NERC applies to companies that generate, provide, or transmit energy.
- NERC is subject to Federal Energy Regulatory Commission (FERC) mandates
and control. The NRC (Nuclear Regulatory Commission) is a related commission
for nuclear power.
- The primary focus of NERC is on SCADA (supervisory control and data
acquisition) devices and networks.
- The majority of IT-related policies will be found in the Critical Infrastructure
Protection (CIP) standards.
- Standard CIP-002-3 requires the identification and documentation of the Critical
Cyber Assets associated with the Critical Assets and outlines the key controls
relative to IT.
- A key issue unique to NERC is the requirement to monitor log devices
with no gap exceeding 7 days. Failure to meet it can be a critical audit
finding with serious repercussions.
- Annual reviews of assets, policies, and procedures are mandated.