Powering Resilience: Operationalizing Supply Chain Security Under FERC Order No. 912

How electric utilities and automation providers can move from compliance to continuous resilience under FERC’s new supply chain risk management directive.

Article
November 7, 2025


When the Federal Energy Regulatory Commission (FERC) released Order No. 912, it marked a turning point in how the energy industry defines, and defends, resilience. The directive marks a shift from static compliance to active stewardship, treating supply chain risk management as a living process that evolves with every stage of an asset’s life.

For utilities and their suppliers, it represents both a regulatory imperative and an opportunity: to modernize procurement, strengthen cybersecurity, and align with a new era of operational accountability.

The New Rules of Power Resilience

Effective November 24, 2025, FERC’s Order No. 912 directs the North American Electric Reliability Corporation (NERC) to update its Critical Infrastructure Protection (CIP) standards—specifically CIP-005, CIP-010, and CIP-013—to reflect today’s evolving threat landscape.

The rule expands traditional supply chain risk management (SCRM) obligations beyond procurement to encompass ongoing monitoring, lifecycle reassessment, and transparent documentation across every stage of an asset’s existence, from sourcing to emergency replacement.

That shift fundamentally changes the game:

  • For utilities: Compliance becomes continuous.

  • For suppliers: Transparency and cyber maturity are now baseline expectations.

  • For the industry: Security, resilience, and reliability converge into one unified framework.

For utilities, this means a fundamental shift from compliance to continuous operational vigilance.

From Static Compliance to Continuous Vigilance

Adversaries have evolved, and so must the grid. Order No. 912 recognizes that the weakest links often lie in third-party vendors, patch servers, or auxiliary systems once considered peripheral to core operations. These indirect pathways have become high-value targets for cyber attackers.

By extending oversight to Protected Cyber Assets (PCAs), the systems that support and surround bulk electric infrastructure, FERC is closing the “indirect risk” gap in grid defense. The result is a model that prizes visibility, intelligence, and agility as prerequisites for reliability.

The regulation introduces five interlocking dimensions of resilience:
  1. Expanded Scope: Includes PCAs and associated IT/OT assets, broadening the universe of covered vendors.

  2. Lifecycle Awareness: Periodic reassessments become mandatory throughout an asset’s operational life.

  3. Emergency Preparedness: Even spares and emergency replacements must undergo rapid risk evaluation.

  4. Auditability: Documented, traceable risk responses are now a compliance requirement.

  5. Risk-Based Tailoring: Entities can adjust monitoring cadence based on criticality—empowering data-driven resource allocation.

Together, these pillars elevate resilience from a static process to a living system of intelligence and accountability.

The Utility Imperative: Prepare Now

For procurement and security leaders at utilities and automation firms, preparation starts today. Managing sprawling, multi-tiered supply chains (often encompassing thousands of vendors) demands more than spreadsheets and attestations. It requires AI-driven automation, continuous monitoring, and digital documentation ecosystems that scale with regulatory and operational complexity.

FERC Order No. 912 expands expectations across the entire supply base:

New Requirement | Impact on Utilities | Impact on Suppliers
PCA Inclusion | Expands oversight to new systems and teams | Brings IT, OT, and cybersecurity vendors into scope
Time-Bound Reassessment | Enforces reassessment before deployment | Requires suppliers to maintain live risk data
Lifecycle Reassessment | Mandates continuous visibility | Demands proactive risk posture updates
Emergency/Spare Coverage | Requires pre-deployment validation | Necessitates rapid supplier and origin verification
Risk Tracking & Documentation | Calls for audit-ready evidence | Encourages cooperation in remediation
Risk-Based Tailoring | Allows adaptive reassessment intervals | Rewards suppliers with strong risk maturity

The message is clear: compliance under Order 912 is no longer a back-office function—it’s a strategic capability.

Managing that scale demands technology-enabled approaches that combine AI, big data, and continuous monitoring to identify critical suppliers and evolving risks efficiently.

Technology as a Force Multiplier

Exiger’s AI-powered supply chain risk management platform is built to turn FERC’s regulatory expectations into measurable, operational outcomes. Our tools automate the intelligence, documentation, and decision-making workflows that utilities need to thrive under the new standard.

Regulatory Need | Exiger Capability | Example Use Case
PCA Inclusion | Tier-N supply chain mapping & automated risk assessment | Continuous screening of IT/OT suppliers
Time-Bound & Periodic Reassessments | Automated refresh cycles & monitoring | Trigger reassessments after ownership or incident changes
Emergency/Spare Coverage | Supplier illumination and instant verification | Vetting replacement parts during restoration
Continuous Risk Tracking | Automated mitigation workflows & audit trails | Demonstrating actions to regulators in real time
Risk-Based Tailoring | Dynamic reassessment based on criticality | Aligning effort to threat exposure

Why Exiger

  • Continuous Intelligence: Real-time visibility into millions of risk sources.

  • Sub-Tier Mapping: Deep insight into hidden dependencies.

  • Automated Audit Trail: Compliance-ready documentation aligned to CIP-013.

  • Operational Agility: Instant supplier vetting for spare parts and crises.

  • Collaborative Transparency: Secure data exchange across ecosystems.

For a detailed breakdown of regulatory timelines, compliance actions, and implementation models, download the full Exiger white paper: Operationalizing Supply Chain Resilience Under FERC Order No. 912.

Building a Culture of Continuous Resilience

Operationalizing Order 912 requires more than technology; it demands a mindset shift. Utilities must integrate risk monitoring into procurement, cybersecurity, and operations, creating a shared culture of vigilance.

Exiger partners with utilities and automation leaders to design and implement lifecycle SCRM frameworks that blend automation with accountability. Through tailored onboarding, governance design, and cross-functional training, we help organizations:
  1. Map PCA-related assets and vendors

  2. Define reassessment cadences and triggers

  3. Integrate continuous monitoring into daily workflows

  4. Automate evidence collection

  5. Build transparent supplier partnerships

By aligning with industry peers like the North American Transmission Forum (NATF) and collaborating directly with FERC and NERC, Exiger helps the power sector implement regulation with precision, and without disrupting reliability.

The Future of Energy Security Starts Now

As the grid grows smarter and more connected, the stakes for supply chain resilience have never been higher. Order 912 offers a blueprint not just for compliance, but for transformation. For CPOs and CISOs tasked with powering America’s energy future, now is the moment to operationalize intelligence, automate trust, and institutionalize resilience.

Compliance is the floor. Resilience is the standard.
