expectations and glossary/standards updates.
