Senior NERC CIP Compliance Analyst

Consolidated Asset Management Services

Description

The Sr. NERC CIP Compliance Specialist provides critical on-site leadership to protect and maintain the integrity of control and business networks at our low- and medium-impact generating stations. This role drives continuous compliance with NERC CIP cybersecurity standards, leads site security initiatives, and serves as the primary subject matter expert for station personnel. Operating as a key liaison, this position partners with cross-functional stakeholders to enforce a secure operational environment and ensure continuous audit readiness through rigorous evidence management.

Essential Duties and Responsibilities
  • Program Ownership: Build, optimize, and maintain on-site processes and documentation to ensure continuous adherence to NERC CIP standards.
  • Asset & Baseline Management: Maintain accurate cyber asset inventories and manage baseline change control workflows.
  • Audit Leadership: Lead RSAW/ERT preparation and submission for Regional Entity audits, spot checks, and compliance investigations.
  • Access Control: Maintain compliant physical and electronic security perimeters and access controls for all site assets.
  • Routine Compliance: Execute daily, monthly, quarterly, and annual CIP compliance activities in accordance with program procedures.
  • Liaison & RFI Coordination: Serve as the primary site contact for Regional Entities; coordinate cross-functional teams to fulfill RFIs and remediate findings.
  • Training Delivery: Deliver and support mandatory NERC CIP cybersecurity compliance training programs for site personnel.
  • Patch Management: Direct the end-to-end patch management lifecycle, ensuring BES Cyber Assets are monitored and updated within regulatory timelines.
  • Incident Response & Drills: Lead the annual testing, documentation, and reporting of the Cyber Security Incident Response Plan (CIP-008) and Recovery Plans (CIP-009).
  • Vulnerability Assessments (CIP-010): Orchestrate annual Critical Vulnerability Assessments (CVAs) while ensuring zero adverse impact to operational BES infrastructure.
  • Information Protection: Oversee the identification, classification, and secure handling of Bulk Electric System (BES) Cyber System Information (BCSI) to prevent unauthorized disclosure.
  • Supply Chain Risk (CIP-013): Lead supply chain risk assessments and collaborate with procurement/legal to enforce cybersecurity contract clauses.
  • Self-Assessments & Mitigation: Conduct proactive internal compliance self-assessments; manage the identification, self-logging, and mitigation of compliance deviations.

Requirements
  • Bachelor's degree in Engineering, Computer Science, IT, Cybersecurity, or a related technical discipline (equivalent direct experience considered).
  • Minimum of 7-10 years of professional experience in regulatory compliance, power utility operations, or industrial cybersecurity.
  • At least 5 years of hands-on experience implementing and managing a NERC CIP compliance program across Medium or High-impact assets.
  • Demonstrated success drafting RSAWs, preparing ERT responses, and managing RFIs during Regional Entity audits or spot-checks.
  • Deep operational understanding of the 35-day patch/baseline lifecycle (CIP-007/010), security perimeters (CIP-005/006), and supply chain management (CIP-013).
  • Ability to successfully pass a mandatory NERC CIP-004 Personnel Risk Assessment and background check.
  • Ability to work full-time on-site at the designated facility, travel up to 25% as needed, and safely navigate physical plant environments.
  • Ability to perform physical job duties, including lifting up to 25 pounds, climbing, bending, and working in industrial environments (use of PPE is required).

Preferred Skills and Certifications
  • Prior experience working directly within a power generation plant, transmission control center, or EMS/GMS environment.
  • NERC Certified Compliance Professional (NCCP) designation.
  • CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), or CISM (Certified Information Security Manager).
  • SANS GIAC certifications, specifically GCIP (GIAC Critical Infrastructure Protection) or GICSP (Global Industrial Cyber Security Professional).
  • Established working relationships and direct audit experience with our specific Regional Entity (e.g., SERC, WECC, NPCC, RF, MRO, Texas RE).
  • Commitment to cybersecurity excellence and regulatory compliance is a must.
Vacancy posted more than 2 months ago