Citizen Portal
Sign In

FERC approves package of reliability and cybersecurity standards, directs NERC on supply‑chain and virtualization rules

Federal Energy Regulatory Commission (FERC) · September 18, 2025

Loading...

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video. so we can fix them.

Summary

At its September open meeting the Federal Energy Regulatory Commission approved four items updating reliability, cold‑weather, virtualization and supply‑chain standards, directing NERC to submit responsive modifications and setting an Oct. 1, 2025 effective date for a revised cold‑weather standard.

At its September open meeting, the Federal Energy Regulatory Commission approved a package of reliability and cybersecurity measures designed to strengthen protections for the bulk power system and accelerate readiness for winter operations.

The Commission voted to: issue a notice of proposed rulemaking to approve revisions to low‑impact BES cybersecurity controls; issue a separate NOPR to enable virtualization‑friendly, security‑objective based CIP requirements; adopt a revised extreme cold weather preparedness standard with an effective date of Oct. 1, 2025; and issue a final rule directing NERC to update supply‑chain risk management standards and extend protections to additional protected cyber assets.

The actions were taken unanimously by the Commissioners present. The Commission also approved a consent agenda that included several orders and hydro items.

Why it matters: Commissioners said the package is intended to reduce cyber‑risk to smaller or ‘‘low‑impact’’ bulk electric system assets, give utilities a secure, flexible path to adopt virtualization technologies, and ensure generators and regions are better prepared for extreme cold. The supply‑chain directive requires NERC to provide responsive modifications within 18 months and to extend protections to covered assets, while the cold‑weather standard directs biennial informational filings from October 2026 through October 2034 to assess effectiveness.

What the Commission approved

- Cyber controls for low‑impact systems (E1): The Commission issued a NOPR proposing approval of the reliability standard identified in the presentation as “SIP 3 11,” which seeks to strengthen cybersecurity management controls for low‑impact BES cyber systems and solicit comments on evolving threats.

- Virtualization and CIP modernization (E2): The Commission approved a NOPR to revise multiple CIP reliability standards and definitions to enable responsible use of virtualization and related technologies. Mayur Manchanda, technical lead on the virtualization NOPR at FERC’s Office of Electric Reliability, said the existing CIP framework largely assumed a one‑to‑one hardware‑to‑software relationship and that the proposed security‑objective approach gives entities necessary flexibilities while addressing shared‑infrastructure risks.

- Extreme cold weather readiness (E3): The Commission adopted a revised EOP‑012 standard on extreme cold weather preparedness and operations and set an effective date of Oct. 1, 2025 to ensure implementation ahead of winter. The order shortens corrective‑action timelines for generators after cold‑weather events and establishes a generator cold‑weather constraint declaration process to improve consistency and timeliness of compliance reviews.

- Supply‑chain risk management (E4): The Commission issued a final rule directing NERC to update supply‑chain reliability protections, broaden coverage to protected cyber assets, and provide responsive modifications within 18 months of the rule’s effective date. Simon Slobodnick, lead for supply‑chain standards, said the directives are intended to give responsible entities a more complete, risk‑based view of supply‑chain vulnerabilities and a programmatic means to respond.

Quotes and context

“We can’t slow down just because we have a new chair,” Chairman Rosner said, praising staff and stressing continuity as the agency pursues orders to support transmission development, interconnection queue acceleration and other infrastructure priorities.

Commissioner C said the Commission must balance speed with ‘‘regulatory certainty’’ and noted the decision earlier to terminate a draft certificate policy statement to avoid potential confusion and legal vulnerability.

Commissioner Chang highlighted growing load‑growth issues such as data centers and urged continued Commission leadership on integrating large loads reliably and affordably. She also called attention to refund liabilities related to unwinding SPP’s Attachment Z2 in the context of E7 on the consent agenda.

Votes and formal actions

FERC took a roll‑call style vote on the consent agenda (items E5–E10 and H1–H3) and recorded affirmative votes from the Commissioners present. The Commission then considered items E1–E4 together and recorded unanimous approval from the Commissioners in attendance.

Next steps and implementation

- NERC is directed to provide responsive modifications addressing supply‑chain risks within 18 months of the final rule on E4.

- The revised cold‑weather standard is effective Oct. 1, 2025, with biennial informational filings beginning Oct. 2026 and continuing through Oct. 2034 to evaluate the standard’s effectiveness and consistent application.

- The virtualization NOPR and SIP changes will proceed through notice‑and‑comment; FERC sought stakeholder input on eliminating certain technical‑feasibility exceptions and on how virtualization should be defined and secured under CIP.

The Commission adjourned after brief final remarks that reiterated the value of a full five‑member Commission and welcomed the nominees advancing through the Senate Energy and Natural Resources Committee.