NERC CIP-013-4 and the Next Wave of Supply Chain Risk
Supply chain exposure across the grid is no longer static. It is expanding in scale and velocity, driven less by new rules and more by how fast previously unseen vulnerabilities surface across vendor-connected systems. This briefing covers the regulatory signals utilities need to act on now.
In this update: the proposed CIP-013-4 supply chain changes, the NERC 2026 Summer Reliability Assessment, a federal warning on automatic tank gauge systems, and industry feedback on CIRCIA.
CIP-013-4: What Is Changing in Supply Chain Risk Management
NERC has proposed updates to CIP-013 to address FERC Order No. 912, which directed NERC to close gaps around Protected Cyber Assets and reassessment timelines. The proposed CIP-013-4, developed alongside CIP-010-6 under Project 2025-06, expands scope and tightens how often utilities must reassess supply chain risk.
Scope expansion
Requirement R1 applicability now explicitly covers high and medium impact BES Cyber Systems plus their associated systems:
- Electronic Access Control or Monitoring Systems (EACMS)
- Physical Access Control Systems (PACS)
- Protected Cyber Assets (PCAs)
- Shared Cyber Infrastructure (SCI)
Reassessment timelines
Utilities would need to re-run the risk assessment before deploying products or services, including spare equipment and emergency repairs, when the most recent assessment is older than:
- 24 calendar months for high impact systems
- 36 calendar months for medium impact systems
The proposal also calls for periodic reassessment of vendors, products, and services under existing contracts, so supply chain risks that develop after a contract begins are captured rather than missed.
Tracking and auditable evidence
Every identified supply chain risk must be documented, tracked, and responded to. That response trail becomes auditable evidence, which raises the bar for programs still relying on point-in-time assessments or fragmented tracking.
Comment period: Draft 1 of CIP-013-4 is open for formal comment and initial ballot. Deadlines shift as the project moves through the standards process, so confirm the current window directly with NERC before you plan your submission.
Frequently Asked Questions
What is NERC CIP-013-4?
CIP-013-4 is a proposed revision to NERC's supply chain risk management standard. Developed under Project 2025-06 to address FERC Order No. 912, it expands applicability to associated EACMS, PACS, PCAs, and Shared Cyber Infrastructure, and adds defined reassessment timelines for high and medium impact systems.
What are the CIP-013-4 reassessment timelines?
Under the proposal, utilities re-run the supply chain risk assessment before deploying products or services when the most recent assessment is older than 24 months for high impact systems or 36 months for medium impact systems, including for spare equipment and emergency repairs.
Which systems does CIP-013-4 apply to?
Requirement R1 applies to high and medium impact BES Cyber Systems and their associated Electronic Access Control or Monitoring Systems, Physical Access Control Systems, Protected Cyber Assets, and Shared Cyber Infrastructure.
What did the NERC 2026 Summer Reliability Assessment find?
NERC found adequate anticipated resources for normal summer peak conditions but elevated risk under extreme conditions, citing more than 11 GW of peak-demand growth, more than 58 GW of new resources, and heightened exposure from heat, drought-driven hydropower reductions, and large-load growth.
How should utilities prepare for CIP-013-4 now?
Review asset inventories to bring associated PCAs under the supply chain plan, map spare and long-lead deployment timelines against the assessment windows, set a vendor reassessment cadence tied to contract milestones, and maintain a single risk register with an audit trail.
