Cloud meets compliance: NERC CIP standards in action

Managing risk and reliability in the era of cloud

As critical infrastructure evolves amid mounting cyber risk, the landscape for compliance and resilience is changing fast. This guide reveals the latest strategies for harnessing cloud innovation while staying ahead of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements. Deloitte and ServiceNow share perspectives on navigating shifting regulations—and the risks and opportunities that come with them.

As the Electric Reliability Organization (ERO) for North America, NERC operates under the oversight of the Federal Energy Regulatory Commission (FERC) and Canadian governmental authorities. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel.

Among NERC’s many critical initiatives are the NERC CIP standards—a set of regulations and guidelines designed to safeguard essential services and assets vital to national security, public health, safety, and economic stability. These standards are continually reviewed and updated to address emerging threats and technological advancements, reflecting the dynamic nature of the electric utility industry. Particularly with the adoption of cloud services, NERC continues to evolve its reliability standards to meet the demands of modern computing. This transformation brings new opportunities for modernization but also introduces new risks that Registered Entities should carefully navigate. As more Registered Entities seek to implement cloud services, NERC is refining its CIP requirements to further clarify and support secure cloud adoption while maintaining compliance. Explore how Deloitte and ServiceNow’s capabilities can be leveraged to help you stay ahead.

Registered Entities are responsible for maintaining security in the cloud and the protection of their regulated assets. This includes managing the configuration of application software. They should carefully evaluate the products they choose, as the Registered Entity’s responsibilities vary based upon the characteristics of the products themselves, how those products get integrated into their IT environments, and the applicable laws and regulations affecting those products.

In this particular shared responsibility model, while the cloud provider (such as ServiceNow) delivers baseline controls—like physical data center security and certain infrastructure safeguards—Registered Entities should actively configure, manage, and document compliance-specific controls within their own cloud instances.

In the cloud, certain security controls can be inherited from the service provider, such as physical access restrictions and monitoring at the data center level. However, Registered Entities remain accountable for implementing logical access controls, managing encryption keys, and complying with NERC CIP Standards.

As Registered Entities adopt cloud solutions, maintaining compliance with NERC CIP Standards requires a clear understanding of evolving responsibilities and risks. The following high-level considerations are some of the areas Registered Entities should focus on for enhancing compliance and protecting Bulk Electric System (BES) Cyber Assets and information:

  • Customer responsibility considerations: Registered Entities are responsible for implementing and documenting controls that address NERC CIP requirements in the cloud. Registered Entities need to maintain evidence generation, access management, and data protection in accordance with the standards. Registered Entities should also regularly review and adapt controls and documentation in response to the rapidly evolving landscape of cyber threats and regulatory audits, maintaining readiness for both compliance and emerging risk scenarios. 
  • Access management and BES Cyber System Information (BCSI) security: It is the Registered Entity’s responsibility to enforce role-based access, encrypt data at rest, and securely delete information when no longer needed. 
  • Network security: Registered Entities are responsible for implementing instance security hardening. 
  • System security management: Registered Entities should implement technical, operational, and procedural controls to protect BES Cyber Systems from compromise. 
  • Incident response and recovery: Entities are responsible for managing and responding to incidents involving data stored in the cloud and malicious activity originating from or targeting cloud services. Effective incident response plans should be implemented to analyze and mitigate threats before they impact the BES. 
  • Configuration change management and vulnerability assessments: When using cloud services, Registered Entities should analyze whether configurations affecting BES Cyber Assets remain aligned with security and compliance requirements. 
  • Third-party risk management: Registered Entities need to create and implement documented supply chain risk management plans that address procurement and contract management processes. The related NERC requirements seek to safeguard against third-party products and services introducing vulnerabilities into the BES, strengthening the overall security and reliability of critical infrastructure. 
  • Internal network security monitoring: When utilizing cloud services, the Registered Entity’s role in complying with the CIP-015 standard, effective October 1, 2028, remains the same as when using non-cloud services. The Registered Entity will need to monitor network traffic inside the Electronic Security Perimeters in the cloud.

ServiceNow and Deloitte offer Registered Entities a strategic approach to meeting NERC CIP compliance requirements in the cloud. ServiceNow provides cloud-based solutions designed to support CIP, including advanced encryption, access management, and network security capabilities that align with NERC CIP Standards. These tools help Registered Entities streamline compliance processes, enhance visibility, and strengthen their security posture.

Deloitte brings deep industry experience and regulatory knowledge to help Registered Entities navigate the complexities of NERC CIP compliance, delivering tailored advisory, implementation, operation, and integration services that help organizations increase the value of ServiceNow’s platform while aligning to compliance requirements and maintaining operational resilience. Together, Deloitte and ServiceNow help Registered Entities confidently adopt cloud technologies, address evolving regulatory requirements, and safeguard the reliability and security of the BES.

In a climate where threats, regulations, and technology change fast, proactive collaboration, ongoing risk assessment, and continual enhancement are essential to achieving audit-ready, resilient, and secure operations.