On March 19, 2026, the Federal Energy Regulatory Commission issued Order No. 919, approving a sweeping set of updates to the North American Electric Reliability Corporation Critical Infrastructure Protection (CIP) standards.
The immediate headline is straightforward: virtualization is now formally supported within CIP-regulated environments.
But that framing only scratches the surface.
What FERC has really done is move the standards further toward a model that prioritizes flexibility in implementation, while simultaneously increasing expectations around accountability and justification.
Aligning the Standards with Operational Reality
For much of their history, CIP standards have been closely tied to physical infrastructure. Systems were defined by hardware, security boundaries were relatively static, and compliance often centered on demonstrating that specific controls were applied to clearly defined assets.
That model still works. In many environments, it remains appropriate.
What has changed is the operating reality. Virtualization, shared infrastructure, and more dynamic system architectures are already in use across the industry. Order No. 919 aligns the standards with that reality, allowing utilities to adopt these approaches without forcing them into interpretive gray areas.
Importantly, nothing in the order requires utilities to adopt virtualization. Entities may continue operating within traditional architectures if that remains the best fit for their systems.
The shift is not about what utilities must do; it is about how they are expected to justify their choices.
From Prescriptive Controls to Defensible Outcomes
One of the more consequential aspects of this update is the continued movement away from prescriptive, control-specific requirements toward security objectives.
Under a prescriptive model, compliance often means demonstrating that a required control has been implemented. Under an objective-based model, utilities are expected to demonstrate that their approach achieves the desired outcome, even if the implementation differs from traditional methods.
That change introduces both flexibility and variability. Two utilities may take different approaches to the same requirement and both be compliant. The difference will come down to whether those approaches are clearly reasoned, consistently applied, and well documented.
“Per System Capability”: Not New, But Newly Central
One of the most important clarifications in this order is around the use of “per system capability.” This concept is not new to CIP. Variations of it already exist within current standards and have been used in limited contexts to account for system limitations.
What is new is its expanded role.
Under the approved changes, “per system capability” is being used more broadly and, more importantly, is positioned to replace much of the formal Technical Feasibility Exception (TFE) process.
Instead of relying on a structured, approval-based exception process, utilities will increasingly make internal determinations that a system cannot meet a requirement and implement alternative mitigations accordingly.
Why FERC Slowed This Down, But Didn’t Stop It
FERC did not reject this approach, but it was clearly cautious.
The Commission raised concerns that expanding “per system capability” without structure could reduce transparency and lead to inconsistent oversight across the industry.
Instead of mandating a full return to the TFE process, FERC directed NERC to establish guardrails around its application. These include setting criteria, requiring reporting, and increasing visibility into its use across registered entities.
The implication is clear: the process may be less formal, but it is not less accountable.
A Shift in Accountability
The practical effect of these changes is not the removal of accountability, but its relocation.
Previously, much of that burden was embedded in the structure of the standards themselves and in formal exception processes. Under the updated model, that burden moves more directly onto the utility.
When a requirement is not implemented because a system is deemed incapable, the organization must be prepared to demonstrate:
- why the system cannot meet the requirement
- how that determination was made
- what alternative controls have been implemented
- and how those controls mitigate the associated risk
This is a more flexible model, but also a more demanding one.
Flexibility Paired with Visibility
At the same time, recent FERC actions make it clear that increased flexibility does not equate to reduced expectations. In parallel with these changes, FERC has emphasized the importance of internal visibility (particularly in lower impact environments), reinforcing that utilities must be able to detect and understand activity within their networks, not just control access at the perimeter.
Taken together, these actions suggest that while implementation flexibility is expanding, expectations around situational awareness and security effectiveness are increasing.
Implications for Audit and Oversight
Because “per system capability” is being applied more broadly, there is limited precedent for how it will be evaluated in audits.
In the near term, utilities should expect audit discussions to focus heavily on decision-making and consistency. Auditors will not simply be looking for the presence of controls, but for the reasoning behind them and how effectively they address risk.
Variation across regions and audit teams is likely in the early stages. Over time, expectations will mature, but early implementations will help define how this concept is interpreted across the industry.
Virtualization as a Catalyst
Virtualization is what prompted these updates, but it is not the end state.
The broader objective is to enable utilities to operate securely in environments that are no longer defined by fixed hardware boundaries. These environments introduce new considerations such as shared infrastructure, dynamic system placement, and evolving attack surfaces, but they also offer increased flexibility and resilience.
The updated standards recognize that reality. The expectation is that utilities can manage these environments effectively and explain how they are doing so.
Looking Ahead
Order No. 919 demonstrates ongoing progress in the management of cybersecurity within the Bulk Electric System. The standards are becoming more flexible and better aligned with modern technology, while also emphasizing the importance of thorough internal decision-making.
For utilities, the way forward is not just about adopting new technologies. It’s about strengthening governance, making sure decisions are based on risk, and documenting them clearly, consistently, and in a way that can be defended.
Final Thought
FERC did not introduce flexibility without conditions. It expanded flexibility while making it clear that clarity, consistency, and visibility will be expected in return.
Utilities now have more freedom in how they design and secure their environments. The tradeoff is that they must be able to explain (and defend) those decisions at a much higher level than before.
That is the real shift.