NERC Critical Infrastructure Protection Standards — SP 800-53 Coverage
How well do NIST SP 800-53 Rev 5 controls address each NERC CIP requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.
Clause-by-Clause Analysis
CIP-002-7 BES Cyber System Categorization
Rationale
RA-02 security categorization provides a general framework for classifying systems by impact level. RA-03 risk assessment supports the analysis process for determining criticality. PM-07 enterprise architecture helps identify system boundaries and interdependencies. PM-11 mission/business process definition supports identification of critical BES functions. SC-07 boundary protection provides context for defining electronic perimeters around categorized systems. Together these controls address the intent of impact-based categorization but lack BES-specific methodology.
Gaps
NERC CIP-002 requires BES-specific impact rating methodology (high/medium/low) based on Bulk Electric System reliability criteria, NERC registration categories, and BES Cyber System/Asset identification criteria (including BES Cyber Assets, Protected Cyber Assets, and Electronic Access Control or Monitoring Systems). The NERC Glossary definitions and Attachment 1 criteria for high/medium impact ratings are sector-specific and not captured in SP 800-53.
CIP-003-9 Security Management Controls
Rationale
PL-01 planning policy and PL-02 system security plan establish the policy framework. PM-01 information security program provides the overarching governance structure. PM-02 senior information security officer designates the CIP Senior Manager equivalent role. PM-03 information security resources addresses budget and staffing. PM-09 risk management strategy covers the strategic governance layer. AC-01 access control policy and AT-01 training policy address the policy requirements for electronic/physical access and awareness. These controls collectively cover governance, policy documentation, and senior management accountability.
Gaps
CIP-003 requires BES-specific policy elements for low-impact BES Cyber Systems including Transient Cyber Asset and Removable Media management policies. The CIP Senior Manager designation with specific delegation authority requirements and the low-impact asset policy structure (Sections 1-5 of Attachment 1) are NERC-specific constructs not addressed in SP 800-53.
CIP-004-7 Personnel & Training
Rationale
AT-01 security awareness policy and AT-02 security awareness training address CIP-004 R1 security awareness requirements. AT-03 role-based training covers the CIP-specific training program for personnel with authorized access. AT-04 training records provides the documentation requirements. PS-01 through PS-07 comprehensively address personnel security: PS-01 policy, PS-02 position risk designation, PS-03 personnel screening (background checks), PS-04 personnel termination, PS-05 personnel transfer, PS-06 access agreements, PS-07 external personnel security. AC-02 account management covers authorization and access revocation. This is one of the strongest mappings due to the universal nature of personnel security controls.
Gaps
NERC CIP-004 requires specific Personnel Risk Assessment (PRA) criteria including 7-year criminal history checks, identity verification, and PRA updates every 7 years. The 24-hour access revocation requirement upon personnel termination and the specific quarterly review of user access are more prescriptive than SP 800-53 PS-family controls. BES-specific training content requirements (e.g., CIP Exceptional Circumstances) are not addressed.
CIP-005-7 Electronic Security Perimeter
Rationale
SC-07 boundary protection is the primary mapping, addressing perimeter definition, access control at boundaries, and monitoring. AC-04 information flow enforcement supports the inbound/outbound access permission controls at Electronic Access Points. AC-17 remote access covers the Interactive Remote Access (IRA) requirements including encryption and multi-factor authentication. AC-20 use of external systems addresses vendor remote access scenarios. IA-02 identification and authentication and IA-08 identification and authentication for non-organizational users support authentication at Electronic Access Points. CM-07 least functionality addresses disabling unnecessary ports and services.
Gaps
CIP-005 uses BES-specific architectural concepts: Electronic Security Perimeter (ESP), Electronic Access Points (EAPs), and Interactive Remote Access (IRA) with mandatory intermediate systems (jump hosts). The vendor remote access requirements (CIP-005 R2.4-R2.5) including session termination controls and the Dial-up Connectivity provisions are sector-specific. The routable vs. non-routable protocol distinctions in ESP boundary definitions are not addressed in SP 800-53.
CIP-006-6 Physical Security of BES Cyber Systems
Rationale
PE-01 physical and environmental protection policy establishes the Physical Security Plan equivalent. PE-02 physical access authorizations covers the authorization of individuals for unescorted physical access. PE-03 physical access control addresses Physical Access Control Systems (PACS) and multi-factor authentication at Physical Security Perimeter (PSP) access points. PE-04 access control for transmission medium and PE-05 access control for output devices address cabling and device-level protections. PE-06 monitoring physical access addresses alerting and logging of physical access events. PE-08 visitor access records supports the visitor control program. PE-16 delivery and removal covers equipment management. PE-18 location of information system components addresses facility siting considerations.
Gaps
CIP-006 defines Physical Security Perimeters (PSPs) with BES-specific requirements: two or more different physical access controls at PSP entry points, 90-day alarm/access log review cycles, PACS protection requirements (the PACS itself must be within a PSP), and visitor escort/logging requirements specific to BES facilities. The Defined Physical Boundary concept and six-wall barrier requirements for PSPs are sector-specific physical security constructs not in SP 800-53.
CIP-007-6 System Security Management
Rationale
CM-07 least functionality covers CIP-007 R1 ports and services management (disabling/restricting unnecessary logical ports). SI-02 flaw remediation maps to CIP-007 R2 security patch management including tracking, evaluating, and installing patches. SI-03 malicious code protection addresses CIP-007 R3 malware prevention including antivirus, application whitelisting, or other mitigation methods. SI-04 system monitoring and AU-02 audit events cover CIP-007 R4 security event monitoring including logging of authentication attempts and security events. AU-06 audit review, analysis, and reporting supports the log review requirements. AC-02 account management and AC-03 access enforcement address CIP-007 R5 system access controls including shared account management. IA-05 authenticator management covers password complexity and change requirements.
Gaps
CIP-007 prescribes a 35-calendar-day patch assessment cycle for applicable security patches and a specific mitigation plan process when patches cannot be installed. The Technical Feasibility Exception (TFE) process for legacy systems that cannot meet requirements is a NERC-specific compliance mechanism. BES-specific monitoring requirements include mandatory alerting for detected malicious code and specific event log retention periods (90 days online). Password parameters (8+ characters, complexity, 15-month change) are more prescriptive than SP 800-53 guidance.
CIP-008-6 Incident Reporting and Response Planning
Rationale
IR-01 incident response policy establishes the Cyber Security Incident Response Plan framework. IR-02 incident response training covers training requirements for incident response team members. IR-04 incident handling addresses the detection, analysis, containment, eradication, and recovery phases. IR-05 incident monitoring provides the tracking and documentation requirements. IR-06 incident reporting covers the general reporting requirements. IR-08 incident response plan provides the plan development, testing (annually), and update requirements. These controls comprehensively address the lifecycle of incident response planning and execution.
Gaps
CIP-008 mandates 1-hour reporting of Reportable Cyber Security Incidents to the Electricity Subsector Coordinating Center (E-ISAC) and CISA (formerly ICS-CERT). The definition of Reportable Cyber Security Incident (actual or attempted compromise of a BES Cyber System that compromises or disrupts reliability) is BES-specific. The 15-month plan testing cycle, specific reporting templates, and NERC lessons-learned requirements are sector-specific obligations not in SP 800-53.
CIP-009-6 Recovery Plans for BES Cyber Systems
Rationale
CP-01 contingency planning policy establishes the recovery plan governance framework. CP-02 contingency plan addresses the development of recovery plans specifying the conditions for activation, roles, and recovery procedures. CP-04 contingency plan testing covers the plan exercise requirements including paper drills, tabletop exercises, and operational exercises. CP-09 system backup addresses backup and storage of BES Cyber System information and configuration data. CP-10 system recovery and reconstitution covers the actual recovery procedures and restoration to operational state. IR-04 incident handling supports the coordination between incident response and recovery processes.
Gaps
CIP-009 requires BES-specific recovery plan activation conditions tied to BES reliability impacts and specifies a 15-month testing/exercise cycle. The standard requires testing information used for recovery (backup verification) including successful restoration of a representative BES Cyber System from backup. Data preservation requirements during recovery for forensic/compliance purposes and the specific 15-month exercise interval are more prescriptive than SP 800-53 CP-family controls.
CIP-010-4 Configuration Change Management and Vulnerability Assessments
Rationale
CM-02 baseline configuration establishes the documented baseline covering OS, firmware, ports/services, custom software, and security patches. CM-03 configuration change control addresses the change management process including authorization and documentation of changes. CM-04 security impact analysis covers the analysis of changes for potential security impacts before implementation. CM-06 configuration settings addresses the specific security-relevant configuration parameters. CM-08 system component inventory supports the asset identification and tracking requirements. RA-05 vulnerability assessment covers both the paper-based and active vulnerability assessments required by CIP-010. CA-08 penetration testing supports the active vulnerability assessment component.
Gaps
CIP-010 requires 35-calendar-day baseline deviation detection for unauthorized changes and a 15-month active vulnerability assessment cycle. The baseline configuration must specifically document five elements: OS/firmware, commercially available software, custom software, logical network accessible ports, and applied security patches. The Transient Cyber Asset management requirements (CIP-010 R4) including software verification and patching before connection are BES-specific requirements not in SP 800-53.
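The five-element baseline and the 35-calendar-day deviation window described above, exercised in an added example (not part of this analysis or of any NERC or NIST material): a documented baseline for a hypothetical asset is compared with an observed snapshot, deviations with no matching change record are flagged as unauthorized, and the time since the last check is tested against the window. All asset names, versions, ports and patch identifiers are constructed.

```python
from datetime import date

# The five elements CIP-010 R1 requires in a documented baseline; the
# keys are this example's own labels for them.
BASELINE_ELEMENTS = (
    "os_firmware", "commercial_software", "custom_software",
    "network_ports", "security_patches",
)
DEVIATION_WINDOW_DAYS = 35  # CIP-010 window for detecting unauthorized changes


def diff_baseline(baseline, observed):
    """Per-element additions and removals between the documented baseline
    and the observed state. Elements that match exactly are omitted."""
    deviations = {}
    for element in BASELINE_ELEMENTS:
        expected = set(baseline.get(element, ()))
        actual = set(observed.get(element, ()))
        added, removed = actual - expected, expected - actual
        if added or removed:
            deviations[element] = {"added": sorted(added), "removed": sorted(removed)}
    return deviations


def review_asset(baseline, observed, authorized_changes, last_check, today):
    """Split deviations into authorized (a change record exists) and
    unauthorized, and flag a review interval longer than the 35-day window."""
    deviations = diff_baseline(baseline, observed)
    unauthorized = [
        (element, item)
        for element, delta in deviations.items()
        for item in delta["added"] + delta["removed"]
        if (element, item) not in authorized_changes
    ]
    return {
        "deviations": deviations,
        "unauthorized": sorted(unauthorized),
        "review_overdue": (today - last_check).days > DEVIATION_WINDOW_DAYS,
    }


# Constructed sample data for a hypothetical BES Cyber Asset "relay-gw-01".
BASELINE = {
    "os_firmware": ["vendor-fw 4.2.1"],
    "commercial_software": ["hmi-suite 9.1"],
    "custom_software": ["relay-poller 1.0"],
    "network_ports": ["22/tcp", "502/tcp"],
    "security_patches": ["fw-patch-2024-01"],
}
OBSERVED = {
    "os_firmware": ["vendor-fw 4.2.1"],
    "commercial_software": ["hmi-suite 9.1"],
    "custom_software": ["relay-poller 1.0", "debug-agent 0.3"],   # not in baseline
    "network_ports": ["22/tcp", "23/tcp", "502/tcp"],             # telnet opened
    "security_patches": ["fw-patch-2024-01", "fw-patch-2024-02"], # has a change record
}
AUTHORIZED_CHANGES = {("security_patches", "fw-patch-2024-02")}
LAST_CHECK, TODAY = date(2024, 5, 1), date(2024, 6, 12)  # 42 days apart (constructed)


def demo():
    return review_asset(BASELINE, OBSERVED, AUTHORIZED_CHANGES, LAST_CHECK, TODAY)


if __name__ == "__main__":
    result = demo()
    for element, item in result["unauthorized"]:
        print(f"unauthorized change in {element}: {item}")
    print("review overdue:", result["review_overdue"])
```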
CIP-011-3 Information Protection
Rationale
MP-01 media protection policy establishes the information protection program framework. MP-02 media access addresses access restrictions to BES Cyber System Information (BCSI) storage locations. MP-04 media storage covers the protection requirements for stored BCSI. MP-06 media sanitization addresses the secure disposal of media containing BCSI through clearing, purging, or destruction. SC-28 protection of information at rest supports encryption and protection of stored BCSI. AC-03 access enforcement provides the logical access controls for BCSI in electronic form, restricting access to authorized personnel.
Gaps
CIP-011 defines BES Cyber System Information (BCSI) as a specific classification category encompassing network diagrams, floor plans, equipment layouts, IP addressing, and security configurations of BES Cyber Systems. The designated BCSI storage locations concept, BCSI access authorization and revocation procedures, and the requirement to prevent unauthorized retrieval of BCSI from disposed media are more specific than general SP 800-53 media protection. BCSI risk-based assessment for storage location changes is sector-specific.
CIP-012-1 Communications between Control Centers
Rationale
SC-08 transmission confidentiality and integrity directly addresses the protection of real-time Assessment and real-time monitoring data transmitted between Control Centers. SC-12 cryptographic key management covers the key establishment and management for encrypted control center communications. SC-13 cryptographic protection addresses the specific cryptographic mechanisms (encryption, hashing) used to protect data in transit. SC-23 session authenticity provides session integrity protections for communication channels between Control Centers.
Gaps
CIP-012 specifically addresses real-time data communications between Control Centers using protocols such as ICCP/TASE.2 (Inter-Control Center Communications Protocol). The standard focuses on real-time Assessment and real-time monitoring data availability requirements during cryptographic transitions, which must not disrupt BES reliability operations. The one-to-many communication topology of control center data exchange and the requirement to maintain real-time data availability during security mechanism changes are sector-specific requirements not addressed in SP 800-53.
CIP-013-2 Supply Chain Risk Management
Rationale
SR-01 supply chain risk management policy establishes the overarching supply chain cyber security risk management plan. SR-02 supply chain risk assessment addresses the identification and assessment of supply chain risks during procurement. SR-03 supply chain controls and processes covers the implementation of controls to mitigate identified supply chain risks. SR-05 acquisition strategies provides procurement-specific risk mitigation approaches. SR-06 supplier assessments and reviews supports ongoing vendor risk evaluation. SR-11 component authenticity covers software integrity and authenticity verification. SA-04 acquisition process addresses security requirements in procurement. SA-09 external system services covers vendor-provided services and third-party risk. SA-22 unsupported system components addresses end-of-life vendor product risks. CM-14 signed components ensures cryptographic verification of software and firmware integrity from vendors.
Gaps
CIP-013 requires BES-specific vendor notification obligations including vendor notification when remote/onsite access is no longer needed and vendor disclosure of known vulnerabilities. The standard requires a supply chain cyber security risk management plan that addresses six specific risk areas during procurement including software integrity/authenticity verification, vendor remote access controls, and vendor event notification processes. NERC supply chain risk assessment criteria specific to BES reliability impacts and the coordination with E-ISAC for supply chain threat intelligence are not captured in SP 800-53.
CIP-014-3 Physical Security
Rationale
PE-01 physical and environmental protection policy provides the physical security policy foundation. PE-03 physical access control addresses physical access controls at transmission stations and substations. PE-06 monitoring physical access covers the security monitoring and surveillance aspects. RA-03 risk assessment supports the threat and vulnerability assessment of identified critical facilities. RA-05 vulnerability assessment addresses the evaluation of physical security vulnerabilities. PM-12 insider threat program provides some coverage for the security personnel threat assessment aspects. However, significant sector-specific gaps reduce coverage substantially.
Gaps
CIP-014 is a transmission-specific physical security standard driven by FERC Order 802. It requires Transmission Owners to perform specific analyses: identification of critical Transmission stations/substations based on Instability, Uncontrolled Separation, or Cascading criteria (Section 501 of NERC Planning Standards). The mandatory third-party verification of physical security plans, the unaffiliated third-party threat assessment requirement, and geographic/electric system impact analysis for critical facilities are all sector-specific. The 120-day evaluation cycle and FERC-mandated risk criteria are unique to the electric sector and not addressed in SP 800-53.
CIP-015-1 Internal Network Security Monitoring (INSM)
Rationale
SI-04 system monitoring provides the general monitoring framework for detecting anomalous activity on internal networks. SC-07 boundary protection supports monitoring at network boundaries and internal segmentation points. CA-07 continuous monitoring addresses the ongoing assessment of security controls and network activity. IR-04 incident handling covers the response to anomalies detected through INSM. SC-48 sensor relocation supports the adaptive positioning of network monitoring sensors within BES trust zones. AU-06 audit review, analysis, and reporting covers the analysis of monitoring data for security events. While these controls address general monitoring concepts, INSM represents a significant expansion into east-west traffic analysis.
Gaps
CIP-015 is a new standard (approved 2024, compliance dates 2027-2030) requiring east-west traffic monitoring inside Electronic Security Perimeters that goes significantly beyond traditional boundary/perimeter monitoring. It mandates network visibility analytics for detecting lateral movement, anomalous internal traffic patterns, and unauthorized connections within BES trust zones. The BES-specific network baseline development, INSM data retention requirements, and the phased implementation timeline (high impact by 2027, medium impact by 2030) are sector-specific. The standard reflects lessons learned from sophisticated ICS-targeting threats (e.g., CRASHOVERRIDE, TRITON) that move laterally within OT networks after initial compromise. SP 800-53 monitoring controls focus primarily on boundary monitoring rather than comprehensive internal network traffic analysis.
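The east-west monitoring described above, as an added example that is not part of this analysis or of any NERC material: a constructed baseline of expected conversations inside one Electronic Security Perimeter is compared against constructed sensor flow records, unexpected internal flows are listed, and a source that reaches several internal hosts on administrative ports outside the baseline is reported as a lateral-movement suspect. Host names, ports and the fan-out threshold are this example's own assumptions.

```python
from collections import defaultdict

# Constructed baseline of expected east-west conversations inside one ESP,
# as (source host, destination host, destination port). Illustrative only.
BASELINE_FLOWS = {
    ("hmi-01", "rtu-gw-01", 502),
    ("hmi-01", "rtu-gw-02", 502),
    ("historian-01", "rtu-gw-01", 20000),
    ("historian-01", "rtu-gw-02", 20000),
}
# Ports whose unexpected use between internal hosts is treated as
# administrative access (assumed set, not a NERC list).
ADMIN_PORTS = {22, 23, 445, 3389}

# Constructed INSM sensor records in the form "src dst dport".
SAMPLE_FLOWS = """\
hmi-01 rtu-gw-01 502
hmi-01 rtu-gw-02 502
historian-01 rtu-gw-01 20000
eng-ws-03 rtu-gw-01 22
eng-ws-03 rtu-gw-02 22
eng-ws-03 historian-01 445
hmi-01 rtu-gw-02 502
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def analyze_flows(flows, baseline=BASELINE_FLOWS, admin_ports=ADMIN_PORTS,
                  fanout_threshold=2):
    """Return internal flows absent from the baseline, plus sources that
    reached at least `fanout_threshold` distinct hosts on admin ports
    outside the baseline (the lateral-movement pattern INSM is meant to catch)."""
    unexpected = sorted({flow for flow in flows if flow not in baseline})
    admin_targets = defaultdict(set)
    for src, dst, port in unexpected:
        if port in admin_ports:
            admin_targets[src].add(dst)
    suspects = sorted(src for src, targets in admin_targets.items()
                      if len(targets) >= fanout_threshold)
    return {"unexpected": unexpected, "lateral_movement_suspects": suspects}


if __name__ == "__main__":
    report = analyze_flows(parse_flows(SAMPLE_FLOWS))
    for src, dst, port in report["unexpected"]:
        print(f"unexpected internal flow: {src} -> {dst}:{port}")
    print("lateral movement suspects:", report["lateral_movement_suspects"])
```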
Methodology and Disclaimer
This coverage analysis maps from NERC CIP clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.
Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.
This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.