Grid cybersecurity rules only matter if they apply to the right equipment. Lock down too little and attackers find an unguarded path into the power system; demand protection of everything and utilities drown in compliance paperwork that adds little real security. The standard that draws that crucial line is NERC CIP-002, and a June 12, 2026 Federal Register notice shows the Federal Energy Regulatory Commission turning its attention to the latest version of it. The notice, filed under Docket Nos. IC26-16-000 and RD25-8-000, solicits public comment on the FERC-725B information collection, described as the Mandatory Reliability Standards for Critical Infrastructure Protection, and states that the submission is for an extension request and for changes to CIP-002-8.

The notice is procedurally a Paperwork Reduction Act exercise. In compliance with the requirements of that 1995 statute, FERC must periodically justify the burden it imposes on industry to collect information and give the public a chance to weigh in. The notice explains that this is an extension request and notes a detail that speaks to how these things usually go: no comments were received on the earlier 60-day notice. It sets a new deadline, stating that comments on the collection of information are due July 13, 2026. That FERC received nothing on the first notice is common for technical reliability filings, but the substance underneath this one is anything but routine.

What CIP-002 actually does

The Critical Infrastructure Protection family of standards, developed by the North American Electric Reliability Corporation and enforced under FERC authority, is the backbone of mandatory cybersecurity for the North American bulk power system. CIP-002 is the foundational standard in that family because it performs the categorization step. Before a utility can apply controls for access management, electronic security perimeters, incident response, or recovery planning, it first has to identify and classify its cyber systems by their potential impact on the grid, sorting them into high, medium, and low impact categories. Every downstream CIP requirement keys off that classification.

This makes CIP-002 quietly one of the most consequential standards in the entire framework. The bright lines it draws determine how much protection a given control center, substation, or generation facility must receive. Shift those lines and you change the compliance obligations, and the security posture, of utilities across the continent. A revision to CIP-002, advancing it to a version labeled CIP-002-8, signals that NERC and FERC have decided the existing categorization criteria need updating, whether to capture newly significant facilities, to clarify ambiguous thresholds, or to reflect how the grid and its threats have evolved.

Why the scope question keeps getting harder

The reason CIP-002 must keep evolving is that the perimeter it tries to define keeps moving. The grid is becoming more digital and more distributed at once. Inverter-based resources like solar, wind, and battery storage rely on software controls; distributed energy resources are proliferating at the grid edge; and the communications networks tying it all together expand the attack surface every year. Facilities that once seemed too small to threaten bulk-power reliability can, in aggregate or through interdependence, matter more than the old thresholds assumed. Keeping the categorization criteria current is a continuous effort to make sure the protective standards reach the assets that actually carry risk.

The threat environment reinforces the stakes. Electric utilities face persistent probing from sophisticated state-linked actors who treat grid intrusion as both an espionage objective and a potential wartime capability. Federal officials have repeatedly warned that adversaries have pre-positioned in critical-infrastructure networks. Against that backdrop, the seemingly dry work of revising CIP-002-8 is part of how the system tries to stay ahead, ensuring that the assets which could enable a damaging attack fall inside the scope of mandatory, auditable controls rather than outside it.

How the paperwork connects to real security

It is easy to dismiss a Paperwork Reduction Act notice as bureaucratic noise, but the information-collection framework is the connective tissue between policy and enforcement. The FERC-725B collection quantifies the burden the CIP standards place on registered entities, and that burden estimate shapes how the rules are written and what compliance evidence utilities must maintain. The comment opportunity that closes July 13, 2026 is a genuine, if narrow, channel for utilities, vendors, and security professionals to tell the Commission whether the proposed changes to CIP-002-8 are workable, whether the burden estimate is realistic, and whether the categorization criteria will capture the right assets.

The dual docket numbers in the notice, IC26-16-000 and RD25-8-000, reflect the two tracks running in parallel: the information-collection review on one side and the reliability-standard development that produced CIP-002-8 on the other. Together they show the machinery by which a cybersecurity requirement moves from NERC's standards-drafting process into a federally enforceable obligation with measured compliance costs. For the millions of customers who depend on the bulk power system, that machinery is what turns the abstract goal of a secure grid into concrete duties for the operators who run it. The fact that the first comment window drew silence does not make the underlying standard any less central; it simply means the experts paying attention found little to object to, this time around.

What gives the CIP-002-8 revision added weight is its position at the head of the entire CIP cascade. A facility that gets classified as high or medium impact inherits a long list of mandatory protections, from multi-factor access controls to logging, patch management, and tested recovery plans; a facility left in the low-impact bucket faces a far lighter touch. Get the criteria too loose and genuinely critical assets escape rigorous protection; draw them too tight and utilities pour scarce security staff into paperwork for equipment that poses little real risk. Each revision to CIP-002 is an attempt to keep that balance calibrated as the grid digitizes, and the comment window closing July 13, 2026 is the public's narrow chance to tell FERC whether the latest calibration is right.