
NERC CIP Roadmap 2026: What’s Changing, What’s Next, and How Quantification Extends Sector Priorities into Entity-Specific Decisions

Perspective for OT cybersecurity leaders, CIP compliance teams, and senior decision makers

 

Executive takeaways

  • The Roadmap is not a new Reliability Standard; it is a risk-informed blueprint for how CIP-related standards work and guidance may evolve.[1]
  • NERC’s assessment is explicitly qualitative and reliability-focused—useful for sector prioritization, but not sufficient by itself for site-specific investment decisions.
  • Near-term emphasis areas include extending MFA for interactive remote access, strengthening foundational cyber hygiene baselines, and improving protections for telecom-dependent control communications.
  • Quantitative, entity-specific modeling can complement the Roadmap by translating sector priorities into scenario likelihood and impact distributions that support governance and capital allocation decisions.[4]

 

Why NERC issued the CIP Roadmap

In its January 2026 Critical Infrastructure Protection (CIP) Roadmap, NERC describes a Bulk Power System (BPS) that is becoming more dynamic, interconnected, and digitized—and therefore more exposed to sophisticated threats. NERC’s starting point is not that existing CIP requirements are failing; rather, it notes that “the sector’s operating environment has changed faster than the standards’ scope and cadence of revisions.”

A central implication is that many operational dependencies relevant to reliability are increasingly found in low-impact systems, third-party operated pathways, and technology categories that have historically sat outside the strongest baseline CIP requirements. This is a risk and governance issue: aggregation and interdependence can allow small compromises to create larger effects.

 

What the Roadmap does—and what it does not

The Roadmap is not a revision of enforceable CIP Reliability Standards. Instead, it summarizes a structured, risk-based process used to identify priority risks and map them to possible standards modifications, studies, and guidance development.

As Ampyx Cyber observes, the Roadmap is “not a compliance guide… [but] a forward-looking regulatory blueprint for how CIP must evolve.”[2]

The key artifacts are:

  • A risk registry supported by hypothetical scenarios (Appendix A, Table A.2).
  • A scoring framework built on Likelihood, Impact, and Mitigation maturity (Appendix B, Table B.1), including a scoring formula and results (Table B.2).
  • An industry survey used to validate prioritization and weight results (Appendix A).

NERC is explicit about limitations: “The framework is a qualitative model at its core…” and resulting scores should be treated as categorical indicators rather than precise rankings. NERC also states: “This assessment excluded financial or reputational effects to maintain focus on system reliability.”

 

Major themes and likely standards directions

From the risk analysis and survey results, NERC identifies cross-cutting control themes with broad mitigation value across multiple risk categories.

Multi-factor authentication (MFA)

NERC recommends near-term standards work to extend MFA for interactive remote access—particularly where low-impact systems and vendor-managed remote access paths remain outside minimum baselines.

Foundational cyber hygiene

NERC highlights persistent gaps in foundational controls such as asset identification, configuration/change management, defensible network topologies, vulnerability management, and disciplined patching. It also signals interest in evaluating whether baseline expectations should be strengthened for low-impact environments.

Protection of telecom-dependent control communications

NERC emphasizes risks tied to leased or carrier-provided telecom dependencies used for SCADA/AGC data, including legacy protocols that may traverse unencrypted links outside current CIP-012 scope.[6] In that context, NERC calls for expanding confidentiality and integrity protections beyond control-center-to-control-center links.

The Roadmap cautions that “improving grid security does not mean layering new compliance requirements indiscriminately,” emphasizing targeted, risk-driven evolution of CIP.

 

Compliance reality: standards are mandatory once adopted

One reason the Roadmap is consequential is that its recommended actions are designed to drive future standards development. For entities and assets that become in-scope through future Reliability Standards changes, compliance is not optional: it becomes a regulated obligation subject to audit and enforcement.

FERC notes that violations of mandatory Reliability Standards can be subject to civil penalties “of up to $1 million per day per violation.”[3]

This is why the Roadmap should be read primarily as a policy and standards trajectory document—not as a discussion of optional risk-reduction best practices.

 

Why sector-level scoring is not enough for entity-specific decisions

NERC’s industry survey and qualitative scoring are well-suited to initiating action and aligning the sector on what to address first. However, an industry-wide survey produces a thematic view of risk: it reflects average judgments across diverse operational contexts.

Site-specific decision making is different. Individual Responsible Entities have unique architectures, remote access pathways, telecom dependencies, restoration capabilities, and compensating controls; those factors influence likelihood and impact for the same scenario.

Even within the Roadmap’s qualitative framework, NERC’s likelihood rubric explicitly considers exposure/attack surface and the degree of existing preventive control coverage—factors that vary materially between entities.

 

DeNexus perspective: extending the Roadmap with cyber risk quantification

This section reflects the DeNexus perspective. It does not represent NERC guidance or a NERC requirement.

A practical way to extend the Roadmap for governance and investment decisions is to preserve its scenario-based structure (risk registry, impact framing, and emphasis on aggregation) while replacing the qualitative 1–5 scoring with probabilistic modeling and calibrated estimation.

In quantitative cyber risk models, likelihood is not a single point estimate. It is a distribution that captures both high-frequency/low-impact events and low-frequency/high-impact tail events. Impact is likewise represented as a distribution rather than a single severity label.

Short-tail vs long-tail (illustrative framing)

  • Short-tail (high-frequency/low-impact): frequent credential misuse attempts against remote access systems that are usually contained quickly, producing limited operational effect.
  • Long-tail (low-frequency/high-impact): rare but severe events involving correlated compromise across shared vendors, telecom dependencies, or common remote access tooling—creating the aggregation effects NERC emphasizes. This is also the domain where rare (so-called black swan) events, equipment damage, harm to people, and other catastrophic outcomes are modeled.

NIST’s risk assessment guidance recognizes that risk assessments can be implemented using qualitative, quantitative, or semi-quantitative methods depending on purpose, assumptions, and constraints.[4] For entity-specific investment tradeoffs, financial quantitative methods can provide decision-grade comparisons when supported by appropriate data and expert-calibrated estimation.
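The following is an added, constructed example (not DeNexus platform code and not part of the NERC Roadmap) showing what “likelihood as a distribution” and “impact as a distribution” look like in practice. It models each scenario as a compound process: a Poisson event frequency per year combined with a lognormal loss per event, then runs a Monte Carlo simulation to produce an annual loss distribution, its expectation (ALE), percentiles, and a loss-exceedance table. The two scenarios, their rates, medians, sigma values, and the 70% control effectiveness attributed to MFA are all illustrative assumptions chosen to mirror the short-tail and long-tail framing above; they are not calibrated estimates for any entity.

```python
"""Constructed Monte Carlo example: annual loss distributions for a short-tail
and a long-tail scenario.  All parameters are illustrative, not entity data."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float                  # expected events per year (Poisson frequency)
    impact_median: float                # median loss per event in USD (lognormal impact)
    impact_sigma: float                 # lognormal sigma; larger values mean a heavier tail
    control_effectiveness: float = 0.0  # fraction of events a control prevents, 0..1


# Constructed scenarios mirroring the short-tail / long-tail framing.
SHORT_TAIL = Scenario("credential misuse against remote access", 12.0, 25_000, 0.6)
LONG_TAIL = Scenario("correlated vendor / telecom compromise", 0.05, 8_000_000, 1.2)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplicative method; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def annual_loss(rng: random.Random, s: Scenario) -> float:
    """One simulated year: Poisson event count, lognormal loss per event."""
    effective_rate = s.annual_rate * (1.0 - s.control_effectiveness)
    n_events = poisson(rng, effective_rate)
    mu = math.log(s.impact_median)  # lognormal median == exp(mu)
    return sum(rng.lognormvariate(mu, s.impact_sigma) for _ in range(n_events))


def simulate(scenarios, trials: int = 10_000, seed: int = 7) -> list:
    """Aggregate annual loss across scenarios for `trials` simulated years."""
    rng = random.Random(seed)
    return [sum(annual_loss(rng, s) for s in scenarios) for _ in range(trials)]


def expected_ale(s: Scenario) -> float:
    """Closed-form annualized loss expectation for the compound Poisson-lognormal model."""
    effective_rate = s.annual_rate * (1.0 - s.control_effectiveness)
    return effective_rate * s.impact_median * math.exp(s.impact_sigma ** 2 / 2)


def percentile(values, q: float) -> float:
    """Nearest-rank percentile (q in 0..100)."""
    ordered = sorted(values)
    rank = math.ceil(q / 100 * len(ordered))
    return ordered[min(len(ordered) - 1, max(0, rank - 1))]


def loss_exceedance(values, thresholds) -> dict:
    """Probability that simulated annual loss meets or exceeds each threshold."""
    n = len(values)
    return {t: sum(1 for v in values if v >= t) / n for t in thresholds}


def summarize(values) -> dict:
    """Point summary of a simulated annual loss distribution."""
    return {
        "ale": sum(values) / len(values),
        "p50": percentile(values, 50),
        "p95": percentile(values, 95),
        "p99": percentile(values, 99),
    }


if __name__ == "__main__":
    # Hypothetical control: MFA on remote access prevents 70% of short-tail events.
    short_with_mfa = replace(SHORT_TAIL, control_effectiveness=0.7)
    for label, scen in (("short tail", [SHORT_TAIL]),
                        ("short tail + MFA", [short_with_mfa]),
                        ("long tail", [LONG_TAIL]),
                        ("combined", [SHORT_TAIL, LONG_TAIL])):
        s = summarize(simulate(scen))
        print(f"{label:18} ALE=${s['ale']:>12,.0f}  P50=${s['p50']:>12,.0f}  "
              f"P95=${s['p95']:>12,.0f}  P99=${s['p99']:>12,.0f}")
    lec = loss_exceedance(simulate([SHORT_TAIL, LONG_TAIL]), [1e6, 1e7, 5e7])
    for t, p in lec.items():
        print(f"P(annual loss >= ${t:,.0f}) = {p:.3%}")
```

Two things the output makes visible that a 1–5 score cannot: the long-tail scenario has a median annual loss of zero (most years nothing happens) yet dominates the P99 and the exceedance table, which is the aggregation and tail risk the Roadmap asks entities to take seriously; and a control modeled as reducing event frequency (MFA here) shifts the short-tail ALE in a way that can be compared directly against the control's cost.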

 

Conclusion

NERC’s CIP Roadmap provides a structured, reliability-centered assessment of emerging risk and a targeted plan for evolving the CIP framework. Its value is clearest as a sector alignment instrument: it identifies where grid operating realities are outpacing existing baselines and where standards work is most likely to focus next.

For Responsible Entities and senior decision makers, the next step is translating sector priorities into site-specific decisions. Quantification can complement the Roadmap by producing scenario likelihood and impact distributions that reflect each entity’s controls, exposures, and operational constraints—and by making aggregation and tail risk explicit in a form leaders can govern.

 

Relevant DeNexus Products

DeNexus’ CRQ platform provides cyber risk quantification methods and analytics for operational technology environments. In the context of the Roadmap, our objective is to extend a sound, structured sector framework into entity-specific, decision-ready risk analysis that allows entities to understand the real risk to their business and the financial impact on their bottom line ahead of the mandatory compliance requirements placed upon them.

 

References

[1] NERC, “NERC Critical Infrastructure Protection Roadmap,” January 2026. URL: https://www.nerc.com/globalassets/our-work/reports/special-reports/nerc_cip_roadmap_01122026.pdf

[2] Patrick Miller, Ampyx Cyber, “NERC’s CIP Roadmap and the Future of Grid Cybersecurity,” January 13, 2026. URL: https://ampyxcyber.com/blog/nercs-cip-roadmap-and-the-future-of-grid-cybersecurity

[3] Federal Energy Regulatory Commission (FERC), “Enforcement Reliability.” URL: https://www.ferc.gov/enforcement-reliability

[4] NIST, Special Publication 800-30 Rev. 1, “Guide for Conducting Risk Assessments,” 2012. URL: https://csrc.nist.gov/pubs/sp/800/30/r1/final

[5] NERC Reliability Standard CIP-005-7, “Cyber Security — Electronic Security Perimeter(s).” URL: https://www.nerc.com/globalassets/standards/reliability-standards/cip/cip-005-7.pdf

[6] NERC Reliability Standard CIP-012-1, “Cyber Security — Communications between Control Centers.” URL: https://www.nerc.com/globalassets/standards/reliability-standards/cip/cip-012-1.pdf

[7] CISA, Cybersecurity Advisory AA25-239A (Salt Typhoon). URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

[8] NERC Newsroom, “Targeting Actions to Address Emerging Risks is Focus of CIP Roadmap.” URL: https://www.nerc.com/newsroom/targeting-actions-to-address-emerging-risks-is-focus-of-cip-roadmap