
Aaron Crow
Aaron Crow is an executive leader with more than 20 years of experience in the technology field. He has expertise in technical architecture and design, data migration, network and application security, major network system rollouts, reorganizations, and technology refreshes. Aaron has an analytical mind that enables him to quickly grasp new concepts and communicate technical details to both technical and non-technical audiences. He builds consensus for reliable standardized deployment of enabling technologies by building strong relationships with management teams and staff members at all levels. His extensive leadership skills enable him to influence others while maintaining focus on his objectives.
This is the first part of a two-part series that pulls back the curtains on NERC CIP audits, sharing what really happens before, during, and after the assessment, what the Regional Entities look for, how to prepare, and how to respond when it’s over. In this article, we’ll explore what the audit process and timeline look like and how you can best prepare for it. Next week, I’ll get into the standards themselves and discuss the how and why of incorporating them into your daily operations, so the audit doesn’t feel like such a burden.
Look, I’ve been through more than a few NERC CIP audits. First one? I thought we had it all figured out. Every document printed, every signature in place, network diagrams that looked like works of art.
We were ready, right?
Thirty minutes into that opening session, the auditors started asking questions that went way beyond the paperwork. Not aggressive questions, just ones that tested whether we actually lived what we wrote. That’s when it hit me. This isn’t about documentation. It’s about discipline.
If you’re running generation plants, transmission facilities, or any piece of the Bulk Electric System, you know NERC CIP compliance isn’t optional. But here’s the thing (and I tell this to every organization I work with): compliance is a great foundation. It’s one of the reasons power utilities are further along than other critical infrastructures when it comes to cybersecurity maturity. But compliant doesn’t mean secure.
Think about it this way. You can be 100% compliant with every NERC CIP standard for your registered assets and still have massive cyber risks in your organization. Compliance covers what’s in scope, not your entire facility. It’s the baseline, the minimum bar. What matters is how you build on top of that foundation.
And here’s something else that’s critical: 99.999% compliant is not compliant. NERC and FERC aren’t hunting for minor mistakes to punish organizations, but precision matters. If something’s undocumented or unjustified, it can and will be used against you. That’s just the reality we operate in.
Let me walk you through what really happens in these audits. Not just the timeline and requirements, but what auditors are actually looking for and, most importantly, how to turn compliance from a checkbox exercise into something that actually strengthens your operations.
Why Compliance Actually Matters (And Where It Falls Short)
When I talk to plant managers and engineers about compliance, I see two reactions. Either they roll their eyes because they think it’s just paperwork, or they’re terrified they’re going to miss something and get hammered with a fine.
Both are understandable reactions, but both miss the point.
Compliance helps organizations find and maintain budgets for cybersecurity. It justifies headcount. It keeps security on the radar when competing priorities would otherwise push it aside. Without NERC CIP, I guarantee you’d have control systems running Windows XP directly connected to the internet with no one batting an eye.
Why? Because people typically don’t truly understand or quantify risk until someone forces them to look at it. Most operators are focused on making the system or process work right now and aren’t always aware of the risks they brought in with an off-the-cuff workaround, a Walmart router, or a used system bought off of eBay.
That said, be clear about what compliance is and isn’t. It’s about consistency. It’s about doing the right things all the time. It’s about showing your work, proving you’re doing what you say you’re doing.
But compliance doesn’t mean rigidity. The standards give you flexibility in how you implement them. They’re not telling you which firewall to buy or where to put your systems. They’re saying here are the minimum things you need to do to protect reliability.
Used correctly, that flexibility is actually a gift. When compliance is incorporated into your broader cyber program, tools, and systems, it does way more than check off boxes. I don’t patch systems just to be compliant. I patch to maintain healthy, reliable systems. I don’t test patches just to document that the tests were completed. I test so I don’t break things in production. I don’t change passwords because an auditor might ask. I change them because it reduces the risk of a former employee or contractor causing problems six months down the road.
Getting Ready for the Audit: The Real Timeline
Audits happen annually, scheduled by your Regional Entity. If you’re a major player in generation or transmission, expect an in-person visit. Smaller co-ops might get remote assessments, but everyone gets tested.
90 Days Out – The Clock Starts
When that Audit Notification Letter hits your inbox, treat it like an operations order. Don’t just file it away. The ANL tells you exactly what the audit team will focus on, who’s coming, and what they expect to see.
Here’s what successful organizations do immediately:
- Assign ownership for every single standard and requirement
- Map out who owns what documentation
- Identify your subject matter experts for each area
- Start gathering evidence (now, not 30 days from now).
60 Days Out – Evidence Submission
This is where the rubber meets the road. This phase involves submitting Level 1 information, including your programs, processes, and procedures. The auditors want to see:
- Security awareness training records (and not just sign-in sheets)
- Access control logs that actually show reviews happened
- Network diagrams that match reality
- Incident response plans that people have actually tested
Pro tips:
Volume doesn’t impress auditors. Precision does. If they ask for evidence of quarterly reviews, don’t send daily logs for the entire year. Send them only the documents that prove you conducted quarterly reviews, clearly labeled and easy to follow.
Remember, when it comes to your audit, it’s quality over quantity. Provide the auditors with exactly what they requested, make sure it meets the requirement, and nothing more. Adding more documents won’t help you (and can actually hurt you).
30 Days Out – Level 2 Requests
This is where weak programs start to show cracks. Level 2 isn’t about whether policies exist. It’s about whether you’re actually following them. Auditors will ask questions like:
- Show me the last five times you reviewed vendor access
- Prove this patch was tested before deployment
- Who approved this firewall change, and where’s the risk assessment?
Strong programs handle this phase smoothly because they’ve been collecting evidence continuously and aren’t left scrambling to create it after the fact.
During the Audit: What Really Happens
That first morning always feels tense. People shuffle papers, test their laptops, and try not to say the wrong thing. Here’s my advice to every team: Stay calm, answer directly, and never speculate. If you don’t know something, say, “I don’t know, but I’ll find out.”
Auditors aren’t expecting perfection. They’re expecting ownership. They want to see that you understand your environment and take responsibility for protecting it.
They’ll test your team’s actual understanding. Not just whether documents exist, but whether your engineers can explain why a firewall rule exists or who approved a specific change. When your team can answer confidently, the audit’s whole tone shifts. It becomes a professional conversation between peers, not a high-stakes interrogation.
After the Audit: Managing Findings
About 30 days after the audit wraps up, you’ll get the draft report. There will be findings. There always are, for everyone. Some will be minor, others might make you uncomfortable. Take them all seriously.
You’ve got 30 days to respond with corrective actions. This isn’t the time to argue or make excuses. It’s time to demonstrate accountability. For each finding:
- Acknowledge it clearly
- Explain exactly what you’re doing to fix it
- Provide evidence of the fix or a realistic timeline during which you’ll execute the fix
- Show how you’ll prevent it from happening again
If the Regional Entity accepts your response, the audit closes, usually about 115 days from when the process began. If the Regional Entity needs more information, provide it quickly and professionally. Every interaction either builds or erodes your credibility for the next audit.
Now that you know exactly what to expect during your NERC CIP audit, it hopefully feels less overwhelming. And once you’ve incorporated those standards into your daily operations, the audit itself will feel more like a cursory review of normal operations.
In the next article, I’ll delve further into the standards themselves and explain why it’s so important to incorporate them on a day-to-day basis.
