NERC Critical Infrastructure Protection Standards

Mandatory reliability standards for the Bulk Electric System (BES) in North America. The 14 CIP standards (CIP-002 through CIP-015) cover BES Cyber System categorization, security management controls, personnel and training, electronic security perimeters, physical security, system security management, incident reporting, recovery plans, configuration and vulnerability management, information protection, control center communications, supply chain risk management, transmission station physical security, and internal network security monitoring (INSM). Compliance is mandatory and enforced by NERC, and violations are subject to penalties.

AC Access Control

Control  Name                                    NERC CIP References
AC-01    Access Control Policies and Procedures  CIP-003-9
AC-02    Account Management                      CIP-004-7, CIP-007-6
AC-03    Access Enforcement                      CIP-007-6, CIP-011-3
AC-04    Information Flow Enforcement            CIP-005-7
AC-17    Remote Access                           CIP-005-7
AC-20    Use Of External Information Systems     CIP-005-7

AT Awareness and Training

Control  Name                                                   NERC CIP References
AT-01    Security Awareness And Training Policy And Procedures  CIP-003-9, CIP-004-7
AT-02    Security Awareness                                     CIP-004-7
AT-03    Security Training                                      CIP-004-7
AT-04    Security Training Records                              CIP-004-7

AU Audit and Accountability

Control  Name                                        NERC CIP References
AU-02    Auditable Events                            CIP-007-6
AU-06    Audit Monitoring, Analysis, And Reporting   CIP-007-6, CIP-015-1

CA Security Assessment and Authorization

Control  Name                    NERC CIP References
CA-07    Continuous Monitoring   CIP-015-1
CA-08    Penetration Testing     CIP-010-4

CM Configuration Management

Control  Name                                     NERC CIP References
CM-02    Baseline Configuration                   CIP-010-4
CM-03    Configuration Change Control             CIP-010-4
CM-04    Monitoring Configuration Changes         CIP-010-4
CM-06    Configuration Settings                   CIP-010-4
CM-07    Least Functionality                      CIP-005-7, CIP-007-6
CM-08    Information System Component Inventory   CIP-010-4
CM-14    Signed Components                        CIP-013-2

CP Contingency Planning

Control  Name                                             NERC CIP References
CP-01    Contingency Planning Policy And Procedures       CIP-009-6
CP-02    Contingency Plan                                 CIP-009-6
CP-04    Contingency Plan Testing And Exercises           CIP-009-6
CP-09    Information System Backup                        CIP-009-6
CP-10    Information System Recovery And Reconstitution   CIP-009-6

IA Identification and Authentication

Control  Name                                                          NERC CIP References
IA-02    User Identification And Authentication                        CIP-005-7
IA-05    Authenticator Management                                      CIP-007-6
IA-08    Identification and Authentication (Non-Organizational Users)  CIP-005-7

IR Incident Response

Control  Name                                       NERC CIP References
IR-01    Incident Response Policy And Procedures    CIP-008-6
IR-02    Incident Response Training                 CIP-008-6
IR-04    Incident Handling                          CIP-008-6, CIP-009-6, CIP-015-1
IR-05    Incident Monitoring                        CIP-008-6
IR-06    Incident Reporting                         CIP-008-6
IR-08    Incident Response Plan                     CIP-008-6

MP Media Protection

Control  Name                                      NERC CIP References
MP-01    Media Protection Policy And Procedures    CIP-011-3
MP-02    Media Access                              CIP-011-3
MP-04    Media Storage                             CIP-011-3
MP-06    Media Sanitization And Disposal           CIP-011-3

PE Physical and Environmental Protection

Control  Name                                                         NERC CIP References
PE-01    Physical And Environmental Protection Policy And Procedures  CIP-006-6, CIP-014-3
PE-02    Physical Access Authorizations                               CIP-006-6
PE-03    Physical Access Control                                      CIP-006-6, CIP-014-3
PE-04    Access Control For Transmission Medium                       CIP-006-6
PE-05    Access Control For Display Medium                            CIP-006-6
PE-06    Monitoring Physical Access                                   CIP-006-6, CIP-014-3
PE-08    Access Records                                               CIP-006-6
PE-16    Delivery And Removal                                         CIP-006-6
PE-18    Location Of Information System Components                    CIP-006-6

PL Planning

Control  Name                                       NERC CIP References
PL-01    Security Planning Policy And Procedures    CIP-003-9
PL-02    System Security Plan                       CIP-003-9

PM Program Management

Control  Name                                               NERC CIP References
PM-01    Information Security Program Plan                  CIP-003-9
PM-02    Information Security Program Leadership Role       CIP-003-9
PM-03    Information Security and Privacy Resources         CIP-003-9
PM-07    Enterprise Architecture                            CIP-002-7
PM-09    Risk Management Strategy                           CIP-003-9
PM-11    Mission and Business Process Definition            CIP-002-7
PM-12    Insider Threat Program                             CIP-014-3

PS Personnel Security

Control  Name                                        NERC CIP References
PS-01    Personnel Security Policy And Procedures    CIP-004-7
PS-02    Position Categorization                     CIP-004-7
PS-03    Personnel Screening                         CIP-004-7
PS-04    Personnel Termination                       CIP-004-7
PS-05    Personnel Transfer                          CIP-004-7
PS-06    Access Agreements                           CIP-004-7
PS-07    Third-Party Personnel Security              CIP-004-7

RA Risk Assessment

Control  Name                       NERC CIP References
RA-02    Security Categorization    CIP-002-7
RA-03    Risk Assessment            CIP-002-7, CIP-014-3
RA-05    Vulnerability Scanning     CIP-010-4, CIP-014-3

SA System and Services Acquisition

Control  Name                                    NERC CIP References
SA-04    Acquisitions                            CIP-013-2
SA-09    External Information System Services    CIP-013-2
SA-22    Unsupported System Components           CIP-013-2

SC System and Communications Protection

Control  Name                                              NERC CIP References
SC-07    Boundary Protection                               CIP-002-7, CIP-005-7, CIP-015-1
SC-08    Transmission Integrity                            CIP-012-1
SC-12    Cryptographic Key Establishment And Management    CIP-012-1
SC-13    Use Of Cryptography                               CIP-012-1
SC-23    Session Authenticity                              CIP-012-1
SC-28    Protection of Information at Rest                 CIP-011-3
SC-48    Sensor Relocation                                 CIP-015-1

SI System and Information Integrity

Control  Name                                                  NERC CIP References
SI-02    Flaw Remediation                                      CIP-007-6
SI-03    Malicious Code Protection                             CIP-007-6
SI-04    Information System Monitoring Tools And Techniques    CIP-007-6, CIP-015-1

SR Supply Chain Risk Management

Control  Name                                             NERC CIP References
SR-01    Policy and Procedures                            CIP-013-2
SR-02    Supply Chain Risk Management Plan                CIP-013-2
SR-03    Supply Chain Controls and Processes              CIP-013-2
SR-05    Acquisition Strategies, Tools, and Methods       CIP-013-2
SR-06    Supplier Assessments and Reviews                 CIP-013-2
SR-11    Component Authenticity                           CIP-013-2