On April 1, 2026, NERC CIP-003-9 moves from "coming soon" to "subject to enforcement": the NERC Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-9 becomes officially enforceable on that date [tenable.com]. For those leading identity, security, or compliance at a utility, this isn't just a calendar update; it shifts what regulators expect you to prove about who has access to what across your IT and OT environments.
CIP-003-9 tightens controls for low-impact BES Cyber Systems, focusing particularly on vendor electronic remote access; the CIP-003-9 requirements for vendor electronic remote access must be implemented by April 1, 2026 [abs-group.com]. At the same time, groups like Volt Typhoon have shown how legitimate credentials and "living-off-the-land" methods let attackers quietly traverse critical infrastructure while evading legacy perimeter defenses. Volt Typhoon is a PRC state-sponsored APT that has targeted US critical infrastructure while relying on valid accounts and living-off-the-land techniques to evade detection [microsoft.com].
This guide walks through a practical, step-by-step approach to:
- Translate CIP-003-9 into actionable identity and access requirements
- Design a zero-trust, identity-first architecture spanning IT and OT
- Govern human, service, and automated accounts
- Replace manual provisioning and offboarding with automation
- Deliver the audit-ready evidence regulators now demand-without overextending your team
We'll show how platforms like Iden fill compliance gaps-especially if you're running Okta or Entra ID but also manage OT and SaaS apps that aren't SCIM-compatible.
Before You Start: Prerequisites
You'll move faster if you establish (or initiate) the following:
Clear CIP Scope
- Up-to-date list of NERC registrations and in-scope low-impact BES Cyber Systems (BCS)
- Clarity on which substations, control centers, and IT systems are "low-impact" and which are out of scope
Identity Data Sources
- HRIS as system of record for personnel
- Directory/IdP (AD, Okta, Entra ID) for authentication
- Inventory of remote and vendor access paths (VPNs, jump hosts, remote access tools)
Baseline Tooling
- Central SSO/IdP (Okta, Entra ID, etc.)
- Logging or SIEM platform
- Identity governance platform (or an adoption plan) capable of orchestrating provisioning, deprovisioning, and access reviews for both SCIM and non-SCIM apps-this is where Iden fits.
Executive Sponsorship
Step 1: Translate CIP-003-9 into Identity Requirements
CIP-003-9 is a policy and management-controls standard, but embedded within are clear identity requirements.
1.1 Know What CIP-003-9 Actually Requires
At a high level, CIP-003-9 compels you to:
- Maintain documented cybersecurity policies for high- and medium-impact BCS and assets with low-impact BCS (R1)
- Implement documented cybersecurity plans for low-impact BCS, including specified Attachment 1 sections (R2)
- Designate a CIP Senior Manager (R3) and document any delegations of the CIP Senior Manager's authority (R4) [nerc.com]
For assets containing low-impact BCS, Attachment 1 requires the cyber security plan to cover:
- Cybersecurity awareness
- Physical security
- Electronic access controls
- Cybersecurity incident response
- Transient Cyber Assets & Removable Media
- Vendor electronic remote access security controls (new in CIP-003-9)
CIP-003-9 requires documented cyber security plans for assets containing low-impact BES Cyber Systems, and those plans must now include the vendor electronic remote access security controls specified in Attachment 1 [nerc.com].
Attachment 1, Section 6 addresses identity directly:
For assets with low-impact BES Cyber Systems that allow vendor electronic remote access, CIP-003-9 Attachment 1 Section 6 requires documented processes to determine vendor electronic remote access (6.1), to disable it (6.2), and to detect known or suspected inbound and outbound malicious communications associated with that access (6.3) [nerc.com].
Identity implications:
- You must identify all vendor accounts/sessions (no more shared VPN accounts labeled "vendor")
- Disable vendor access quickly and reliably
- Monitor those sessions for potential threats
1.2 Understand Enforcement and Penalties
CIP-003-9 enforcement for low-impact BES Cyber Systems begins April 1, 2026, with additional implementation milestones in 2028 and 2030 [tenable.com].
NERC CIP violations can result in penalties of up to US$1 million per day, per violation, plus increased audit frequency and mandatory mitigation plans [infotech.com].
You're moving from "best practice" to regulatory liability if:
- Vendor access is managed by ad hoc VPNs and emails
- Offboarding is based on memory rather than process
- Identity evidence is scattered across spreadsheets and ticket logs
Common mistake
Treating CIP-003-9 as a paperwork update. Auditors increasingly require live evidence of how vendor access is granted, monitored, and revoked-not just a policy document.
Step 2: Build a Single Pane of Glass for Identities (Human and Non-Human)
Zero-trust control starts with full visibility of who and what has access.
2.1 Inventory All Identities and Access Paths
Include:
Human identities
- Employees (operations, engineering, SOC, GRC, IT)
- Contractors and vendors (field techs, OEM support, integrators)
Non-human identities
- Service accounts for OT applications
- API keys and integration accounts
- Monitoring tools, agents, automation scripts
Access paths
- Corporate VPNs and OT jump hosts
- Cloud/hosted HMI or SCADA dashboards
- SaaS systems with engineering or operational data (Jira, Confluence, Git, CMMS)
Identity sprawl-decades of one-off accounts, local RTU passwords, and poorly tracked vendor tools-is the chief obstacle here.
2.2 Consolidate into a Single Identity Governance View
Your aim is a single pane of glass displaying for each identity:
- Accessible systems (IT, OT, SaaS)
- Roles/entitlements
- Access approval trail
- Last use
An identity governance platform like Iden delivers this across SaaS, IdPs (Okta), and legacy apps lacking SCIM or API support. Iden's universal connector technology automates provisioning for more than 175 apps, including non-SCIM tools like Notion, Slack, Figma, Linear, and GitHub, without enterprise-plan upgrades.
Tip
Start with systems combining high impact + low visibility: vendor remote access tools, OT jump hosts, and SaaS platforms holding operational data. That's where CIP-003-9 and real risk converge.
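The inventory view above is straightforward to prototype before a governance platform is in place. The following is an added example (not code from the original page, and not Iden's): a Python script that merges constructed HRIS, IdP, local OT, vendor gateway and service-account records into one per-identity view with systems, last use and findings. All system names, account names, employee ids and the 90-day staleness threshold are assumptions.

```python
"""Consolidated identity inventory from several sources.

Added example: constructed sample data stands in for an HRIS export, an IdP
user list, local OT account dumps, a vendor gateway and a service-account
register. System names, ids and thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)   # fixed so results are reproducible
STALE_AFTER = timedelta(days=90)                   # assumed review threshold

# HRIS is the system of record for people: status is "active" or "terminated".
HRIS = {
    "E100": {"name": "Ana Ruiz", "status": "active", "role": "Protection Engineer"},
    "E101": {"name": "Ben Okafor", "status": "terminated", "role": "Substation Technician"},
}

# One record per account: (system, account, owner_id, owner_type, last_used).
# owner_type is "employee" (owner_id is an HRIS id), "vendor" or "service".
ACCOUNTS = [
    ("okta",            "ana.ruiz",      "E100", "employee", NOW - timedelta(days=2)),
    ("okta",            "ben.okafor",    "E101", "employee", NOW - timedelta(days=40)),
    ("hmi-sub07",       "aruiz",         "E100", "employee", NOW - timedelta(days=200)),
    ("hmi-sub07",       "bokafor",       "E101", "employee", NOW - timedelta(days=35)),
    ("hmi-sub07",       "engineer",      None,   "employee", NOW - timedelta(days=10)),  # shared local login
    ("vendor-gateway",  "acme-support1", "ACME", "vendor",   NOW - timedelta(days=400)),
    ("scada-historian", "svc_historian", None,   "service",  NOW - timedelta(days=1)),   # nobody owns it
    ("github",          "ana-ruiz",      "E100", "employee", None),                       # never used
]

ORPHAN_MARKERS = ("terminated", "no owner", "not in HRIS")


def identity_key(owner_id, owner_type, system, account):
    """Collapse accounts onto the identity that owns them; unowned logins stand alone."""
    if owner_type == "employee" and owner_id:
        return owner_id
    if owner_type == "vendor" and owner_id:
        return f"vendor:{owner_id}"
    if owner_type == "service":
        return f"service:{account}"
    return f"{system}:{account}"


def staleness(last_used):
    if last_used is None:
        return "never used"
    age = NOW - last_used
    return f"unused for {age.days} days" if age > STALE_AFTER else None


def build_inventory(accounts=ACCOUNTS, hris=HRIS):
    """Return {identity: {type, accounts, last_used, findings}} across all sources."""
    inventory = {}
    for system, account, owner_id, owner_type, last_used in accounts:
        key = identity_key(owner_id, owner_type, system, account)
        entry = inventory.setdefault(key, {"type": owner_type, "accounts": [],
                                           "last_used": None, "findings": []})
        entry["accounts"].append((system, account))
        if last_used and (entry["last_used"] is None or last_used > entry["last_used"]):
            entry["last_used"] = last_used
        tag = f"{system}/{account}"
        if owner_type == "employee":
            if owner_id is None:
                entry["findings"].append(f"{tag}: no owner (shared or local login)")
            elif owner_id not in hris:
                entry["findings"].append(f"{tag}: owner {owner_id} not in HRIS")
            elif hris[owner_id]["status"] != "active":
                entry["findings"].append(f"{tag}: owner terminated in HRIS, account still exists")
        elif owner_type == "service" and owner_id is None:
            entry["findings"].append(f"{tag}: service account has no owner")
        stale = staleness(last_used)
        if stale:
            entry["findings"].append(f"{tag}: {stale}")
    return inventory


def orphaned_identities(inventory):
    """Identities with no living owner: the first offboarding targets."""
    return sorted(k for k, e in inventory.items()
                  if any(m in f for f in e["findings"] for m in ORPHAN_MARKERS))


if __name__ == "__main__":
    for key, entry in build_inventory().items():
        print(key, entry["type"], entry["accounts"], entry["last_used"])
        for finding in entry["findings"]:
            print("   !", finding)
```

Every finding maps directly to the list above: accounts whose owner HRIS has terminated, shared local logins and service accounts with no owner, and entitlements nobody has used. The identity key is the point of the design: collapsing accounts onto the person, vendor or service that owns them is what turns five exports into a single pane of glass, and an account that cannot be collapsed onto anyone is itself a finding.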
Step 3: Design Least-Privilege Access Control Policies
In utilities, zero trust means every session is explicitly authorized, least-privilege, and time-bound-no implicit trust behind the VPN.
3.1 Define Roles and Entitlements
Collaborate with operations, engineering, and vendors to define:
- Standard roles (e.g., "Protection Engineer," "Substation Technician," "OEM Remote Support," "SOC Analyst")
- For each role:
- Required BES Cyber Systems
- Approved actions (view, change settings, upload firmware, run scripts)
- Necessary SaaS/IT systems
Translate to enforceable access policies in your IGA/IdP:
- Role-based groups (Okta/Entra/AD)
- Fine-grained permissions in OT tools
- Time-bound, just-in-time (JIT) elevation for high-risk tasks
Iden enables fine-grained control-down to channel, repository, and project-so you move beyond simple "access/no access."
3.2 Layer in Adaptive Access and Risk Management
Not every session carries the same risk. Employ adaptive access rules:
- Step-up MFA for:
- External remote access
- Privileged actions (firmware uploads, relay changes)
- Shorter session durations for vendor/emergency access
- Additional approvals for production changes at critical locations
Your IGA layer should automate these controls-issuing short-lived entitlements instead of granting standing privileges.
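One way to make the policies in 3.1 and 3.2 concrete, as an added example (not code from the original page or from Iden): a deny-by-default authorization check in Python that requires an active time-bound grant, checks the role's systems and actions, demands step-up MFA for external or privileged sessions, requires a second approver for production changes at critical sites, and caps session length by subject type. Roles, systems, grants, the critical-site tag and the session caps are assumptions.

```python
"""Authorization policy for time-bound, role-scoped, risk-aware access.

Added example: roles, systems, grants and thresholds are constructed; the
"critical site" tag is assumed to come from the asset inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 2, 10, 0, tzinfo=timezone.utc)

PRIVILEGED_ACTIONS = {"change_settings", "upload_firmware", "run_script"}
CRITICAL_SITES = {"relay-sub07"}
MAX_SESSION = {"vendor": timedelta(hours=2), "employee": timedelta(hours=8)}

ROLES = {
    "Protection Engineer": {"systems": {"relay-sub07", "hmi-sub12"},
                            "actions": {"view", "change_settings", "upload_firmware"}},
    "OEM Remote Support":  {"systems": {"hmi-sub12"}, "actions": {"view", "change_settings"}},
    "SOC Analyst":         {"systems": {"relay-sub07", "hmi-sub12"}, "actions": {"view"}},
}

@dataclass
class Grant:               # a time-bound entitlement issued by the IGA workflow
    subject: str
    role: str
    system: str
    start: datetime
    end: datetime
    approvers: tuple

@dataclass
class Request:
    subject: str
    subject_type: str      # "employee" or "vendor"
    system: str
    action: str
    network: str           # "internal" or "external"
    mfa: str               # "password", "mfa" or "step_up"

@dataclass
class Decision:
    allow: bool
    reason: str
    session_minutes: int = 0

GRANTS = [
    Grant("ana.ruiz", "Protection Engineer", "relay-sub07",
          NOW - timedelta(hours=1), NOW + timedelta(hours=7), ("mgr.ops",)),
    Grant("acme-support1", "OEM Remote Support", "hmi-sub12",
          NOW - timedelta(minutes=30), NOW + timedelta(minutes=90), ("mgr.ops", "cip.senior.mgr")),
]

def authorize(req, grants=GRANTS, now=NOW):
    """Deny by default; every allow names the grant, role and approvers it rests on."""
    active = [g for g in grants
              if g.subject == req.subject and g.system == req.system and g.start <= now < g.end]
    if not active:
        return Decision(False, "no active time-bound entitlement for this system")
    grant = max(active, key=lambda g: g.end)
    role = ROLES[grant.role]
    if req.system not in role["systems"] or req.action not in role["actions"]:
        return Decision(False, f"{req.action} on {req.system} not permitted by role {grant.role}")
    privileged = req.action in PRIVILEGED_ACTIONS
    if (privileged or req.network == "external") and req.mfa != "step_up":
        why = "privileged action" if privileged else "external remote access"
        return Decision(False, f"step-up MFA required for {why}")
    if privileged and req.system in CRITICAL_SITES and len(grant.approvers) < 2:
        return Decision(False, "production change at a critical site needs a second approval")
    ttl = min(grant.end - now, MAX_SESSION[req.subject_type])   # never outlive the grant
    return Decision(True, f"role {grant.role}, approved by {', '.join(grant.approvers)}",
                    int(ttl.total_seconds() // 60))

if __name__ == "__main__":
    for req in (Request("ana.ruiz", "employee", "relay-sub07", "view", "internal", "mfa"),
                Request("ana.ruiz", "employee", "relay-sub07", "upload_firmware", "internal", "mfa"),
                Request("acme-support1", "vendor", "hmi-sub12", "view", "external", "step_up")):
        print(req.subject, req.action, authorize(req))
```

The ordering of the checks matters: the grant lookup comes first so that a correct password with no approved window is refused before any role logic runs, and the session TTL is derived from whichever is shorter, the grant's remaining time or the per-subject cap, so a vendor session can never outlive the approval that created it.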
Common mistake
Treating CIP-003-9 as "low-impact only." The identity architecture you build here should support your broader zero-trust strategy, as attackers don't follow your asset tiering.
Step 4: Lock Down Vendor and Remote Access (CIP-003-9 Attachment 1 Section 6)
This is often the decisive factor in a CIP-003-9 audit.
Attachment 1, Section 6 requires processes to:
- Identify vendor electronic remote access (who, from where, to what)
- Disable said access
- Detect known or suspected inbound and outbound malicious communications
CIP-003-9 Attachment 1 Section 6 requires documented and implemented processes to identify, disable, and monitor vendor electronic remote access for assets with low-impact BES Cyber Systems [nerc.com].
4.1 Replace Shared VPNs with Identity-Centric Brokered Access
Move away from:
- Shared/generic VPN accounts
- Persistent OT tunnels
- Vendor laptops as the exclusive audit trail
Shift to:
- Individual accounts for every vendor and contractor
- Central brokering (PAM/remote access gateways)
- Mandatory MFA and JIT elevation for privileged tasks
- Full session recording and metadata
Vendors such as BeyondTrust stress this model because it supports audit traceability: the CIP-003-9 updates effective April 1, 2026 require organizations to provide granular evidence of who accessed BES systems, when, and under what approvals [beyondtrust.com].
4.2 Orchestrate Vendor Access via Identity Governance
Leverage your IGA platform as the front door:
- Vendors request access via structured workflow (ticketing, portal, chatbot)
- Explicit approval with defined access scope and time window
- IGA automatically:
- Creates or enables the vendor account
- Assigns appropriate role/group in IdP or OT gateway
- Activates time-bound entitlement
- Upon expiry, revokes entitlement automatically
Iden manages these workflows across SaaS and legacy/custom apps, including those without SCIM or API capabilities.
Tip
Include a simple vendor access matrix in your evidence folder: Vendor -> Systems -> Access method -> Disable mechanism. Auditors appreciate clear and direct answers to "How do you disable this session?"
Step 5: Automate Joiner-Mover-Leaver Across IT, OT, and SaaS
CIP-003-9 is part of a broader compliance tapestry. CIP-004 expects prompt access revocation on personnel departure or role change: under NERC CIP-004, utilities must revoke access from employees within 24 hours of termination, in addition to enforcing periodic background checks and training [assurx.com]. (CIP-004's personnel and access management requirements apply to high- and medium-impact BCS; assets with low-impact BCS are governed by the CIP-003 plan, but one offboarding process that covers every tier is the practical answer.) Manual offboarding almost always misses accounts, especially in OT and long-tail SaaS.
5.1 Link Provisioning to HR and Role Data
Adopt identity automation so:
- HRIS triggers workflows for new hires, role changes, or terminations
- Birthright access is granted by role, location, function
- Sensitive access requires extra approval
Iden excels at automating the full identity lifecycle: immediate birthright access, zero-touch offboarding, and time-bound privileged access.
5.2 Make Offboarding Deterministic, Not Best-Effort
A systematic offboarding process should:
- Disable IdP (Okta/Entra) and AD accounts
- Terminate VPN and brokered remote sessions
- Remove OT accounts (local HMI/SCADA, engineering workstations)
- Revoke SaaS tool access (ticketing, CMMS, repos)
- Transfer or deactivate non-human identities owned by the user (service accounts, API keys)
Common mistake
Stopping at IdP and AD, assuming this removes all access. Local OT, vendor portals, and SaaS logins with separate authentication often remain, creating orphaned accounts and potential audit findings.
Iden was designed to address this-governing human, AI agent, and service accounts in one system. Customers note significantly fewer zombie accounts after implementing full lifecycle automation.
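The vendor expiry in 4.2 and the leaver checklist in 5.2 are the same operation: walk a fixed list of systems, act on each, and record what happened. The following added example (not code from the original page or from Iden) runs both through one deprovisioning routine in Python. System state and connectors are constructed stand-ins; the local HMI connector deliberately has no API and reports "pending", so the run is marked incomplete instead of claiming success. Account and system names and the reviewer "mgr.ops" are assumptions.

```python
"""Deterministic deprovisioning with an evidence trail.

Added example: STATE is a constructed stand-in for the real systems and the
connector functions for their APIs (or, for the local HMI, the absence of one).
Account names, system names and the reviewer "mgr.ops" are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

NOW = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)

STATE = {
    "okta": {"ben.okafor": "enabled"},
    "vpn-gateway": {"ben.okafor": ["sess-4412", "sess-4419"]},   # live sessions
    "hmi-sub07": {"bokafor": "enabled"},                         # local login, no API
    "github": {"ben-okafor": "member"},
    "vendor-gateway": {"acme-support1": "enabled"},
    "service-accounts": {"svc_relay_export": "ben.okafor"},      # name -> owner
}

# Every connector returns (result, detail) with result in {"done", "pending", "failed"}.
def okta_suspend(user):
    STATE["okta"][user] = "suspended"
    return "done", "user suspended through the IdP API"

def vpn_terminate(user):
    n = len(STATE["vpn-gateway"].pop(user, []))
    return "done", f"terminated {n} active session(s)"

def hmi_local_remove(user):
    # No remote management interface: the step is recorded as pending, never
    # silently marked done, so the leaver stays open until a technician closes it.
    return "pending", "no API on local HMI; removal queued to the substation runbook"

def github_remove(user):
    STATE["github"][user] = "removed"
    return "done", "organization membership removed"

def vendor_gateway_disable(user):
    STATE["vendor-gateway"][user] = "disabled"
    return "done", "vendor account disabled on the remote access gateway"

def nhi_reassign(name, new_owner="mgr.ops"):
    STATE["service-accounts"][name] = new_owner
    return "done", f"ownership transferred to {new_owner} pending review"

CONNECTORS = {"okta": okta_suspend, "vpn-gateway": vpn_terminate, "hmi-sub07": hmi_local_remove,
              "github": github_remove, "vendor-gateway": vendor_gateway_disable}
STEP_ORDER = ["idp", "remote", "ot", "saas"]   # identity provider and live sessions first

@dataclass
class Evidence:
    when: str
    step: str
    system: str
    account: str
    result: str
    detail: str
    reason: str

def deprovision(accounts, owned_nhis, reason, now=NOW):
    """accounts: [(step_kind, system, account)]. Returns (status, evidence_trail)."""
    trail = []
    for kind, system, account in sorted(accounts, key=lambda a: STEP_ORDER.index(a[0])):
        result, detail = CONNECTORS[system](account)
        trail.append(Evidence(now.isoformat(), kind, system, account, result, detail, reason))
    for name in owned_nhis:                      # service accounts the leaver owned
        result, detail = nhi_reassign(name)
        trail.append(Evidence(now.isoformat(), "nhi", "service-accounts", name, result, detail, reason))
    status = "complete" if all(e.result == "done" for e in trail) else "incomplete"
    return status, trail

def open_items(trail):
    """What is still open after the run; this list is the thing to escalate, not hide."""
    return [(e.system, e.account, e.result) for e in trail if e.result != "done"]

def offboard_leaver(now=NOW):
    """HRIS termination for E101: the account list comes from the identity inventory."""
    accounts = [("saas", "github", "ben-okafor"), ("ot", "hmi-sub07", "bokafor"),
                ("idp", "okta", "ben.okafor"), ("remote", "vpn-gateway", "ben.okafor")]
    return deprovision(accounts, ["svc_relay_export"], "HRIS termination E101", now)

def expire_vendor_grants(grants, now=NOW):
    """grants: [(vendor_account, system, end)]. Expired grants go through the same path."""
    results = {}
    for account, system, end in grants:
        if end <= now:
            results[account] = deprovision([("remote", system, account)], [],
                                           f"vendor grant expired {end.isoformat()}", now)
    return results

if __name__ == "__main__":
    status, trail = offboard_leaver()
    print(status, open_items(trail))
    for e in trail:
        print(f"{e.when} {e.step:6} {e.system:15} {e.account:15} {e.result:8} {e.detail}")
```

Two design points carry the weight. First, the step order is fixed: the IdP and live remote sessions go first, because they are the access an attacker holding the leaver's credentials would use next, and the long tail follows. Second, the routine returns "incomplete" whenever any connector could not finish, and the evidence row for that step says why; that open item is what goes into the audit binder and the technician's queue, rather than disappearing behind a green checkmark.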
Step 6: Instrument Evidence: Audit Trails, Access Reviews, and Retention
CIP-003-9 mandates you prove what you did-not just your intent.
CIP-003-9 requires responsible entities to retain evidence of compliance with each requirement for three calendar years, and longer when non-compliance occurs: until the mitigation is complete and approved [nerc.com].
6.1 Centralize Audit Trails for Identity Activity
At a minimum, you should track for any in-scope system:
- Who had access?
- Who approved and when?
- Last access date?
Operationally, this means:
- Feeding IdP, IGA, PAM, and OT logs into your SIEM
- Tagging identity events by asset (high/medium/low BCS), vendor vs. internal
- Enabling session recording for privileged and vendor activity
Iden generates comprehensive audit trails for provisioning, deprovisioning, and access reviews-even for non-SCIM, non-API apps-so you're not left piecing together evidence from disparate files.
6.2 Automate User Access Reviews
Regulators now expect evidence-based compliance. For identity, this means:
- Regular reviews for critical system access
- Managers certifying access appropriateness
- Evidence that excessive/unused access has been removed
Teams using Iden have automated user access reviews and report saving around 120 hours per quarter on manual review and evidence collection for compliance audits like SOC 2 and ISO 27001
For CIP-003-9, continuous review demonstrates that vendor access is limited and not open-ended.
Tip
Schedule access reviews to serve multiple frameworks-CIP, SOC 2, ISO 27001, even NIS2. Tagging systems and controls by framework in your IGA tool provides multi-framework evidence from a single campaign.
Step 7: Test Against a Volt Typhoon-Style Scenario and Prepare for Audit
A "zero-trust identity architecture" must be validated against likely regulator scenarios.
7.1 Run a Volt Typhoon Tabletop Exercise
Simulate:
- Attacker acquires valid vendor credentials
- Connection via approved remote access path
- Lateral movement toward OT using built-in tools
Assess:
- Which controls spot or block activity with otherwise valid credentials?
- Can you observe the session in identity governance and logging platforms?
- How fast can you revoke all access for that identity?
- What audit evidence can you provide to show steps taken?
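The tabletop questions in 7.1 and the log centralization in 6.1 come down to a join between session logs and approved grants. As an added example (not code from the original page or from Iden), the Python below runs four checks over constructed JSON log lines: no active grant at the time of the session, target outside the approved scope, source outside the vendor's registered network, and built-in tools on a watchlist in a vendor session. Names, addresses, asset tiers and the watchlist are assumptions; the watchlist is a small subset of the tools that public reporting on Volt Typhoon (CISA advisory AA24-038A) describes.

```python
"""Detection of valid-credential abuse over identity and session logs.

Added example: LOGS are constructed JSON lines standing in for PAM, VPN and
jump-host events already forwarded to the SIEM; GRANTS are the approved vendor
and employee entitlements exported from the IGA. Names, addresses and tiers are
assumptions. LOTL_WATCHLIST is a small subset of the built-in tools public
reporting on Volt Typhoon (CISA AA24-038A) describes; extend it from your own
threat model.
"""
import ipaddress
import json
from datetime import datetime, timezone

ASSET_TIERS = {"hmi-sub12": "low", "eng-ws-01": "low", "relay-sub07": "medium"}
VENDOR_ACCOUNTS = {"acme-support1"}
LOTL_WATCHLIST = ("netsh interface portproxy", "ntdsutil", "wmic", "vssadmin")

GRANTS = [
    {"user": "acme-support1", "targets": {"hmi-sub12"}, "sources": ["203.0.113.0/24"],
     "start": "2026-03-02T10:00:00Z", "end": "2026-03-02T12:00:00Z"},
    {"user": "ana.ruiz", "targets": {"relay-sub07"}, "sources": ["10.20.0.0/16"],
     "start": "2026-03-02T09:00:00Z", "end": "2026-03-02T17:00:00Z"},
]

LOGS = """\
{"ts":"2026-03-02T10:05:00Z","src":"pam","event":"session_start","user":"acme-support1","source_ip":"203.0.113.10","target":"hmi-sub12"}
{"ts":"2026-03-02T10:20:00Z","src":"pam","event":"session_start","user":"acme-support1","source_ip":"203.0.113.10","target":"eng-ws-01"}
{"ts":"2026-03-02T10:22:00Z","src":"jumphost","event":"command","user":"acme-support1","target":"eng-ws-01","cmd":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.10.7.21 connectport=502"}
{"ts":"2026-03-02T13:00:00Z","src":"pam","event":"session_start","user":"acme-support1","source_ip":"198.51.100.7","target":"hmi-sub12"}
{"ts":"2026-03-02T10:30:00Z","src":"pam","event":"session_start","user":"ana.ruiz","source_ip":"10.20.1.5","target":"relay-sub07"}
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def active_grant(user, ts, grants):
    return next((g for g in grants if g["user"] == user
                 and parse_ts(g["start"]) <= ts < parse_ts(g["end"])), None)

def detect(log_text=LOGS, grants=GRANTS):
    """Return one alert per event that breaks the approved scope, window, source or toolset."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        rules = []
        grant = active_grant(ev["user"], ts, grants)
        if grant is None:
            rules.append("no_active_grant")            # valid password, no approved window
        else:
            if ev["target"] not in grant["targets"]:
                rules.append("target_out_of_scope")    # lateral movement off the approved asset
            ip = ev.get("source_ip")
            if ip and not any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                              for n in grant["sources"]):
                rules.append("unexpected_source")
        cmd = ev.get("cmd", "").lower()
        hit = next((w for w in LOTL_WATCHLIST if w in cmd), None)
        if hit:
            rules.append(f"lotl_tool:{hit}")
        if rules:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "target": ev["target"],
                           "asset_tier": ASSET_TIERS.get(ev["target"], "untagged"),
                           "subject": "vendor" if ev["user"] in VENDOR_ACCOUNTS else "internal",
                           "rules": rules})
    return alerts

def identities_to_revoke(alerts):
    """Accounts whose alerts justify immediate revocation through the deprovisioning path."""
    return sorted({a["user"] for a in alerts})

if __name__ == "__main__":
    found = detect()
    for a in found:
        print(a["ts"], a["subject"], a["user"], "->", a["target"], a["asset_tier"], a["rules"])
    print("revoke:", identities_to_revoke(found))
```

The first session in the sample is clean: approved vendor, approved target, approved window and source. The next two show what a Volt Typhoon-style operator looks like in identity terms: the same valid credential moving to an engineering workstation that was never in scope, then setting up a port proxy with a built-in tool. The fourth fires only because the grant has expired, which is exactly the "is this session still approved?" question an auditor asks. Each alert carries the asset tier and vendor/internal tag from 6.1, so the SIEM can route low-impact vendor findings and medium-impact internal findings to different playbooks.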
7.2 Build Your CIP-003-9 "Identity Binder"
Maintain a concise package (physical or digital) containing:
- Architecture diagrams (IdP, IGA, OT remote access, logging)
- Mapping of CIP-003-9 R1-R4 and Attachment 1 to implemented identity controls
- Sample artifacts:
- Vendor access request to revocation
- Joiner-mover-leaver workflows
- Access review campaigns and follow-up
- Evidence retention/backups for three-year compliance windows
Common mistake
Waiting for auditors to request evidence, leading to reactive scrambling. Treat "always-on audit readiness" as an architectural goal-if it's not captured and reproducible, it didn't happen.
Where Iden Fits in a CIP-003-9 Zero-Trust Identity Architecture
A pragmatic utility architecture includes:
- IdP (Okta/Entra) for authentication and MFA
- Iden as the identity governance and orchestration layer:
- Connects to SaaS, OT, custom tools-whether SCIM-compatible or not
- Enforces policy-based provisioning, deprovisioning, JIT access for all account types
- Automates access reviews and evidence collection across the stack
- Integrates with SIEM for centralized audit trails and adaptive security
- Remote access/PAM for vendor and privileged session brokering
- SIEM/logging for monitoring and forensics
With this combination, lean IT and security teams can meet the strict identity, access, and evidence demands of CIP-003-9-without kludging spreadsheets and scripts onto an outdated perimeter model.
Next Steps: A 90-Day Action Plan
If the April 1, 2026 deadline is looming, prioritize momentum over perfection:
Next 30 days
- Confirm CIP scope and inventory all vendor remote access paths
- Establish your identities inventory for both human and non-human users
- Select your IGA/orchestration platform if needed
Days 31-60
- Define least-privilege roles for operators, engineers, vendors
- Implement brokered access for the most critical vendor paths
- Automate termination workflows for your top 10 critical systems
Days 61-90
- Activate automated access reviews for in-scope systems
- Run a Volt Typhoon-style tabletop
- Assemble your CIP-003-9 identity binder and test with internal audit
Iden is purpose-built for teams facing real deadlines, lean staffing, and too many manual tickets. If you want to see "complete identity governance" in practice across IT, OT, and SaaS, now is the time to evaluate it alongside your CIP-003-9 program.
FAQ
1. Is SSO (Okta/Entra) enough to satisfy NERC CIP-003-9 identity requirements?
No. SSO/IdP is necessary, but not sufficient.
CIP-003-9 requires policy enforcement, vendor remote access controls, and audit evidence that go far beyond basic authentication:
- Documented cybersecurity plans for low-impact BCS, including vendor remote controls
- Demonstrated ability to determine, disable, and monitor vendor electronic remote access
- Evidence retention for a minimum of three years
An IdP alone cannot automate lifecycle, vendor workflows, or access reviews-those are governance tasks.
2. How is a zero-trust identity architecture different from traditional perimeter-based security in a NERC environment?
Perimeter security trusts everything behind the VPN or OT network; zero trust assumes no implicit trust:
- Every session: strong authentication and authorization
- Access: least-privilege and time-bound
- Vendor access: brokered, observable, easily revoked
- Identity is the control plane-even within the OT network
This approach meets both the letter of CIP-003-9 and the realities exposed by Volt Typhoon-style campaigns.
3. Can we build this with scripts and spreadsheets instead of a full IGA platform?
You can script pieces-provisioning, reports-but scalability is limited:
- Scripts don't scale to many OT and SaaS apps, particularly non-SCIM
- Spreadsheets lack real-time visibility and tamper-resistance
- Manual processes falter under turnover and audits
A platform like Iden offers a single pane of glass for all identities and access, universal connectors (including non-SCIM), and built-in reviews and evidence collection. That's difficult to replicate reliably with ad hoc tools.
4. How should we treat non-human identities (service accounts, OT system accounts) under CIP-003-9?
Treat them as first-class citizens:
- Inventory alongside human accounts
- Assign owners and document purposes
- Apply least-privilege and time-bound controls where feasible
- Include in access reviews and evidence
Iden centrally manages human, service, and machine identities, allowing you to demonstrate to auditors that you have no blind spots with automated actions.
5. How does this help with other frameworks (SOC 2, NIS2, HIPAA, etc.)?
Modern frameworks converge on identity foundations:
- Central governance
- Least-privilege access
- Strong authentication
- Periodic access reviews
- Audit-ready evidence
If you center your CIP-003-9 strategy on automated governance, lifecycle management, and continuous evidence, you cover much of SOC 2, ISO 27001, NIS2, HIPAA, CMMC, and DORA. The key is tagging systems and controls by framework in your IGA platform to maximize compliance overlap.