
Initial Performance of Recurring CIP Standard Requirements

Several requirements within the suite of NERC Critical Infrastructure Protection (CIP) Reliability Standards mandate periodic implementation of preventative and detective controls to strengthen the security posture of BES Cyber Systems (BCS).

This article identifies the CIP requirements that contain recurring controls and clarifies initial performance expectations to help ensure those controls are performed on or before the date new BCS become applicable.

Requirements with Recurring Controls

Recurring controls are found in CIP requirements that contain performance intervals such as:

  • “at least once every 15 calendar months,” or
  • “at least once every 35 calendar days.”

The following sections will walk through two specific examples of initial performance for recurring control requirements. Table 1 below provides a broader catalog.

While the ERO Enterprise has previously released guidance to define the ongoing periodicity used in recurring requirements, this article reviews how the initial compliance dates are established when new BCS are first introduced.

The key to compliance with recurring requirements is:

On the commissioning date of a new applicable BCS, or the effective date of a new requirement, an entity must be able to demonstrate that it has implemented the required controls.

Example 1: CIP-010-4 R2, Part 2.1

Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.

Baseline monitoring helps detect unauthorized changes to a BCS.

When a new BCS is commissioned (the date the BCS becomes an applicable system), the expectation is that its baseline configuration is already under monitoring. That means a baseline monitoring check must have occurred on the commissioning date or within the 35 calendar days before the BCS is placed into service.

Commissioning a new BCS or a new requirement becoming effective does not start the compliance clock for the recurring interval. Instead, the first instance of a recurring requirement must be satisfied at or before commissioning.

Example 2: CIP-006-6 R3, Part 3.1

Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly.

Maintenance and testing of Physical Access Control Systems (PACS) is a preventative control to secure BCS against unauthorized physical access.

Consider the installation of a new applicable PACS.

On the date of commissioning, an entity must be able to demonstrate that maintenance and testing to ensure proper function has already occurred within the prior 24 calendar months. In practice this is a low bar: a PACS should not be placed into service, let alone operate for 24 calendar months, without first verifying that it functions properly.
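The rule illustrated by both examples above (the first performance must fall on the commissioning date or within one interval before it, and only then does the ongoing clock run from that performance) can be turned into an onboarding readiness check. The script below is an added example, not MRO or NERC material: the control selection and the onboarding dates are constructed, and the day-of-month handling for "calendar months" is an assumption made for illustration, not a statement of the ERO Enterprise periodicity guidance the article refers to.

```python
"""Initial-performance check for recurring CIP controls when onboarding a BCS.

Added example (not MRO or NERC material). The control list, the evidence dates
and the day-of-month rule for "calendar months" are constructed assumptions;
the interval lengths themselves are quoted from Table 1 of the article.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RecurringControl:
    requirement: str   # e.g. "CIP-010-4 R2.1"
    interval: int      # length of the recurring interval
    unit: str          # "days" (calendar days) or "months" (calendar months)


@dataclass(frozen=True)
class InitialPerformanceResult:
    requirement: str
    window_start: date            # earliest acceptable date for the first performance
    last_performed: Optional[date]
    satisfied: bool               # performed on or before commissioning, inside the window
    next_due: Optional[date]      # due date of the next instance, if a performance exists


def shift_months(d: date, months: int) -> date:
    """Move `d` by a signed number of calendar months, keeping the day of month and
    clamping to the last day when the target month is shorter. ASSUMPTION: this
    day-exact rule is illustrative; apply the ERO Enterprise periodicity guidance."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def window_start(control: RecurringControl, commissioning: date) -> date:
    """Earliest date on which the initial performance may have occurred so that the
    control is still within its interval on the commissioning date."""
    if control.unit == "days":
        return commissioning - timedelta(days=control.interval)
    if control.unit == "months":
        return shift_months(commissioning, -control.interval)
    raise ValueError(f"unknown interval unit: {control.unit!r}")


def next_due(control: RecurringControl, performed_on: date) -> date:
    """Latest date for the next performance after one on `performed_on`."""
    if control.unit == "days":
        return performed_on + timedelta(days=control.interval)
    return shift_months(performed_on, control.interval)


def initial_performance_satisfied(control: RecurringControl, commissioning: date,
                                  last_performed: Optional[date]) -> bool:
    """Commissioning does not start the clock: the first instance must already have
    happened, on the commissioning date or within one interval before it."""
    if last_performed is None:
        return False
    return window_start(control, commissioning) <= last_performed <= commissioning


def onboarding_report(controls: List[RecurringControl], commissioning: date,
                      evidence: Dict[str, Optional[date]]) -> List[InitialPerformanceResult]:
    """Evaluate every recurring control against the evidence gathered for a new BCS."""
    results = []
    for control in controls:
        performed = evidence.get(control.requirement)
        ok = initial_performance_satisfied(control, commissioning, performed)
        results.append(InitialPerformanceResult(
            requirement=control.requirement,
            window_start=window_start(control, commissioning),
            last_performed=performed,
            satisfied=ok,
            next_due=next_due(control, performed) if ok else None,
        ))
    return results


# Intervals quoted from Table 1; the selection is illustrative, not the whole table.
CONTROLS = [
    RecurringControl("CIP-010-4 R2.1", 35, "days"),    # baseline change monitoring
    RecurringControl("CIP-007-6 R2.2", 35, "days"),    # security patch evaluation
    RecurringControl("CIP-010-4 R3.1", 15, "months"),  # paper or active vulnerability assessment
    RecurringControl("CIP-006-6 R3.1", 24, "months"),  # PACS maintenance and testing
]

# Constructed evidence for a hypothetical BCS commissioned on 2025-06-15.
COMMISSIONING = date(2025, 6, 15)
EVIDENCE: Dict[str, Optional[date]] = {
    "CIP-010-4 R2.1": date(2025, 6, 2),   # monitored 13 days before commissioning: in window
    "CIP-007-6 R2.2": None,               # never evaluated: gap
    "CIP-010-4 R3.1": date(2025, 4, 1),   # assessed during staging: in window
    "CIP-006-6 R3.1": date(2023, 5, 30),  # tested just over 24 months earlier: gap
}

if __name__ == "__main__":
    for r in onboarding_report(CONTROLS, COMMISSIONING, EVIDENCE):
        status = "OK " if r.satisfied else "GAP"
        print(f"{status} {r.requirement:<15} window from {r.window_start}  "
              f"last {r.last_performed}  next due {r.next_due}")
```

Any control reported as GAP must be performed before the BCS is placed into service; the CIP-006-6 R3.1 case shows that evidence only slightly older than the interval still leaves the entity unable to demonstrate compliance on day one.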

Understanding Compliance Expectations Associated with Initial Performance

Recurring requirements will help an entity mitigate the risk of vulnerabilities being introduced when onboarding BES Cyber Assets. Entities should review onboarding processes for alignment with this guidance for the currently effective standards and requirements listed in Table 1.

Security considerations when onboarding new cyber assets were a topic of discussion at MRO’s 2025 RAM Conference. The onboarding presentation can be found here.

Table 1 – CIP Recurring Interval Requirements

NERC standards are subject to revision, so this table should not be considered exhaustive. CIP-004 has been excluded because its recurring intervals target personnel and access management rather than BCS.

Requirement  |  Recurring Interval Language

CIP-002-5.1a R2
  • Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
  • Have its CIP Senior Manager or delegate approve the identifications required by Requirement R1 at least once every 15 calendar months, even if it has no identified items in Requirement R1.

CIP-003-8 R1
  Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [see 1.1 and 1.2]

CIP-006-6 R3.1
  Maintenance and testing of each Physical Access Control System and locally mounted hardware or devices at the Physical Security Perimeter at least once every 24 calendar months to ensure they function properly.

CIP-007-6 R2.2
  At least once every 35 calendar days, evaluate security patches for applicability that have been released since the last evaluation from the source or sources identified in Part 2.1.

CIP-007-6 R5.6
  Where technically feasible, for password-only authentication for interactive user access, either technically or procedurally enforce password changes or an obligation to change the password at least once every 15 calendar months.

CIP-008-6 R2.1
  Test each Cyber Security Incident response plan(s) at least once every 15 calendar months:
  • By responding to an actual Reportable Cyber Security Incident;
  • With a paper drill or tabletop exercise of a Reportable Cyber Security Incident; or
  • With an operational exercise of a Reportable Cyber Security Incident.

CIP-009-6 R2.1
  Test each of the recovery plans referenced in Requirement R1 at least once every 15 calendar months:
  • By recovering from an actual incident;
  • With a paper drill or tabletop exercise; or
  • With an operational exercise.

CIP-009-6 R2.2
  Test a representative sample of information used to recover BES Cyber System functionality at least once every 15 calendar months to ensure that the information is useable and is compatible with current configurations. An actual recovery that incorporates the information used to recover BES Cyber System functionality substitutes for this test.

CIP-009-6 R2.3
  Test each of the recovery plans referenced in Requirement R1 at least once every 36 calendar months through an operational exercise of the recovery plans in an environment representative of the production environment. An actual recovery response may substitute for an operational exercise.

CIP-010-4 R2.1
  Monitor at least once every 35 calendar days for changes to the baseline configuration (as described in Requirement R1, Part 1.1). Document and investigate detected unauthorized changes.

CIP-010-4 R3.1
  At least once every 15 calendar months, conduct a paper or active vulnerability assessment.

CIP-010-4 R3.2
  Where technically feasible, at least once every 36 calendar months:
  3.2.1 Perform an active vulnerability assessment in a test environment, or perform an active vulnerability assessment in a production environment where the test is performed in a manner that minimizes adverse effects, that models the baseline configuration of the BES Cyber System in a production environment; and
  3.2.2 Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments.

CIP-013-2 R3
  Each Responsible Entity shall review and obtain CIP Senior Manager or delegate approval of its supply chain cyber security risk management plan(s) specified in Requirement R1 at least once every 15 calendar months.

CIP-014-3 R1
  Each Transmission Owner shall perform an initial risk assessment and subsequent risk assessments of its Transmission stations and Transmission substations (existing and planned to be in service within 24 months) that meet the criteria specified in Applicability Section 4.1.1. The initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.
  1.1. Subsequent risk assessments shall be performed:
  • At least once every 30 calendar months for a Transmission Owner that has identified in its previous risk assessment (as verified according to Requirement R2) one or more Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection; or
  • At least once every 60 calendar months for a Transmission Owner that has not identified in its previous risk assessment (as verified according to Requirement R2) any Transmission stations or Transmission substations that if rendered inoperable or damaged could result in instability, uncontrolled separation, or Cascading within an Interconnection.
  1.2. The Transmission Owner shall identify the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment.

Initial performance of recurring CIP requirements is not optional: it must occur on or before the date a new BCS, or any other system in scope of the requirement, becomes applicable.

By aligning onboarding processes with this expectation, entities ensure continuous compliance from the moment systems enter service and reduce exposure to security vulnerabilities.

For further questions or clarification, please contact [email protected].