NERC CIP MFA Requirements at a Glance

  • MFA is mandatory for interactive remote access: CIP-005-7 Requirement R2.2 explicitly requires two-factor authentication for all interactive remote access sessions to High and Medium Impact BES Cyber Systems originating from outside the Electronic Security Perimeter.
  • An Intermediate System is required: CIP-005-7 R2.1 requires that all interactive remote access be routed through an Intermediate System — remote access that bypasses this is not compliant regardless of MFA status.
  • Authentication management applies broadly: CIP-007-6 Requirement R5 governs authentication for all user access to applicable BES Cyber Systems, including password policies, shared account controls, and authentication attempt limits.
  • Applies to High and Medium Impact systems: Two-factor authentication requirements apply to High and Medium Impact BES Cyber Systems. Low Impact systems have reduced requirements under CIP-003.
  • Penalties reach $1 million per day per violation: NERC has authority to fine registered entities up to $1 million per day for each violation of a reliability standard requirement.
  • Air-gapped and OT environments are in scope: NERC CIP requirements apply regardless of whether systems are internet-connected. OT environments, SCADA systems, and air-gapped infrastructure within the Electronic Security Perimeter are all subject to authentication requirements.

What is NERC CIP?

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a mandatory set of cybersecurity and physical security requirements designed to protect the bulk electric system of North America. NERC itself was originally formed on June 1, 1968, as the National Electric Reliability Council following the catastrophic Northeast blackout of 1965, which left 30 million people without power. The current NERC entity was incorporated on March 28, 2006, as a not-for-profit international regulatory authority, succeeding the original voluntary organization and gaining mandatory enforcement authority under the Energy Policy Act of 2005. The first version of the CIP Reliability Standards was approved by the Federal Energy Regulatory Commission (FERC) in January 2008.
 
NERC CIP is a suite of individual standards — not a single document — each addressing a specific area of critical infrastructure protection. The standards most directly relevant to MFA and authentication are CIP-005 (Electronic Security Perimeter) and CIP-007 (System Security Management), currently at versions CIP-005-7 and CIP-007-6. Other standards in the suite govern physical security, personnel and training, incident response, configuration management, and supply chain risk. The standards are updated periodically, with FERC approval required for any changes.
 
Unlike frameworks such as NIST CSF that offer voluntary guidance, NERC CIP compliance is mandatory for all registered entities involved in operating the bulk electric system. Non-compliance is subject to enforcement by NERC’s regional entities and ultimately by FERC in the United States. Violations are a matter of public record, and the enforcement process is rigorous and audit-driven.

Who Does NERC CIP Apply To?

NERC CIP applies to any organization registered with NERC as a functional entity involved in operating or supporting the bulk electric system (BES) across the continental United States, Canada, and a portion of Baja California, Mexico. This includes:

  • Transmission Operators (TOPs): Organizations responsible for operating the transmission facilities that form the backbone of the bulk electric system.
  • Generation Operators (GOPs): Organizations that operate generation resources connected to the bulk electric system, including conventional and renewable generation facilities.
  • Balancing Authorities (BAs): Entities that maintain real-time load and generation balance within a defined area of the interconnected grid.
  • Reliability Coordinators (RCs): The highest level of reliability oversight, responsible for the real-time operating reliability of large portions of the interconnected transmission system.
  • Distribution Providers (DPs): Utilities that own or operate distribution facilities, where those facilities include certain types of systems that affect the bulk electric system.
  • Independent System Operators and Regional Transmission Organizations (ISOs/RTOs): Entities that manage the flow of electricity across large regions and coordinate regional transmission.

NERC CIP requirements are tiered by the impact level of a registered entity’s BES Cyber Systems — classified as High, Medium, or Low Impact based on their criticality to grid reliability. High and Medium Impact systems carry the most extensive requirements, including the explicit two-factor authentication mandate in CIP-005-7. Low Impact systems are governed by the lighter-touch requirements of CIP-003.
 
A note for Canadian organizations: NERC CIP applies across Canada wherever organizations operate bulk electric system assets. In Canada, compliance is overseen by provincial regulatory bodies rather than FERC, but the underlying NERC standards are the same. Canadian entities subject to NERC CIP face the same authentication requirements and should apply the same implementation approach as their US counterparts.

What Are the NERC CIP Requirements?

NERC CIP is organized into over a dozen individual standards. The following table maps the standards and requirements most directly relevant to MFA and authentication.
 

NERC CIP Standard | Requirement | MFA Relevance | LoginTC Relevance
CIP-005-7 | R2.1: Interactive remote access to High/Medium Impact BES Cyber Systems must be routed through an Intermediate System | Architecture requirement | LoginTC integrates with Intermediate System infrastructure via RADIUS
CIP-005-7 | R2.2: Two-factor authentication required for all interactive remote access to High and Medium Impact BES Cyber Systems | Mandatory | MFA enforcement for all remote access sessions via RADIUS/LDAP
CIP-007-6 | R5: Authentication management including unique user IDs, shared account controls, password policies, and authentication attempt limits | Mandatory | Centralized authentication policy enforcement and user management
CIP-007-6 | R4: Logging of security events including authentication activity, with 90-day retention for High/Medium Impact systems | Audit evidence | Authentication event logs for NERC CIP audit support
CIP-004-7 | R4: Access management — least privilege, periodic review, and timely revocation of electronic access | Access lifecycle management | Centralized user access controls and account management

CIP-005-7: Electronic Security Perimeter

CIP-005 governs the establishment and protection of the Electronic Security Perimeter (ESP) — the logical boundary around the network that contains High and Medium Impact BES Cyber Systems. All communication crossing the ESP boundary must be controlled, and interactive remote access from outside the ESP is subject to the most stringent requirements.
 
Requirement R2.1 requires that interactive remote access to High and Medium Impact BES Cyber Systems be facilitated through an Intermediate System — a system that sits between the remote user and the target BES Cyber System. Direct remote access to BES Cyber Systems is not permitted. The Intermediate System acts as a control point where authentication, monitoring, and session management can be enforced.
 
Requirement R2.2 is the explicit MFA mandate: all interactive remote access sessions originating from outside the ESP to High and Medium Impact BES Cyber Systems must use two-factor authentication. This requirement makes NERC CIP one of the few regulatory frameworks in North America to explicitly name and mandate two-factor authentication by that term, rather than leaving it implied by an authentication quality standard.

CIP-007-6: System Security Management

CIP-007 governs the security of individual BES Cyber Systems and their components. Requirement R5 addresses authentication in detail and applies to all interactive user access to applicable systems, not just remote access.
 
Key provisions under CIP-007-6 R5 include: each user must have a unique user ID (shared or generic accounts are not compliant for interactive access), the number of unsuccessful authentication attempts must be limited and monitored, default and unnecessary accounts must be removed or disabled, and shared accounts — where operationally necessary — must have documented authorization and management controls.
 
Requirement R4 requires security event logging for High and Medium Impact BES Cyber Systems, with a minimum retention period of 90 calendar days for generated logs. Authentication events — successful logins, failed attempts, and account management changes — are among the events that must be captured and retained.

CIP-003: Low Impact BES Cyber Systems

Low Impact BES Cyber Systems are subject to the lighter-touch requirements of CIP-003 rather than the full CIP-005 and CIP-007 requirements. CIP-003 requires documented cybersecurity policies, physical security controls, and electronic access controls for Low Impact systems. While CIP-003 does not explicitly mandate two-factor authentication, its access control requirements are broad enough that organizations applying consistent MFA policies across all BES asset tiers significantly strengthen their overall compliance posture.

Is MFA Required by NERC CIP?

Yes. Under CIP-005-7 Requirement R2.2, multi-factor authentication is mandatory for all interactive remote access to High and Medium Impact BES Cyber Systems originating from outside the Electronic Security Perimeter. NERC CIP is one of the few regulatory frameworks in North America to use the term “two-factor authentication” explicitly — there is no ambiguity about whether the requirement applies or whether alternative controls can substitute for it.
 
This is a hard requirement, not a best practice or a risk-based option. Unlike frameworks that allow organizations to substitute alternative controls if they can justify the decision, CIP-005-7 R2.2 does not offer a risk-based bypass for the two-factor authentication requirement on qualifying systems. If a system is High or Medium Impact and has External Routable Connectivity, two-factor authentication for remote access is mandatory.
 
The requirement extends to all interactive remote access — including vendor access, contractor access, and third-party support connections to BES Cyber Systems. Any session initiated from outside the ESP that involves interactive access to a qualifying system must go through the Intermediate System and must use two-factor authentication. Unmonitored, single-factor remote access connections are a common source of NERC CIP violations.
 
For organizations with Low Impact systems, the authentication requirements are less prescriptive but electronic access controls are still required. Many organizations choose to extend their two-factor authentication deployment to Low Impact systems as well, both for operational consistency and to reduce the risk of a compliance gap as systems are reclassified or as the standards evolve.

Why OT MFA Deployments Are Different from IT

Most MFA guidance is written for enterprise IT environments: cloud-connected workstations, smartphones, and modern operating systems. NERC CIP environments present a fundamentally different set of constraints that require a different deployment approach.
 
Legacy systems and unsupported operating systems: Many BES Cyber Systems run operating systems that are no longer receiving security updates — Windows XP, Windows Server 2003, and embedded proprietary platforms are common in operational technology environments. Industrial control systems from vendors such as Siemens, GE Grid Solutions, Schneider Electric, and Rockwell Automation may have been deployed a decade or more ago and cannot be upgraded without significant operational risk. MFA solutions that require modern OS support, browser plugins, or cloud connectivity will not work in these environments. RADIUS integration is the practical standard because the authentication exchange is handled by the network access device or gateway rather than by the endpoint, so it works independently of the endpoint operating system.
 
Air-gapped and internet-isolated networks: NERC CIP’s Electronic Security Perimeter architecture is specifically designed to isolate BES Cyber Systems from external networks. Many of the most critical systems — energy management systems, SCADA platforms, historians such as AVEVA PI System — have no internet connectivity by design. Cloud-dependent MFA solutions cannot function in these environments. Authentication must work entirely within the customer’s own infrastructure, with credentials generated and validated locally without any external call.
 
No smartphones on the plant floor: Energy workers operating in substations, control rooms, and generation facilities frequently work in environments where personal mobile devices are prohibited or where cellular coverage is unavailable. Push notification apps and SMS-based OTPs are not viable authentication factors for these users. Hardware OTP tokens and passcode grids — which generate credentials locally with no connectivity required — are the appropriate factor types for the NERC CIP operational environment.
 
Operational continuity requirements: In IT environments, an MFA outage is an inconvenience. In a bulk electric system environment, an authentication failure that prevents an operator from accessing a critical control system during an incident can have consequences that extend far beyond the organization. NERC CIP MFA deployments must be designed with high availability, tested recovery procedures, and documented fallback processes — and those fallback processes must themselves be auditable and not create a bypass of the two-factor authentication requirement.

Consequences of NERC CIP Non-Compliance

NERC CIP violations carry some of the most significant financial consequences of any cybersecurity compliance framework in North America. NERC has statutory authority to issue fines of up to $1 million per day per violation of a reliability standard requirement. Each individual requirement violation is assessed separately, meaning a single enforcement action can involve multiple violations and accumulate penalties quickly.
 
The largest single NERC CIP enforcement action to date resulted in a $10 million penalty — a figure that industry observers noted added “another decimal place” to previous record fines. The 2003 Northeast blackout, which left 55 million people without power across eight US states and Ontario and caused an estimated $6 billion in economic damage, remains the defining event that drove the creation of mandatory CIP standards and continues to shape FERC’s approach to enforcement.
 
Beyond financial penalties, NERC CIP violations carry significant operational and reputational consequences. Violations are documented in publicly available NERC enforcement filings, which means non-compliance becomes part of an organization’s regulatory record. Repeat violations or patterns of non-compliance attract increased scrutiny, more frequent audits, and the potential for mandatory reliability improvement programs. For utilities operating under state public utility commission oversight, NERC CIP violations can also trigger separate state-level regulatory proceedings.

How to Implement MFA for NERC CIP Compliance

1. Classify Your BES Cyber Systems by Impact Level

NERC CIP requirements vary by impact level. Before deploying MFA, confirm the classification of your BES Cyber Systems — High, Medium, or Low Impact — using the criteria in CIP-002. High and Medium Impact systems with External Routable Connectivity trigger the two-factor authentication requirement in CIP-005-7 R2.2. Document your classifications thoroughly — this is the foundation of your entire NERC CIP compliance posture and the first thing auditors will review.

2. Map All Interactive Remote Access Paths

Identify every remote access path into your Electronic Security Perimeter — VPN connections, remote desktop, vendor access portals, and any other mechanism through which users outside the ESP can initiate interactive sessions with High or Medium Impact BES Cyber Systems. Each of these paths must pass through an Intermediate System and must enforce two-factor authentication. Any path that doesn’t is a violation waiting to be found.

3. Select an MFA Solution Compatible with OT Environments

NERC CIP environments present unique deployment challenges that distinguish them from typical IT infrastructure. Many BES Cyber Systems run legacy operating systems, have no internet connectivity, operate in air-gapped networks, and cannot support smartphone-dependent authentication methods. Platforms from Siemens, GE Grid Solutions, Schneider Electric, Rockwell Automation, and historians such as AVEVA PI System are common in these environments, and many predate modern authentication standards by years or decades. Your MFA solution must support RADIUS integration — the authentication protocol most widely supported across SCADA platforms, historians, industrial control systems, and VPN gateways in energy environments. Evaluate whether you need cloud-based, on-premises, or air-gapped MFA deployment, and confirm that the solution supports non-smartphone authentication factors such as hardware tokens, passcode grids, or FIDO2 security keys.

4. Deploy MFA Through Your Intermediate System

CIP-005-7 R2.1 requires that interactive remote access be routed through an Intermediate System. Implement MFA enforcement at this point in the access flow — authenticate users at the Intermediate System before sessions are permitted to proceed to BES Cyber Systems. This architecture satisfies both R2.1 and R2.2 simultaneously and creates a single, auditable control point for all remote access.

5. Configure Authentication Management per CIP-007-6 R5

Beyond the remote access requirement, CIP-007-6 R5 requires authentication management across all interactive user access to applicable BES Cyber Systems. Configure your systems to enforce unique user IDs, limit unsuccessful authentication attempts, disable default and unnecessary accounts, and document any shared accounts with appropriate management controls. These requirements apply to local interactive access as well as remote sessions.

6. Enable and Retain Security Event Logs

CIP-007-6 R4 requires 90-day log retention for security events on High and Medium Impact systems. Enable authentication event logging from day one and ensure logs include successful authentications, failed attempts, account changes, and session terminations. Store logs securely and keep them available for NERC CIP audits. If your environment uses a SIEM, configure MFA event forwarding at the same time so that no authentication events are lost before the retention window begins.

7. Document, Test, and Review

NERC CIP is an evidence-based compliance framework. Your documentation must demonstrate that you have implemented the required controls, that those controls are functioning, and that you review them on the schedule the standards require. Test your MFA deployment before an audit — verify that no interactive remote access session can reach a BES Cyber System without passing through the Intermediate System and completing two-factor authentication. Schedule periodic access reviews per CIP-004-7 R4 and update documentation whenever your infrastructure or access model changes.
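The checks in steps 4 through 7, and the CIP-007-6 R5 and R4 provisions described earlier, can be exercised offline against exported authentication events before an audit. The following script is an added example and is not LoginTC's code or part of the NERC CIP standards; the log format, the ESP address range, the list of generic account names, and the five-attempt limit are all assumptions constructed for the example. It flags remote sessions that bypassed the Intermediate System (R2.1), remote sessions accepted with a single factor (R2.2), generic or shared account use and runs of unsuccessful attempts beyond the configured limit (R5), and a retained-log window shorter than 90 calendar days (R4). Sessions originating inside the ESP are deliberately left out of the R2 checks, since those requirements apply only to access from outside the perimeter.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions for this example (not from the standard or any product):
ESP_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]   # address space inside the ESP
GENERIC_ACCOUNTS = {"operator", "admin", "administrator", "root", "guest", "scada"}
MAX_UNSUCCESSFUL = 5     # attempt limit configured per CIP-007-6 R5
RETENTION_DAYS = 90      # CIP-007-6 R4 minimum retention

# Constructed sample export, one record per line:
# <UTC timestamp> <user ID> <source IP> <Intermediate System or "direct"> <factors> <ACCEPT|REJECT>
SAMPLE_LOG = """\
2024-01-02T07:55:01Z jsmith 198.51.100.7 jumphost-01 2 ACCEPT
2024-01-15T09:12:44Z vendor-ge 203.0.113.22 direct 2 ACCEPT
2024-02-03T14:02:10Z rlopez 203.0.113.40 jumphost-01 1 ACCEPT
2024-02-20T10:30:00Z akhan 10.50.3.17 direct 1 ACCEPT
2024-03-11T06:14:02Z jsmith 198.51.100.7 jumphost-01 2 REJECT
2024-03-11T06:14:20Z jsmith 198.51.100.7 jumphost-01 2 REJECT
2024-03-11T06:14:41Z jsmith 198.51.100.7 jumphost-01 2 REJECT
2024-03-11T06:15:03Z jsmith 198.51.100.7 jumphost-01 2 REJECT
2024-03-11T06:15:30Z jsmith 198.51.100.7 jumphost-01 2 REJECT
2024-03-11T06:16:00Z jsmith 198.51.100.7 jumphost-01 2 REJECT
2024-03-12T11:00:00Z operator 10.50.3.20 direct 1 ACCEPT
2024-04-05T08:00:00Z rlopez 203.0.113.40 jumphost-01 2 ACCEPT
"""


def parse_log(text):
    """Parse the assumed export format into dicts, oldest record first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, gateway, factors, result = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "source": ipaddress.ip_address(src),
            "gateway": gateway,
            "factors": int(factors),
            "result": result,
        })
    return sorted(records, key=lambda r: r["time"])


def outside_esp(addr):
    """True when the source address is not inside any ESP network."""
    return not any(addr in net for net in ESP_NETWORKS)


def audit(text, audit_date):
    """Return findings keyed by requirement; an empty dict means no findings."""
    records = parse_log(text)
    findings = defaultdict(list)
    failure_run = defaultdict(int)   # consecutive REJECTs per user ID
    generic_seen = set()

    for r in records:
        stamp = r["time"].strftime("%Y-%m-%d %H:%M")
        remote = outside_esp(r["source"])
        accepted = r["result"] == "ACCEPT"

        # R2.1: remote access must traverse the Intermediate System.
        if accepted and remote and r["gateway"] == "direct":
            findings["CIP-005-7 R2.1"].append(
                f"{stamp} {r['user']} from {r['source']} reached a BES Cyber System directly")
        # R2.2: remote access must complete two-factor authentication.
        if accepted and remote and r["factors"] < 2:
            findings["CIP-005-7 R2.2"].append(
                f"{stamp} {r['user']} accepted with {r['factors']} factor(s) via {r['gateway']}")
        # R5: unique user IDs; generic names indicate shared accounts (all interactive access).
        if r["user"] in GENERIC_ACCOUNTS and r["user"] not in generic_seen:
            generic_seen.add(r["user"])
            findings["CIP-007-6 R5"].append(
                f"{stamp} generic/shared account '{r['user']}' used for interactive access")
        # R5: unsuccessful attempts must be limited; flag a run past the limit.
        if r["result"] == "REJECT":
            failure_run[r["user"]] += 1
            if failure_run[r["user"]] == MAX_UNSUCCESSFUL + 1:
                findings["CIP-007-6 R5"].append(
                    f"{stamp} {r['user']} exceeded {MAX_UNSUCCESSFUL} consecutive "
                    "unsuccessful attempts with no lockout evident")
        else:
            failure_run[r["user"]] = 0

    # R4: retained events must cover at least 90 calendar days before the audit date.
    if not records:
        findings["CIP-007-6 R4"].append("no authentication events retained")
    else:
        covered = audit_date - records[0]["time"]
        if covered < timedelta(days=RETENTION_DAYS):
            findings["CIP-007-6 R4"].append(
                f"retained logs cover only {covered.days} days before {audit_date.date()}")
    return dict(findings)


if __name__ == "__main__":
    for req, items in sorted(audit(SAMPLE_LOG, datetime(2024, 4, 5, tzinfo=timezone.utc)).items()):
        print(req)
        for item in items:
            print("  -", item)
```

Run as written, the script reports the vendor session that bypassed the Intermediate System, the single-factor session through the jump host, the generic `operator` account, and the six-attempt failure run, while the single-factor direct session from inside the ESP is correctly excluded from the R2 checks. The 90-day check only measures how far back the export reaches; confirming that nothing was purged within that window still requires comparing the export against the logging source.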

NERC CIP MFA Best Practices

  • Extend two-factor authentication beyond the minimum scope: CIP-005-7 R2.2 mandates MFA for interactive remote access to High and Medium Impact systems. A stronger posture applies consistent two-factor authentication to all access to BES Cyber Systems — including local interactive sessions where operationally feasible — reducing the risk of a gap if a system is reclassified or if the standards evolve.
  • Use non-smartphone authentication factors: Energy environments frequently involve workers without reliable mobile coverage, air-gapped networks with no internet access, and legacy systems that cannot support app-based authentication. Hardware OTP tokens, passcode grids, and FIDO2 security keys are the appropriate factor types for these environments — they work without cellular or internet connectivity and are fully compatible with air-gapped deployments.
  • Treat your Intermediate System as a security control, not just an architecture requirement: CIP-005-7 R2.1 requires the Intermediate System, but it is also your primary enforcement point for MFA, session monitoring, and session termination. Configure it to log all sessions, enforce authentication policy, and support session termination capabilities as required by CIP-005-7 R2.3.
  • Audit vendor and contractor access rigorously: Third-party remote access is one of the most frequently cited sources of NERC CIP violations. Ensure all vendor and contractor accounts have unique user IDs, use two-factor authentication, are disabled when not in active use, and are reviewed on the schedule required by CIP-004.
  • Build your documentation in parallel with your deployment: NERC CIP auditors assess documentation as much as they assess technical controls. As you deploy MFA, simultaneously create and maintain the policies, procedures, and evidence records that demonstrate compliance. A technically sound deployment with poor documentation is still a finding.
  • Test recovery procedures under compliance conditions: Account lockout and MFA device loss recovery procedures must themselves be secure and auditable. Ensure recovery processes don’t create a backdoor that bypasses the two-factor authentication requirement, and document the authorized recovery procedures so auditors can verify they meet the standard.

How LoginTC Helps with NERC CIP MFA Compliance

LoginTC is purpose-built for the kind of environments NERC CIP governs — complex, mixed IT and OT infrastructure where authentication must work reliably across SCADA systems, historians, legacy platforms, and air-gapped networks that can’t depend on cloud connectivity or smartphones.
 
For CIP-005-7 R2.2 compliance, LoginTC enforces two-factor authentication for all interactive remote access sessions through RADIUS integration — the authentication protocol natively supported across VPN gateways, remote desktop infrastructure, and the SCADA platforms most commonly deployed in energy environments. This means MFA can be added to existing infrastructure without replacing systems or disrupting operations. For CIP-007-6 R5, LoginTC’s centralized administration supports unique user ID enforcement, authentication attempt controls, and account management policies that align directly with the requirement’s specifications.
 
For energy organizations with air-gapped OT networks or strict data residency requirements, LoginTC’s on-premises deployment option keeps all authentication infrastructure within the customer’s own environment — no external connectivity required. Authentication factors including hardware OTP tokens, passcode grids, and FIDO2 security keys generate credentials locally, making them fully compatible with air-gapped BES Cyber System environments. Detailed authentication event logs support CIP-007-6 R4’s 90-day retention requirement and give compliance teams the audit trail they need for NERC CIP assessments. LoginTC is also ISO 27001 certified, providing an additional layer of assurance for organizations operating under rigorous regulatory oversight.
 

Frequently Asked Questions

Does NERC CIP require MFA?

Yes. CIP-005-7 Requirement R2.2 explicitly requires two-factor authentication for all interactive remote access sessions originating from outside the Electronic Security Perimeter to High and Medium Impact BES Cyber Systems. This is one of the few regulatory frameworks in North America to use the term “two-factor authentication” explicitly. The requirement is mandatory — there is no risk-based alternative for qualifying systems.

Who does NERC CIP apply to?

NERC CIP applies to all registered entities involved in operating or supporting the bulk electric system across the continental United States, Canada, and a portion of Baja California, Mexico. This includes transmission operators, generation operators, balancing authorities, reliability coordinators, distribution providers, and independent system operators. The level of requirements depends on the impact classification of each entity’s BES Cyber Systems.

What types of MFA are acceptable under NERC CIP?

NERC CIP does not mandate specific MFA technologies, but requires two distinct authentication factors. Acceptable methods include hardware OTP tokens, authenticator apps, passcode grids, smart cards, and FIDO2 security keys. For operational technology environments with no internet connectivity or mobile coverage, non-smartphone factors such as hardware tokens and passcode grids are the practical standard. SMS-based OTPs are technically permitted but are generally discouraged for critical infrastructure access due to known vulnerabilities.

Does NERC CIP apply to Canadian organizations?

Yes. NERC CIP standards apply across Canada wherever organizations operate bulk electric system assets. In Canada, compliance is overseen by provincial regulatory bodies rather than FERC, but the underlying NERC standards — including the two-factor authentication requirements in CIP-005-7 — are the same as in the United States.

Does LoginTC need to be deployed on-premises to comply with NERC CIP?

NERC CIP does not mandate on-premises MFA deployment explicitly, but the framework’s requirements for air-gapped environments, External Routable Connectivity controls, and data handling practices make on-premises deployment the practical standard for many energy organizations. LoginTC’s on-premises deployment option keeps all authentication infrastructure within the customer’s environment and operates without external connectivity, making it fully compatible with air-gapped BES Cyber System networks and the strict perimeter controls NERC CIP requires.

Does NERC CIP apply to Low Impact BES Cyber Systems?

Low Impact BES Cyber Systems are subject to the lighter-touch requirements of CIP-003 rather than the full CIP-005 and CIP-007 requirements. CIP-003 requires documented cybersecurity policies and electronic access controls, but does not include the explicit two-factor authentication mandate that applies to High and Medium Impact systems under CIP-005-7 R2.2. Many organizations choose to extend their MFA deployment to Low Impact systems for operational consistency and to reduce future compliance risk.

Get a Free NERC CIP MFA Strategy Session

Deploying two-factor authentication across operational technology environments, legacy SCADA systems, and air-gapped infrastructure requires a different approach than standard IT MFA projects. The Intermediate System architecture required by CIP-005-7 adds another layer of complexity that many organizations underestimate before their first NERC CIP audit.
 
Our team has experience helping energy organizations deploy MFA that satisfies NERC CIP requirements without disrupting the operational reliability that grid operations demand. If you’re preparing for a NERC CIP audit or building out your CIP-005 and CIP-007 compliance program, we’re ready to help.
 

