North American Electric Reliability Corporation (NERC)

About the NERC

The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005 (US Public Law 109-58). NERC develops and enforces reliability standards known as NERC Critical Infrastructure Protection (CIP) standards.

Microsoft and the NERC CIP standard

The North American Electric Reliability Corporation (NERC) is a nonprofit regulatory authority whose mission is to ensure the reliability of the North American bulk power system. NERC is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. In 2006, FERC granted the Electric Reliability Organization (ERO) designation to NERC in accordance with the Energy Policy Act of 2005 (US Public Law 109-58). NERC develops and enforces reliability standards known as NERC Critical Infrastructure Protection (CIP) standards.

All bulk power system owners, operators, and users must comply with NERC CIP standards. These entities are required to register with NERC. Cloud Service Providers and third-party vendors are not subject to NERC CIP standards; however, the CIP standards include goals that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards. Neither Microsoft Azure nor Microsoft Azure Government constitutes a BES or BES Cyber Asset.

As stated by NERC in the current set of CIP standards and the NERC Glossary of Terms, BES Cyber Assets perform real-time functions of monitoring or controlling the BES, and would affect the reliable operation of the BES within 15 minutes of being impaired. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and do not fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).

Azure and Azure Government are suitable for Registered Entities deploying certain workloads subject to NERC CIP standards, including BCSI workloads. Microsoft makes the following documents available to Registered Entities interested in deploying data and workloads subject to NERC CIP compliance obligations in Azure or Azure Government:

  • NERC CIP Standards and Cloud Computing is a white paper that discusses compliance considerations for NERC CIP requirements based on established third-party audits that are applicable to cloud service providers such as FedRAMP. It covers background screening for cloud operations personnel and answers common question about logical isolation and multitenancy that are of interest to Registered Entities. It also addresses security considerations for on-premises vs. cloud deployment.
  • Cloud Implementation Guide for NERC Audits is a guidance document that provides control mapping between the current set of NERC CIP standards requirements and the NIST SP 800-53 Rev 4 control set that forms the basis for FedRAMP. It is designed as technical how-to guidance to help Registered Entities address NERC CIP compliance requirements for assets deployed in the cloud. The document contains pre-filled Reliability Standard Audit Worksheets (RSAWs) narratives that help explain how Azure controls address NERC CIP requirements, and guidance for Registered Entities on how to use Azure services to implement controls that they own.

The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a Registered Entity's process to authorize access to designated BCSI storage locations and any access controls the Registered Entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI. Based on the ERO-issued practice guide and reviewed FedRAMP controls to ensure that Registered Entities encrypt their data, no additional guidance or clarification is needed for Registered Entities to deploy BCSI and associated workloads in the cloud. However, Registered Entities are ultimately responsible for compliance with NERC CIP standards according to their own facts and circumstances. Registered Entities should review the Cloud Implementation Guide for NERC Audits for help with documenting their processes and evidence used to authorize electronic access to BCSI storage locations, including encryption key management used for BCSI encryption in Azure and Azure Government.

Microsoft in-scope cloud services

Audits, reports, and certificates

Microsoft is required to recertify its cloud services each year to maintain its P-ATOs and ATOs. To do so, Microsoft must monitor and assess its security controls continuously, and demonstrate that it remains in compliance.

How to implement

NERC CIP Standards and Cloud Computing

Addresses compliance for Registered Entities considering cloud adoption for workloads subject to NERC CIP standards.

Learn more

Cloud Implementation Guide for NERC Audits

Technical guidance helps Registered Entities with NERC audits of assets deployed in Azure or Azure Government.

Learn more

Frequently asked questions

Who is responsible for compliance with NERC CIP standards?

All bulk power system owners, operators, and users must comply with NERC CIP standards. These entities are required to register with NERC. Cloud Service Providers and third-party vendors are not subject to NERC CIP standards; however, the CIP standards include goals that should be considered when Registered Entities use vendors in the operation of the Bulk Electric System (BES). Microsoft customers operating Bulk Electric Systems are wholly responsible for ensuring their own compliance with NERC CIP standards. Neither Azure nor Azure Government constitutes a BES or BES Cyber Asset.

To assess the suitability of Azure and Azure Government for data and workloads subject to NERC CIP standards, Registered Entities should consult with their own compliance officers and NERC auditors. They should review the Cloud Implementation Guide for NERC Audits for help with documenting their processes and evidence for assets deployed in the cloud.

What workloads can Registered Entities deploy on Azure and Azure Government?

The NERC CIP standards and Glossary of Terms state that BES Cyber Assets perform real-time functions of monitoring or controlling the BES, and that if impaired would, within 15 minutes, affect the reliable operation of the BES. To properly accommodate BES Cyber Assets and Protected Cyber Assets in cloud computing, existing definitions in NERC CIP standards would need to be revised. However, there are many workloads that deal with CIP sensitive data and do not fall under the 15-minute rule, including the broad category of BES Cyber System Information (BCSI).

The NERC ERO Enterprise released a Compliance Monitoring and Enforcement Program (CMEP) practice guide to provide guidance to ERO Enterprise CMEP staff when assessing a Registered Entity's process to authorize access to designated BCSI storage locations and any access controls the Registered Entity implemented. Moreover, NERC reviewed Azure control implementation details and FedRAMP audit evidence related to NERC CIP-004-6 and CIP-011-2 standards that are applicable to BCSI. Based on the ERO issued practice guide and reviewed FedRAMP controls to ensure that Registered Entities encrypt their data, no additional guidance or clarification is needed for Registered Entities to deploy BCSI and associated workloads in the cloud. However, Registered Entities are ultimately responsible for compliance with NERC CIP standards according to their own facts and circumstances.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources