NERC posts updated RSAWs for 11 CIP cybersecurity standards—effective July 1, 2028
NERC says its July 6–12 bulletin posted updated RSAWs for revised CIP cybersecurity standards tied to virtualization—11 standards, effective July 1, 2028.
NERC is updating a key part of the grid’s cyber compliance process: Reliability Standard Audit Worksheets (RSAWs). In its July 6–12, 2026 NERC Standards, Compliance, and Enforcement Bulletin edition, the organization says updated RSAWs were posted for revised Critical Infrastructure Protection (CIP) cybersecurity reliability standards tied to virtualization considerations—covering 11 CIP standards—with the revised standards set to take effect July 1, 2028.
For the public, this isn’t a day-one announcement about outages. But it can still mean real work inside utilities and other “registered entities” that must document, test, and retain audit-ready evidence as compliance cycles roll forward.
What changed in NERC’s July 6–12 bulletin
NERC’s bulletin says it posted updated RSAWs for revised CIP cybersecurity reliability standards. It also identifies 11 CIP standards as affected by the updated worksheet set and points to July 1, 2028 as the effective date for the revised standards.
RSAWs matter because they help turn complex, acronym-heavy reliability requirements into the practical “show your work” materials that compliance reviewers can verify—such as control documentation, assessment/testing records, and other audit-ready evidence.
Why “virtualization” shows up in cyber compliance
NERC’s framing links the revised CIP cybersecurity standards (and the updated RSAWs) to virtualization considerations. In plain terms, that reflects the reality that modern grid IT often uses virtual machines and virtualized environments—so cybersecurity controls and evidence may need to be organized in ways that match how systems are built and operated.
Who is affected—and the planning timeline
The bulletin is aimed at entities responsible for demonstrating compliance with mandatory reliability standards under the U.S. bulk power system framework—where FERC explains how NERC-developed standards become mandatory and how compliance and enforcement fit into oversight.
With an effective date of July 1, 2028, the practical “what to watch next” is mainly preparedness:
- Registered entities may need to align internal evidence collection and testing records to what the updated RSAWs call for.
- Organizations may also need to adjust documentation practices for controls where virtualization-related implementation details matter.
The key caution for residents: the bulletin itself is procedural and planning-focused, not a claim that reliability has failed.
Bottom line
NERC’s July 6–12 bulletin is a reminder that grid resilience depends on both engineering and compliance readiness. Even worksheet updates can change the workload and documentation expectations inside grid cyber programs—especially as revised CIP cybersecurity requirements take effect on July 1, 2028.
Sources
- NERC — Standards, Compliance, and Enforcement Bulletin (July 6–12, 2026) (PDF)
- FERC — Reliability explainer
Discover more from Interactive News
Subscribe to get the latest posts sent to your email.