The Federal Energy Regulatory Commission (FERC) on Sept. 18 advanced four reliability measures for the U.S. bulk power system (BPS), formalizing frameworks around supply chain risk, cloud computing and virtual infrastructure, cybersecurity, and extreme cold weather preparedness.
The commission finalized a new supply chain risk management rule—effective in 60 days—that expands protections against vulnerabilities stemming from outside threats. In addition, FERC issued two notices of proposed rulemaking (NOPRs): one to allow utilities to use cloud computing and virtual infrastructure while maintaining security standards, and another to strengthen cybersecurity requirements for low-impact systems against coordinated cyber-attacks. The commission also approved enhanced extreme cold weather preparedness standards, which, when effective on Oct. 1, will require improved generator winterization and clearer communication protocols during cold weather events.
On Thursday, FERC Chairman David Rosner asked six grid operators how they forecast large new electric loads from rapidly growing sectors such as artificial intelligence (AI) and data centers. The query, prompted by unprecedented electricity demand growth, will seek to examine whether existing load forecasting practices can keep pace with the accelerating deployment of high-capacity industrial and commercial customers, and to identify improved methods that better protect reliability and ratepayer value as the sector’s profile evolves.
A Suite of New Rules
At the commission’s open meeting on Thursday, FERC’s three commissioners— Chairman David Rosner, and Commissioners Lindsay See and Judy Chang—voted unanimously to approve four measures that they said were “focused on modernizing the reliability and security of the nation’s Bulk Power System in the face of threats.”
Final Rule on Supply Chain Risk Management Reliability Standards Revisions (RM24-4-000 and RM20-19-000). FERC finalized a new supply chain risk management rule for the U.S. bulk power system to address vulnerabilities in equipment and services supplied by entities deemed risks to national security. The rule directs the North American Electric Reliability Corp. (NERC) to develop revised reliability standards within 18 months that strengthen responsible entities’ supply chain risk management plans and extend protections to protected cyber assets (PCAs), which are ancillary devices inside electronic security perimeters that adversaries could exploit as pathways into bulk power system operations.
FERC has said the measure seeks to close gaps exposed by cyber incidents and compliance audits. It recognizes growing threats from nation-state actors and global supply chain insecurities that could compromise grid reliability and cybersecurity. However, owing to industry pushback, the finalized rule stops short of mandating validation of vendor-supplied data, instead encouraging voluntary or centralized approaches.
The supply chain rule traces back to FERC’s September 2020 Notice of Inquiry following heightened national security concerns about foreign equipment in critical infrastructure, particularly communication systems and other equipment, which U.S. security agencies identified as potential vectors for espionage and grid disruption. The initial inquiry drew over 25 industry comments on risks posed by potentially compromised vendors and whether existing Critical Infrastructure Protection (CIP) standards adequately addressed supply chain vulnerabilities. In September 2024, FERC issued a NOPR, which prompted NERC and regional reliability entities to submit formal comments by November 2024. FERC also held a March 2025 workshop focused on assessment protocols and vendor validation requirements, which generated additional input from more than 20 industry participants.
Notice of Proposed Rulemaking on Critical Infrastructure Protection Reliability Standard CIP-003-11 (RM25-8-000). FERC’s NOPR proposes to approve NERC’s CIP-003-11 standard to address the growing risk that coordinated cyberattacks on dispersed, low-impact bulk electric system (BES) cyber systems. “Most individual BES Cyber Systems within the bulk electric system are categorized as low impact,” the NOPR reads. “Individual low-impact BES Cyber Systems have less of an impact on bulk electric system reliability than medium or high-impact BES Cyber Systems and thus have fewer CIP Reliability Standard requirements. Nevertheless, low-impact BES Cyber Systems may still introduce reliability risks of a higher impact when distributed low-impact BES Cyber Systems are subjected to a coordinated cyber-attack.” The proposal stems from NERC’s December 20, 2024, petition, which incorporated recommendations from a Low Impact Criteria Review Team formed after the SolarWinds attack.
CIP-003-11 would require entities with low-impact BES Cyber Systems to:
- Authenticate all users prior to permitting access to networks containing low-impact BES Cyber Systems or shared cyber infrastructure;
- Protect authentication information while in transit; and
- Detect malicious communications to or between low-impact BES Cyber Systems with external routable connectivity.
The Commission is seeking comment to approve the standard as well as feedback on whether NERC should be directed to conduct a study or whitepaper examining evolving threats. If adopted, entities could face significant new documentation, training, and system architecture updates. NERC’s plan calls for a 36-month implementation period following FERC approval.
