What is the NERC CIP violations tracker?

It is a free, sortable tool that organizes public NERC CIP Notices of Penalty by the CIP standard cited, the NERC Regional Entity, the filing year, and the penalty amount. Each entry links back to its FERC eLibrary docket and the source NERC filing so you can verify it. The tracker covers Critical Infrastructure Protection standards, the cyber and physical security reliability standards that apply to owners and operators of the North American bulk electric system.

How large can a NERC CIP penalty be?

Under the Federal Power Act, NERC and FERC can assess civil penalties of up to a statutory maximum per violation per day, and a single matter can involve many violations over many days. In practice most filed Notices of Penalty settle for far less, and many issues are resolved through Find, Fix, Track and Report with no monetary penalty at all. We report the penalty amount stated in each filing and never extrapolate a total.

What is the difference between a Notice of Penalty and Find, Fix, Track?

A Notice of Penalty is a filed enforcement action that usually carries a monetary penalty. Find, Fix, Track and Report is a streamlined disposition for lower-risk issues that an entity has already remediated, typically with no monetary penalty. You can filter the tracker by either disposition.

Where does the data come from?

From NERC's public enforcement program, including filed Notices of Penalty and the monthly spreadsheet Notices of Penalty, and from the FERC eLibrary docket for each matter. Every figure shown is taken from those primary filings. Nothing on this page is fabricated, and when the underlying data set has not yet been ingested the tracker says so plainly.

Free resource

NERC CIP violations tracker

Name: NERC CIP Notices of Penalty tracker
Creator: RiskWatch
License: https://www.nerc.com/Pages/Terms-of-Use.aspx

A sortable, filterable tracker of NERC CIP Notices of Penalty by standard, region, year, and penalty amount, with each entry linked to its FERC eLibrary docket.

See energy and utilities solutions Get the CIP-014 toolkit

The short version

What the NERC CIP enforcement record shows

The NERC Critical Infrastructure Protection standards govern how owners and operators of the North American bulk electric system protect their cyber and physical assets. When an entity falls short, NERC and FERC can act, and under the Federal Power Act penalties can run up to a statutory maximum per violation per day. This tracker organizes the public Notices of Penalty so you can see which CIP standards draw the most enforcement, how penalties trend by year, and which Regional Entities filed them, with every row linked to its FERC eLibrary docket.

Last reviewed June 2026. Every figure is taken from a primary NERC or FERC filing. Nothing is invented. The most common CIP shortfalls map directly to the controls you can manage in a platform. If you are scoping a physical security program, start with the free CIP-014 risk assessment toolkit, and use the free NERC CIP compliance checklist to pressure-test your program.

Loading the tracker…

Methodology and sources

Every row in this tracker comes from a primary filing. Notices of Penalty and the monthly spreadsheet Notices of Penalty are drawn from the NERC enforcement and mitigation program, and each matter is linked to its docket in the FERC eLibrary. We normalize each filing into a consistent schema: filing date, Regional Entity, the CIP standards cited, the penalty in US dollars or a clear label when there is no monetary penalty, the violation type, the NERC risk designation, the entity, the FERC docket, and the source link.

Redaction discipline.NERC withholds the identity of the violating entity on most public CIP Notices of Penalty, because publishing the specific security weaknesses of a named bulk-electric-system facility could itself create risk. Where NERC has redacted the name, this tracker shows “Unidentified Registered Entity” and never guesses, infers, or cross-references a real name. Any other detail NERC has not published reads “not disclosed.” We do not name an entity NERC has not publicly named.

No fabricated figures. We report the penalty stated in each filing and never extrapolate a total from the statutory per-violation, per-day maximum. Find, Fix, Track and Report dispositions are labeled as carrying no monetary penalty. When the underlying data set has not yet been ingested, the tracker says so plainly rather than showing placeholder numbers.

Primary sources: NERC Enforcement and Mitigation (filed Notices of Penalty and monthly spreadsheet NOPs) and the FERC eLibrary docket for each matter.

FAQ

Frequently asked questions

Built for utilities and critical infrastructure

Turn the CIP enforcement record into a managed program

RiskWatch helps energy and utility teams assess facilities, track CIP controls, and document the physical and cyber security plans that hold up under NERC scrutiny. Start a free trial or request a quote.