IAM Maturity Assessment for NERC CIP
NERC CIP standards are mandatory for operators of the North American bulk electric system. CIP-004 covers personnel risk assessment and access management, and CIP-007 covers system security management, including access authorization, revocation, and monitoring for critical cyber assets. The threshold reflects the automated-controls bar of critical infrastructure.
- Maturity threshold
- 3.0 / 4.0
- Mapped questions
- 11
- IAM domains
- 5
- Assessment scope
- Workforce
What NERC CIP Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to NERC CIP citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Protection of administrative credentials, secrets, and privileged sessions for critical cyber assets
- Access reviews, entitlement discovery, and timely revocation for personnel with authorized access
- Identity threat detection, behavioral analytics, and identity resilience for operational continuity
- Phishing-resistant authentication for access to critical systems
AXIS Questions Mapped to NERC CIP
11 of the 37 questions in the AXIS bank carry NERC CIP citations, including 3 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | NERC CIP references |
|---|---|---|---|
| IGA-04 | IGA | Role-Based Access Control (RBAC) & Access Modeling | NERC-CIP 004-7 |
| IGA-05 | IGA | Entitlement Discovery and Classification | NERC-CIP 011-3 |
| PAM-01 Domino | PAM | Admin Credential Protection | NERC-CIP 007-6 |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | NERC-CIP 007-6 |
| PAM-04 | PAM | Just-In-Time (JIT) Cloud & Infrastructure Access | NERC-CIP 007-6 |
| PAM-05 | PAM | Session Management and Recording | NERC-CIP 007-6 |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | NERC-CIP 007-6 |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | NERC-CIP 008-6 |
| SEC-02 | Security | Identity Resilience & Disaster Recovery | NERC-CIP 007-6 |
| SEC-03 | Security | User Behavioral Analytics (UBA) | NERC-CIP 007-6 |
| CIAM-PAM-01 | CIAM × PAM | Customer-Admin Privilege Governance | NERC-CIP 007-6 |
How AXIS Scores NERC CIP Alignment
A threshold model: each mapped control either meets the NERC CIP maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 3.0 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NERC CIP, a mapped control counts as passing when its answered maturity level reaches 3.0: automated and measured. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for NERC CIP in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NERC CIP citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
NERC CIP is scored in the workforce and full assessment scopes, where its mapped controls are assessed.
It is shown when the assessed organization operates in: Energy & Utilities. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to NERC Critical Infrastructure Protection (CIP). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NERC CIP applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against NERC CIP
Run the AXIS assessment and get your maturity score, NERC CIP alignment, and a prioritized roadmap in one pass. No signup required to start.