Notice of Proposed Rulemaking on Virtualization Reliability Standards (RM24-8-000). In a parallel effort to modernize cybersecurity oversight, FERC issued a NOPR based on NERC’s July 10, 2024, filing to revise eleven CIP standards and glossary definitions to accommodate virtualization and cloud computing in bulk power operations explicitly. An errata filed May 20, 2025, adjusted five of those proposals.
The NOPR proposes to approve four new and 18 modified glossary definitions along with the eleven revised standards, clarifying how protections apply to virtual machines, cloud platforms, and software-defined networks used in EMS, SCADA, and other critical functions. The revisions aim to replace prescriptive controls with objective-based criteria, reduce the compliance documentation burden, and provide flexibility for entities to adopt protections aligned with their chosen technology stacks.
FERC is seeking comment on NERC’s proposed technical feasibility exception program to address implementation challenges unique to virtualization.
Order Approving Extreme Cold Weather Reliability Standard and Directing Data Collection (RD25-7-000). FERC approved NERC’s revised Reliability Standard EOP-012-3 (Extreme Cold Weather Preparedness and Operations), which will become effective on Oct. 1, 2025. The enhanced standard, developed in response to the Commission’s June 2024 directives clarifies how to calculate unit-specific Extreme Cold Weather Temperatures, updates the definition and validation process for Generator Cold Weather Constraints, and strengthens corrective action plan timelines so that failures are addressed before the following December. It sets 24- to 48-month deadlines and mandatory compliance enforcement authority (CEA) pre-approval for extensions
New provisions require generators entering commercial operation on or after October 1, 2027, either to meet freeze-protection measures or to declare a constraint preventing operation until mitigations are complete. A standardized, auditable list of “known” and “case-by-case” constraint circumstances (such as design limits on wind turbine towers or cost-prohibitive retrofits) is codified. Entities must also conduct 36-month reviews of all validated constraint declarations to confirm ongoing validity.
FERC also directed NERC to file biennial informational reports from October 2026 through October 2034, detailing by region: the total submitted and approved constraint declarations, the aggregate MVA of constrained capacity, and the rationale for approvals. Each filing must also include a narrative analyzing notification practices to reliability coordinators, timelines for corrective actions, and the system-wide risks of allowing up to three years for freeze mitigation.
Load Forecasting Scrutiny Targets AI-Driven Demand
On Thursday, Chairman Rosner dispatched letters to six regional transmission organizations (RTOs) and independent system operators (ISOs)—CAISO, ISO-NE, MISO, NYISO, PJM, and SPP—asking for standardized feedback on large load forecasting practices, particularly for data centers supporting artificial intelligence operations. The inquiry appears to address growing concerns about forecast accuracy as utilities project hundreds or thousands of megawatts in new demand growth.
Rosner’s letter stresses the critical importance of accurate forecasting, noting that improvements of “even a few percentage points in the right direction—up or down—can impact billions of dollars in investments and customer bills. Put simply, we cannot efficiently plan the electric generation and transmission needed to serve new customers if we don’t forecast how much energy they will need as accurately as possible,” he wrote.
Rosner asked each RTO/ISO, along with their utilities and state regulators, for their perspective on:
- “How do you, the utilities in your footprint, and state regulators obtain information that verifies when and whether prospective large loads in your region will reach commercial operation?
- To what extent are prospective large load requests subject to consistent, objective screening criteria before they are included in the load forecast?
- How do you forecast how the actual electricity consumption of a large load will compare to its requested level of interconnection service?
- How do you coordinate with utilities at the regional or interregional level to share best practices on large load forecasting and ensure that large load interconnection requests are not double-counted?”
Notably, Rosner suggested RTOs and ISOs could borrow from the generator interconnection process, which applies observable milestones (such as signed contracts, financial security deposits, and site control) as objective thresholds before speculative projects are factored into regional load forecasts.
“Our experience to date tells us that large loads, such as data centers, have characteristics that call for new and improved forecasting methods,” he wrote. “Given the size and volume of new large load interconnection requests, I’m optimistic that utilities have an opportunity to apply similar criteria to those currently used to assess the commercial readiness of large projects in the generator interconnection queue.”
The timing reflects mounting pressure from consumer advocates and state regulators concerned about cost allocation for speculative projects. Recent analysis suggests data center electricity demand projections remain highly uncertain. Inherent bias usually steers toward overestimating the number of facilities that will achieve commercial operation.
As both the digital infrastructure industry and power sector grapple with these challenges, the upcoming Data Center Power Exchange (DPX) Summit on Oct. 28 in Denver offers a critical forum for utilities, grid operators, hyperscalers, and regulators to forge practical solutions. Former FERC Chairman Mark Christie will headline the event and deliver opening remarks, setting the stage for discussions on the power demand question, forecasting algorithms, streamlined interconnection processes, and coordinated investment strategies.
—Sonal Patel is a POWER senior editor (@sonalcpatel, @POWERmagazine).
