Industry Mandates

IAM Maturity Assessment for NERC CIP

NERC CIP standards are mandatory for operators of the North American bulk electric system. CIP-004 covers personnel risk assessment and access management, and CIP-007 covers system security management, including access authorization, revocation, and monitoring for critical cyber assets. The threshold reflects the automated-controls bar of critical infrastructure.

Maturity threshold
3.0 / 4.0
Mapped questions
11
IAM domains
5
Assessment scope
Workforce
Identity Expectations

What NERC CIP Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to NERC CIP citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Protection of administrative credentials, secrets, and privileged sessions for critical cyber assets
  • Access reviews, entitlement discovery, and timely revocation for personnel with authorized access
  • Identity threat detection, behavioral analytics, and identity resilience for operational continuity
  • Phishing-resistant authentication for access to critical systems
Question Mapping

AXIS Questions Mapped to NERC CIP

11 of the 37 questions in the AXIS bank carry NERC CIP citations, including 3 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to NERC CIP, with domain, capability, and framework references
QuestionDomainCapabilityNERC CIP references
IGA-04IGARole-Based Access Control (RBAC) & Access ModelingNERC-CIP 004-7
IGA-05IGAEntitlement Discovery and ClassificationNERC-CIP 011-3
PAM-01
Domino
PAMAdmin Credential ProtectionNERC-CIP 007-6
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)NERC-CIP 007-6
PAM-04PAMJust-In-Time (JIT) Cloud & Infrastructure AccessNERC-CIP 007-6
PAM-05PAMSession Management and RecordingNERC-CIP 007-6
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityNERC-CIP 007-6
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)NERC-CIP 008-6
SEC-02SecurityIdentity Resilience & Disaster RecoveryNERC-CIP 007-6
SEC-03SecurityUser Behavioral Analytics (UBA)NERC-CIP 007-6
CIAM-PAM-01CIAM × PAMCustomer-Admin Privilege GovernanceNERC-CIP 007-6
Scoring Model

How AXIS Scores NERC CIP Alignment

A threshold model: each mapped control either meets the NERC CIP maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 3.0 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For NERC CIP, a mapped control counts as passing when its answered maturity level reaches 3.0: automated and measured. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for NERC CIP in a given assessment reflects the answers selected. The table above lists every question whose answer options carry NERC CIP citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

NERC CIP is scored in the workforce and full assessment scopes, where its mapped controls are assessed.

It is shown when the assessed organization operates in: Energy & Utilities. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to NERC Critical Infrastructure Protection (CIP). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how NERC CIP applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against NERC CIP

Run the AXIS assessment and get your maturity score, NERC CIP alignment, and a prioritized roadmap in one pass. No signup required to start.