NERC CIP-014 requirements explained
A plain-English guide to NERC CIP-014, the physical security reliability standard for the bulk power system. The R1 risk assessment through the R6 third-party review, who it applies to, the unaffiliated-review rule, the cadence, and how CIP-014 relates to CIP-015.
The short version
NERC CIP-014, in one paragraph
NERC CIP-014 is the physical security reliability standard for the bulk power system. It requires transmission owners and operators to identify, through a risk assessment, the Transmission stations, substations, and primary control centers whose loss could cause instability or cascading outages, and to protect those critical facilities with a documented physical security plan. It runs across six requirements: R1 risk assessment to identify critical facilities, R2 unaffiliated third-party verification, R3 notification, R4 threat and vulnerability evaluation, R5 documented physical security plan, and R6 unaffiliated third-party review. Two of those requirements demand independent, unaffiliated review, which is what makes CIP-014 distinct among the CIP standards.
Last reviewed . Part of the RiskWatch physical security knowledge base. CIP-014 is the current enforceable baseline with FERC-directed revisions underway.
The six CIP-014 requirements (R1-R6)
CIP-014 is structured as a sequence. R1 identifies the critical facilities, R2 independently verifies that list, R3 coordinates with other operators, R4 evaluates threats and vulnerabilities, R5 builds the protection, and R6 independently reviews the result. The same framing drives the free CIP-014 risk assessment toolkit.
- R1 — Risk assessment to identify critical stations: Perform a risk assessment to identify the Transmission stations, Transmission substations, and primary control centers that, if rendered inoperable or damaged, could result in instability, uncontrolled separation, or cascading outages on the bulk power system. R1 is the gate for the whole standard: only the facilities it identifies fall under the remaining requirements. NERC is actively refining the R1 risk-assessment expectations through Project 2023-06, so documentation discipline matters as those clarifications evolve.
- R2 — Unaffiliated third-party verification: Have an unaffiliated third party verify the R1 risk assessment. The reviewer must be independent of the owner, and the entity must either address the verification's recommendations or document the technical basis for not doing so. This independent verification is what gives the R1 list its credibility.
- R3 — Notification of identified facilities: Where a facility identified under R1 is operated by a different Transmission Operator, or its primary control center is operated by a different entity, notify that operator so they know the facility is in scope and can coordinate. R3 makes sure responsibility is clear when ownership and operation are split.
- R4 — Threat and vulnerability evaluation: Evaluate potential threats and vulnerabilities to the physical security of each facility identified under R1. In practice this is a threat, vulnerability, and risk assessment (a TVRA): it considers the threats a facility could face, the weaknesses that could be exploited, and prior history, so the eventual security plan is built on real risk rather than assumption.
- R5 — Documented physical security plan: Develop and implement a documented physical security plan that addresses the threats and vulnerabilities identified in R4. The plan covers physical security measures such as resiliency or security design, law-enforcement coordination, and a timeline for implementation. It is the operational core of CIP-014: the protections that actually defend the critical facilities.
- R6 — Unaffiliated third-party review: Have an unaffiliated third party review the R4 evaluation and the R5 physical security plan. As with R2, the reviewer must be independent, and the entity must either act on the recommendations or document the technical basis for not doing so. R6 closes the loop: the plan that protects the most critical facilities is independently checked.
Work through R1 to R6 with a structured toolkit
The free NERC CIP-014 risk assessment toolkit follows the standard: an R1 scoping worksheet, an R4 threat and vulnerability grid, an R5 plan builder, and an R2 and R6 third-party verification checklist.
What is NERC CIP-014?
NERC CIP-014 is the physical security reliability standard for the bulk power system in North America. It requires transmission owners and operators to identify their most critical Transmission stations, substations, and primary control centers, the ones whose loss could cause instability, uncontrolled separation, or cascading outages, and to protect them with a documented physical security plan. It was developed after a coordinated physical attack on a transmission substation exposed a gap in how the grid's most important physical facilities were protected.
Unlike most of the NERC CIP family, which focuses on cyber security, CIP-014 is squarely about physical security: fences, barriers, surveillance, access, lighting, law-enforcement coordination, and the resilience of the equipment itself. Its scope is deliberately narrow. It applies only to the highest-consequence facilities, identified through a risk assessment and independently verified.
