The order requires all NERC-registered Bulk Electric System entities—transmission owners, operators, and other grid operators—to report exceptions and submit annual aggregated data to NERC. FERC raised transparency concerns during its September 2025 Notice of Proposed Rulemaking, specifically about reduced oversight from the exception language change. The final order addresses those concerns through added reporting directives to NERC, though the full scope of those oversight mechanisms remains to be detailed in regulatory guidance.
Utilities and grid operators should begin gap assessments immediately. The 24-month compliance window is tight for entities managing complex infrastructure, and the shift from technical feasibility to per-system capability language will require operational and compliance teams to reassess current CIP implementations. This represents the most significant grid cybersecurity update in years and reflects FERC's effort to balance innovation in virtualized infrastructure with reliability mandates as cyber threats to the power grid intensify.