by Sean Thompson, NERC Supervisor
Each year, the ERO Enterprise CMEP Implementation Plan signals the reliability and compliance risks that Compliance Enforcement Authorities (CEAs) are most likely to probe. For Generator Owners (GOs) and Generator Operators (GOPs), the goal isn’t guessing what you’ll be audited on—it’s translating those themes into requirement-level controls and being able to produce clear, traceable evidence on demand.
Remote Connectivity: Prove the Pathway Is Controlled
Remote connectivity remains a high-interest area because it expands cyber exposure and operational complexity. If you have applicable BES Cyber Systems, be ready to show that governance and implementation match: program direction under CIP-003-9 R2, electronic access control and monitoring under CIP-005-7 R2, and interactive remote access management under CIP-005-7 R3. Where applicable, demonstrate protections for communications links consistent with CIP-012-1 R1. Start with a defensible inventory of every remote pathway (VPNs, jump hosts, vendor/OEM tools, cloud portals, break-glass methods), then be ready to show who approves access, how access is revoked, and how monitoring outputs are reviewed and retained.
Supply Chain: Where Low Impact Programs See It Most
Supply chain risk is often most visible at generation through vendor support: remote diagnostics, software updates, managed services, and “temporary” access that becomes permanent. While CIP-013 is the standard that directly addresses supply chain risk management, CIP-003-9 also plays a meaningful role—especially for Low Impact programs—because it drives how you govern and control vendor electronic remote access. Your cyber security policies should address vendor electronic remote access security controls (CIP-003-9 R1 Part 1.2.6), and you should be able to demonstrate a documented, implemented process aligned to CIP-003-9 R2 Attachment 1 Section 6: identify where vendor access exists (6.1), disable it when not in use (6.2), and detect known or suspected inbound and outbound malicious communications associated with that access (6.3). The most defensible posture is simple: vendor access is normally disabled, deliberately enabled when needed, and continuously visible through logs or detections you can explain.
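As an added illustration of the remote-pathway inventory and vendor-access posture described in the two sections above (this is example code written for this page, not NERC's, the ERO's or any vendor's tool), the script below models a small vendor remote access register and runs three checks over constructed session log lines: pathways still enabled after their approved window has ended (the "temporary access that becomes permanent" pattern, Section 6.2), logins by accounts that are not in the register at all (Section 6.1), and logins by registered vendor accounts outside their approved window (one simple anomaly feed into the Section 6.3 detection process, not a malicious-communications detector in itself). All account names, pathway labels, approvers, timestamps and log lines are constructed assumptions; the log format is a hypothetical "timestamp user pathway event" layout, not any product's native format.

```python
"""Vendor remote access register checks (constructed example).

Models an evidence-producing control for vendor electronic remote
access: a register of pathways (account, pathway, approver, approved
window, currently enabled?) plus remote-access session log lines.
It reports:
  - pathways still enabled after their approved window ended
  - logins by accounts/pathways not present in the register
  - logins by registered accounts outside their approved window
Every name, timestamp and log line here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass
class VendorPathway:
    vendor_account: str      # account the vendor uses (constructed)
    pathway: str             # e.g. "vpn", "jump-host", "oem-tool"
    approver: str            # who approved the access window
    window_start: datetime   # approved start of access
    window_end: datetime     # approved end of access
    enabled: bool            # is the pathway currently enabled?


# Constructed register for a hypothetical site and hypothetical vendors.
REGISTER = [
    VendorPathway("oem-turbine-svc", "vpn", "plant-mgr",
                  datetime(2026, 3, 2, 8, 0), datetime(2026, 3, 2, 17, 0),
                  enabled=False),
    VendorPathway("dcs-vendor-01", "jump-host", "ops-lead",
                  datetime(2026, 3, 1, 9, 0), datetime(2026, 3, 1, 12, 0),
                  enabled=True),
]

# Constructed session log in a hypothetical "ts user pathway event" layout.
SESSION_LOG = """\
2026-03-01T09:15:00 dcs-vendor-01 jump-host LOGIN
2026-03-01T11:40:00 dcs-vendor-01 jump-host LOGOUT
2026-03-02T19:30:00 oem-turbine-svc vpn LOGIN
2026-03-03T02:10:00 contractor-x vpn LOGIN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN|LOGOUT)$")


def parse_sessions(text):
    """Parse log lines into (timestamp, user, pathway, event) tuples."""
    sessions = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed layout
        ts, user, pathway, event = m.groups()
        sessions.append((datetime.fromisoformat(ts), user, pathway, event))
    return sessions


def standing_access(register, now):
    """Section 6.2 style check: enabled pathways whose approved window has ended."""
    return [p.vendor_account for p in register if p.enabled and now > p.window_end]


def unregistered_logins(register, sessions):
    """Section 6.1 style check: logins by account/pathway pairs not in the register."""
    known = {(p.vendor_account, p.pathway) for p in register}
    return [(u, pw) for _, u, pw, ev in sessions
            if ev == "LOGIN" and (u, pw) not in known]


def logins_outside_window(register, sessions):
    """Logins by registered accounts outside their approved window
    (a simple anomaly feed for the Section 6.3 detection process)."""
    by_key = {(p.vendor_account, p.pathway): p for p in register}
    hits = []
    for ts, u, pw, ev in sessions:
        p = by_key.get((u, pw))
        if ev == "LOGIN" and p is not None and not (p.window_start <= ts <= p.window_end):
            hits.append((u, pw, ts.isoformat()))
    return hits


def review(register=REGISTER, log_text=SESSION_LOG, now=datetime(2026, 3, 3, 8, 0)):
    """Run all three checks and return findings keyed by check name."""
    sessions = parse_sessions(log_text)
    return {
        "standing_access": standing_access(register, now),
        "unregistered_logins": unregistered_logins(register, sessions),
        "logins_outside_window": logins_outside_window(register, sessions),
    }


if __name__ == "__main__":
    for name, findings in review().items():
        print(name, findings)
```

Run as-is, the review flags `dcs-vendor-01` as standing access (still enabled two days after its window closed), `contractor-x` on the VPN as an unregistered login, and the `oem-turbine-svc` VPN login at 19:30 as outside its approved 08:00 to 17:00 window. The point for evidence is that each finding ties back to a named register entry, an approver and a timestamp, which is what a CEA will ask you to explain.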
Physical Security: Tighten Perimeters, Access, and Reviews
Physical security remains a practical reliability focus because incidents can disrupt operations even when they aren’t cyber-related. For Medium/High Impact sites, be prepared to demonstrate physical access controls under CIP-006-6 R1, supported by program governance under CIP-003-9 R2. CEAs commonly test whether Physical Security Perimeter (PSP) boundaries match reality, whether access lists are defensible, and whether reviews and exceptions are documented and repeatable.
Grid Transformation: Settings, Testing, and Coordination
Grid transformation themes increasingly intersect with generation performance during disturbances. Many GOs/GOPs should expect deeper questions around generator testing and modeling evidence where applicable (MOD-025-2 R1–R3; MOD-026-1 R2/R6; MOD-027-1 R5; MOD-031-3 R1/R2; MOD-032-1 R1–R4). On the protection side, be ready to show a defensible basis for voltage/frequency protection settings (PRC-024-3 R1/R2), maintenance/test execution (PRC-005-6 R3/R5), and coordination evidence where applicable (PRC-027-1 R1–R3).
Moving Forward
The bottom line for 2026 is simple: read the CMEP Implementation Plan, translate its focus areas into what applies to your fleet, and build a deliberate plan to assess and close gaps. Use it to prioritize internal reviews, validate control effectiveness, and stage the evidence you’d need to demonstrate you’ve addressed the highest-risk areas—before those topics show up in monitoring, enforcement, or an event.
