NERC CIP VERSION 7 CRITICAL INFRASTRUCTURE PROTECTION
STANDARDS COMPLETE REAL EXAM QUESTIONS AND 100%
CORRECT ANSWERS LATEST VERSION 2026/2027
Q1: What is the purpose of CIP-002?
ANSWER CIP-002 requires responsible entities to identify and categorize BES
Cyber Systems and their associated BES Cyber Assets based on the impact they could
have on the reliable operation of the Bulk Electric System (BES). It establishes a
risk-based framework for categorizing assets as High, Medium, or Low impact.
Q2: What are the three impact categories under CIP-002?
ANSWER The three impact categories are: (1) High Impact BES Cyber Systems, (2)
Medium Impact BES Cyber Systems, and (3) Low Impact BES Cyber Systems. These
categories determine the level of security controls required under the subsequent CIP
standards.
Q3: What is a BES Cyber Asset (BCA)?
ANSWER A BES Cyber Asset is a Cyber Asset that if rendered unavailable,
degraded, or misused would, within 15 minutes of its required operation,
misoperation, or non-operation, adversely impact one or more Facilities, systems, or
equipment which, if destroyed, degraded, or otherwise rendered unavailable when
needed, would affect the reliable operation of the Bulk Electric System.
Q4: What is a BES Cyber System (BCS)?
ANSWER A BES Cyber System is one or more BES Cyber Assets logically grouped
by a responsible entity to perform one or more reliability tasks for a functional entity.
Grouping is at the discretion of the responsible entity to facilitate security
management.
Q5: What are High Impact BES Cyber Systems?
ANSWER High Impact BES Cyber Systems are those associated with Control
Centers and backup Control Centers of Reliability Coordinators; Control Centers of
Transmission Operators that control 300 kV or higher; Control Centers of Balancing
Authorities; and other assets identified in Attachment 1 of CIP-002, such as
generation resources above 1,500 MW in a single Interconnection.
Page 1 | NERC CIP v7 Compliance Study Guide
Q6: What defines a Medium Impact BES Cyber System?
ANSWER Medium Impact BES Cyber Systems include those associated with
transmission substations at 500 kV or higher, certain generation resources, reactive
resources, and Control Centers not qualifying as High Impact. The criteria are defined
in Attachment 1, Criterion 2 of CIP-002.
Q7: What is the review cycle requirement for CIP-002 asset identification?
ANSWER Responsible entities must review their identification and categorization of
BES Cyber Systems at least once every 15 calendar months. Additionally, a review
must be triggered by changes that could affect the categorization of BES Cyber
Systems.
Q8: Who must approve the BES Cyber System categorization list under CIP-002?
ANSWER The CIP Senior Manager or delegate must review and approve the list of
categorized BES Cyber Systems. This approval must occur at least once every 15
calendar months as part of the required review cycle.
Q9: What is Attachment 1 in CIP-002?
ANSWER Attachment 1 is the Impact Rating Criteria document embedded in
CIP-002 that lists specific criteria for categorizing BES Cyber Systems as High, Medium,
or Low impact. It covers Control Centers, transmission substations, generation
resources, and other BES elements.
Q10: What happens if no BES Cyber Assets are identified at a facility?
ANSWER If a responsible entity determines that it has no BES Cyber Assets
associated with a particular asset, it must document that determination. Low Impact
categorization applies by default to BES Cyber Systems that do not meet the High or
Medium criteria, or the entity must document the basis for no applicable BES Cyber
Assets.
CIP-003-8: Security Management Controls
Q11: What is the primary purpose of CIP-003?
ANSWER CIP-003 requires responsible entities to specify consistent and sustainable
security management controls that establish responsibility and accountability to
protect BES Cyber Systems against compromise that could lead to misoperation or
instability of the BES.
Q12: What is a CIP Senior Manager?
ANSWER A CIP Senior Manager is a single senior management official with overall
responsibility and authority for leading and managing the entity's implementation of
and adherence to NERC CIP Standards. This individual has organizational authority
to set, approve, and enforce CIP security policies.
Q13: What must a CIP security policy contain under CIP-003?
ANSWER CIP security policies must address: personnel and training, physical
security of BES Cyber Systems, electronic security of BES Cyber Systems, incident
reporting and response planning, recovery plans, and configuration change
management. Policies must be approved by the CIP Senior Manager.
Q14: How frequently must CIP security policies be reviewed?
ANSWER CIP security policies must be reviewed at least once every 15 calendar
months. The CIP Senior Manager must approve any changes and must perform at least
one review within each 15-month cycle to confirm the policies remain appropriate.
Q15: What controls apply specifically to Low Impact BES Cyber Systems under CIP-003?
ANSWER For Low Impact BES Cyber Systems, CIP-003 Requirement R2
mandates: (1) a cyber security policy or policies for Low Impact assets, (2) physical
security controls, (3) electronic access controls, (4) a cyber security incident response
plan, and (5) transient cyber asset and removable media usage controls.
Q16: What are the requirements for delegating CIP Senior Manager responsibilities?
ANSWER A CIP Senior Manager may delegate specific security functions to other
individuals. The delegation must be documented, including the delegated function and
the individual's name or title. However, the CIP Senior Manager retains overall
accountability and responsibility.
Q17: What is required when a new CIP Senior Manager is appointed?
ANSWER When a new CIP Senior Manager is appointed, the entity must notify its
Reliability Coordinator, Transmission Operator, and Balancing Authority, as
applicable, within 30 calendar days of the appointment.
Q18: What must Low Impact cyber security policies address per CIP-003 R2?
ANSWER Low Impact cyber security policies must address: (1) physical security
controls to restrict unauthorized access, (2) electronic access controls such as dial-up,
remote, and interactive remote access, (3) cyber security incident response, and (4)
transient cyber assets and removable media.
Q19: What is Attachment 1 in CIP-003?
ANSWER Attachment 1 in CIP-003 provides the security controls for Low Impact
BES Cyber Systems, detailing minimum requirements for physical security, electronic
access, incident response, and transient device management that must be addressed in
the entity's policies.
Q20: Can a CIP security policy be a single document covering all requirements?
ANSWER Yes, the security policy may be a single document or a collection of
multiple documents, provided that together they address all required elements for each
applicable BES Cyber System category. The entity must ensure internal consistency
across all policy documents.
CIP-004-6: Personnel and Training
Q21: What is the purpose of CIP-004?
ANSWER CIP-004 establishes requirements to minimize the risk posed to BES
Cyber Systems from individuals accessing those systems. It covers security
awareness, training, personnel risk assessments (PRAs), and access management for
people with authorized electronic or physical access.
Q22: How often must security awareness training be conducted?
ANSWER Security awareness training must be conducted at least once every 15
calendar months for all personnel with authorized electronic or unescorted physical
access to High and Medium Impact BES Cyber Systems and their associated
Electronic Access Control or Monitoring Systems (EACMS) and Physical Access
Control Systems (PACS).
Q23: What topics must be covered in a CIP cyber security training program?
ANSWER Training must cover: (1) applicable NERC CIP Standards and their
requirements, (2) the entity's security policies, (3) physical security of BES Cyber
Systems, (4) electronic access controls, (5) responses to cyber security incidents, (6)
the risk of social engineering attacks, and (7) handling of BES Cyber System
information.