Who CIP-014 applies to
CIP-014 applies to Transmission Owners that own a Transmission station or substation meeting the standard's applicability criteria, and to the Transmission Operator for the associated primary control center. The applicability is defined by voltage and by the configuration of the facility rather than by a fixed list.
The criteria center on higher-voltage facilities. They reach certain Transmission stations and substations operating at 500 kV or higher; for facilities operating at 200 kV to 499 kV they apply based on a weighting and connectivity test described in the standard (broadly, stations interconnecting multiple transmission lines whose aggregate weight meets the standard's threshold); and they include the primary control centers that operationally control those facilities. The exact thresholds, weightings, and exclusions are set out in the applicability section of the standard itself, and the R1 risk assessment then determines which of an owner's in-scope facilities are actually critical. Confirm your specific facilities against the current enforceable standard text rather than a summary.
The unaffiliated third-party review rule
A defining feature of CIP-014 is that it requires independent review twice. Under R2, an unaffiliated third party verifies the R1 risk assessment that identifies the critical facilities. Under R6, an unaffiliated third party reviews the R4 threat and vulnerability evaluation and the R5 physical security plan.
Unaffiliated means the reviewer must be genuinely independent of the entity being reviewed, not a member of the same corporate organization, so the verification carries weight. In both cases the entity must either implement the reviewer's recommendations or document the technical basis for not doing so. This independent-review requirement is unusual among the CIP standards and is one of the reasons CIP-014 compliance takes real planning.
The R4 evaluation that the R6 reviewer checks is, in practice, a threat, vulnerability, and risk assessment (TVRA), and it pairs naturally with a full physical security assessment of each in-scope facility.
Cadence and re-assessment
CIP-014 is not a one-time exercise. The standard sets periodic re-assessment expectations: the R1 risk assessment is revisited on a recurring cycle, with the interval depending on whether the entity has identified critical facilities, and the physical security plan and supporting evaluations are reviewed and updated as conditions change. Because grid topology, threats, and facilities evolve, treating CIP-014 as a living program rather than a filed report is essential. Confirm the exact re-assessment intervals against the current enforceable standard text.
FERC Project 2023-06 and the evolving standard
CIP-014 is being actively refined. FERC directed NERC to evaluate the adequacy of the R1 risk assessment, and NERC opened Project 2023-06 to study and revise it, the effort associated with the next CIP-014 version. The aim is to sharpen how owners identify critical facilities so the risk assessment is consistent and defensible.
For owners, the practical takeaway is to build R1 documentation that holds up as those clarification requirements evolve, rather than treating the current text as final. Frame the standard as the current enforceable baseline with active, FERC-directed improvement underway, and confirm the latest version designation and effective dates against NERC and FERC sources before relying on them.
CIP-014 vs CIP-015
CIP-014 and CIP-015 address different problems and should not be confused. CIP-014 is a physical security standard: it protects specific high-consequence Transmission facilities from physical attack through risk assessment, threat and vulnerability evaluation, and a documented physical security plan.
CIP-015 addresses internal network security monitoring (INSM) within trusted network zones, a cyber security control born from the broader push to detect malicious activity that has bypassed perimeter defenses. In short, CIP-014 is about the physical protection of critical stations and substations, while CIP-015 is about monitoring inside the cyber networks of in-scope systems. An owner can be subject to both, but they are separate obligations with separate scopes. Confirm the current status and applicability of CIP-015 against NERC sources, as cyber standards in this area continue to develop.
From the standard to a managed program
Reading the requirements is the start. Meeting them means scoping the R1 risk assessment, running the R4 threat and vulnerability evaluation, building and implementing the R5 physical security plan, and managing the R2 and R6 unaffiliated reviews and the re-assessment cadence, with evidence you can defend in an audit. The RiskWatch physical security assessment platform, configured for energy and utilities, turns CIP-014 into a live, auditable program. To get started by hand, the free CIP-014 risk assessment toolkit maps directly to R1 through R6.
Turn R1 to R6 into a live physical security program
Start a free trial and the CIP-014 control library lands in your RiskWatch workspace, ready to scope the risk assessment, run the threat and vulnerability evaluation, build the physical security plan, and track the unaffiliated reviews.
No credit card required · 30-day free trial · Cancel anytime