Direct Answer
NERC CIP compliance architecture in Sparx EA begins with CIP-002, the BES Cyber System (BES CS) categorisation that classifies every BES Cyber System as High, Medium, or Low impact. That categorisation drives every subsequent CIP requirement: which Electronic Security Perimeter requirements apply, which security controls are mandated, what physical security standards govern the asset, and what audit evidence must be produced. Sparx EA holds this as a governed Application Component inventory with CIP-specific tagged values, Electronic Security Perimeters modelled in the ArchiMate Technology layer, and CIP control requirements mapped to technology elements via realisation relationships. EA GraphLink then exposes this model to Power BI, producing a live compliance dashboard that shows asset coverage, control implementation status, and upcoming audit obligations, accessible to compliance officers without requiring direct Sparx EA access.
NERC CIP: The Regulatory Context
What NERC CIP Requires
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is the mandatory cybersecurity standard for owners, operators, and users of the bulk electric system (BES) in North America. Compliance is enforced by NERC and the regional entities; violations carry significant financial penalties.
The standard comprises a suite of standards numbered CIP-002 through CIP-014 (CIP-001, Sabotage Reporting, has been retired), each addressing a specific domain of cybersecurity for bulk electric system assets:
- CIP-002: BES Cyber System Categorisation — the foundational standard. Every BES Cyber System is classified as High, Medium, or Low impact based on its functional role in the grid. Impact classification drives the applicability of all subsequent CIP requirements.
- CIP-003: Security Management Controls — security policies, leadership accountability, and governance for BES Cyber Systems; it also carries the complete requirement set for Low impact BES Cyber Systems (Requirement R2 and its Attachment 1).
- CIP-004: Personnel and Training — personnel risk assessments, training requirements, and access management.
- CIP-005: Electronic Security Perimeters — definition and protection of the ESP, its Electronic Access Points, and Interactive Remote Access.
- CIP-006: Physical Security of BES Cyber Systems — physical security plans, visitor control, and monitoring for Physical Security Perimeters.
- CIP-007: Systems Security Management — ports and services, patch management, malicious code prevention, security event monitoring, and system access controls.
- CIP-008: Incident Reporting and Response Planning — incident response plan requirements and mandatory reporting of Reportable Cyber Security Incidents (and, from CIP-008-6, attempts to compromise) to the E-ISAC and CISA.
- CIP-009: Recovery Plans — recovery plan requirements for BES Cyber Systems.
- CIP-010: Configuration Change Management and Vulnerability Assessments — baseline configuration management, change control, vulnerability assessments, and Transient Cyber Asset and Removable Media controls.
- CIP-011: Information Protection — BES Cyber System Information (BCSI) handling requirements.
- CIP-012: Communications between Control Centres — protection of the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centres.
- CIP-013: Supply Chain Risk Management — supply chain cyber security risk management plans for High and Medium impact BES Cyber Systems (and, from CIP-013-2, their associated EACMS and PACS).
- CIP-014: Physical Security — physical security of Transmission stations and substations, and their primary control centres, whose loss or damage could cause instability, uncontrolled separation, or cascading within an Interconnection.
Why Architecture Matters for CIP Compliance
CIP compliance is fundamentally an architecture problem. The question “which controls apply to which assets?” depends on knowing what assets exist, how they are classified, what security perimeters they sit within, and what controls have been implemented against them. Without an architectural model, compliance teams work from spreadsheets that drift from reality, cannot answer auditor questions with confidence, and discover gaps only when they are already a compliance finding.
Sparx EA provides the platform to model this landscape precisely — and EA GraphLink makes that model accessible to compliance teams who do not work in Sparx EA.
Sparx EA Approach to NERC CIP Architecture
The CIP-002 BES Cyber System Inventory
CIP-002 categorisation is the foundational EA artefact for NERC CIP compliance. In Sparx EA, BES Cyber Systems are modelled as Application Components in the ArchiMate 3 Application layer (or as Node and Device elements in the Technology layer if modelling at the OT equipment level; ArchiMate has no "Technology System" element). Each element carries CIP-specific tagged values that encode the compliance-critical metadata:
- Impact Classification (High / Medium / Low) — the CIP-002 categorisation determination
- BES Asset Association — the BES Reliability Operating Service or BES Facility that the Cyber System is associated with
- EACMS Flag (Electronic Access Control or Monitoring Systems, a distinct CIP asset category; EACMS associated with High and Medium impact BES Cyber Systems fall within the applicability of most of CIP-004 through CIP-011 and CIP-013 in their own right, not only CIP-005)
- PACS Flag (Physical Access Control Systems)
- PCA Flag (Protected Cyber Assets — assets within an ESP that are not BES Cyber Systems but still require protection)
- ESP Membership — which Electronic Security Perimeter(s) the asset sits within
- Responsible Entity — the entity accountable under NERC for this asset
This inventory becomes the authoritative CIP-002 evidence artefact — the documented basis for impact classification decisions that auditors review.
Electronic Security Perimeter Modeling in ArchiMate
Electronic Security Perimeters (ESPs) are the fundamental boundary construct in CIP-005: the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol. In Sparx EA, ESPs are modelled in the ArchiMate Technology layer as a stereotyped boundary enclosing the Node elements that sit inside it. The modelling approach:
- An ESP boundary is represented as an ArchiMate Grouping element with the CIP-ESP stereotype applied, enclosing the Node and Device elements (representing servers, workstations, and control system components) that reside within the perimeter. A Grouping is preferred over a Technology Collaboration because a collaboration implies that the nodes jointly perform behaviour, whereas the ESP is purely a boundary
- Electronic Access Points (EAPs), the ingress/egress points of the ESP, are modelled as Technology Interface elements on the ESP boundary, with tagged values encoding the device type (firewall, router, unidirectional gateway), the CIP-005 control status, and whether the inbound and outbound access permissions with their reasons (CIP-005 R1 Part 1.3) are documented
- Interactive Remote Access (IRA) paths are modelled as Technology Flows crossing the ESP boundary, tagged with the Intermediate System that CIP-005 R2 requires so that the initiating client never connects directly to an applicable Cyber Asset
- External Routable Connectivity (ERC) is captured as a tagged value on each BES Cyber System and rolled up to the ESP boundary; ERC widens the set of CIP-005 and CIP-007 requirements that apply to Medium impact BES Cyber Systems, so the flag must be evidenced from the network design, not assumed
This visual representation means compliance officers can review a diagram and immediately understand the ESP structure. The model drives the compliance analysis: every BES Cyber System inside an ESP must have the CIP-005 controls documented; every EAP must have the corresponding firewall rule management evidence.
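The boundary rules above can be checked mechanically once the ESP, EAP and IRA elements carry the tagged values described. The following is an added example written for this page, not code from Sparx EA, EA GraphLink or the original article: it holds a small constructed model in Python dataclasses (element names such as RTU-01 and Jump-01 are invented) and reports every element that breaks one of the CIP-005 R1 or R2 rules the page relies on, plus any dangling esp_membership reference. In a live repository the same records would be extracted from the CIP-ESP groupings, Technology Interfaces and Technology Flows.

```python
"""ESP model consistency checks (added example; constructed model, not repository data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CyberAsset:
    name: str
    category: str                 # "BCS" (BES Cyber System), "PCA" or "EACMS"
    impact: str                   # High / Medium / Low
    routable: bool                # connected to a network via a routable protocol
    esp_membership: Optional[str] = None


@dataclass
class ESP:
    name: str
    erc: bool                     # External Routable Connectivity into this ESP


@dataclass
class EAP:
    name: str
    esp: str
    eap_type: str                 # firewall / router / unidirectional gateway
    control_status: str           # Implemented / In Progress / Gap
    permissions_documented: bool  # inbound/outbound rules with reasons recorded


@dataclass
class IRAPath:
    name: str
    target: str                   # asset name inside an ESP
    intermediate_system: Optional[str]   # None = client connects directly
    mfa: bool


def check_esp_model(esps, assets, eaps, ira_paths):
    """Return (rule, element, message) findings; an empty list means the model is consistent."""
    findings = []
    esp_names = {e.name for e in esps}
    eaps_by_esp = {}
    for eap in eaps:
        eaps_by_esp.setdefault(eap.esp, []).append(eap)

    for a in assets:
        if a.impact == "Low":
            continue  # CIP-005 R1 applies to High and Medium impact systems (and their PCA)
        # R1 Part 1.1: applicable Cyber Assets on a routable network must sit inside a defined ESP
        if a.routable and a.esp_membership is None:
            findings.append(("R1.1", a.name, "routable but not inside any ESP"))
        elif a.esp_membership is not None and a.esp_membership not in esp_names:
            findings.append(("MODEL", a.name, f"esp_membership '{a.esp_membership}' is not a modelled ESP"))

    for e in esps:
        # R1 Part 1.2: all External Routable Connectivity must pass through an identified EAP
        if e.erc and not eaps_by_esp.get(e.name):
            findings.append(("R1.2", e.name, "ESP has ERC but no Electronic Access Point modelled"))

    for eap in eaps:
        if eap.esp not in esp_names:
            findings.append(("MODEL", eap.name, f"EAP attached to unknown ESP '{eap.esp}'"))
        # R1 Part 1.3: inbound and outbound access permissions, each with a reason, at every EAP
        if not eap.permissions_documented:
            findings.append(("R1.3", eap.name, "access permissions and reasons not documented"))
        # Page rule: every EAP carries its CIP-005 control status; anything but Implemented is a gap
        if eap.control_status != "Implemented":
            findings.append(("EAP-STATUS", eap.name, f"CIP-005 control status is '{eap.control_status}'"))

    for p in ira_paths:
        # R2 Part 2.1: Interactive Remote Access must go through an Intermediate System
        if p.intermediate_system is None:
            findings.append(("R2.1", p.name, f"IRA to {p.target} connects directly, no Intermediate System"))
        # R2 Part 2.3: multi-factor authentication for all IRA sessions
        if not p.mfa:
            findings.append(("R2.3", p.name, "IRA session without multi-factor authentication"))
    return findings


def sample_model():
    """Constructed sample: a consistent substation ESP and a control centre ESP with gaps."""
    esps = [ESP("ESP-Substation-A", erc=True), ESP("ESP-ControlCentre", erc=True)]
    assets = [
        CyberAsset("RTU-01", "BCS", "Medium", True, "ESP-Substation-A"),
        CyberAsset("HMI-02", "PCA", "Medium", True, None),        # routable, no ESP -> R1.1
        CyberAsset("Peaker-PLC", "BCS", "Low", True, None),       # Low impact: outside R1 scope
        CyberAsset("SCADA-FE", "BCS", "High", True, "ESP-ControlCentre"),
    ]
    eaps = [EAP("FW-SubA", "ESP-Substation-A", "firewall", "Implemented", True)]
    ira = [
        IRAPath("vendor-vpn", "RTU-01", "Jump-01", mfa=True),
        IRAPath("eng-direct", "SCADA-FE", None, mfa=False),      # direct, no MFA -> R2.1, R2.3
    ]
    return check_esp_model(esps, assets, eaps, ira)


if __name__ == "__main__":
    for rule, element, msg in sample_model():
        print(f"{rule:10} {element:20} {msg}")
```

Run against the sample, the checker yields four findings: the PCA outside any ESP, the control centre ESP with ERC but no EAP, and the direct, single-factor engineering session (two findings). Low impact assets are skipped on purpose, since CIP-005 R1 does not apply to them; their connectivity controls live in CIP-003 R2 instead.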
CIP Control Mapping
CIP requirements are modelled as a Requirements package within Sparx EA, organised by CIP standard. Each requirement element references the specific CIP standard, requirement number, and requirement part. BES Cyber Systems and technology elements are linked to the CIP requirements they must satisfy using realisation relationships — creating the bidirectional traceability that enables gap analysis.
The control implementation evidence — policy documents, configuration baselines, audit logs — is linked to the requirement elements as artefact links or URL references, creating a complete evidence chain within the repository.
CIP-010 Configuration Management in Sparx EA
CIP-010 R1 requires a documented baseline configuration for every High and Medium impact BES Cyber System (and their associated EACMS, PACS and PCA). In Sparx EA, the baseline is captured as a stereotyped Configuration Item element (defined in the CIP MDG; Sparx EA has no built-in element of that name) linked to the BES Cyber System Application Component, carrying tagged values for the five baseline items that CIP-010 R1 Part 1.1 names:
- Operating system or firmware, including version
- Commercially available or open-source application software, including version
- Any custom software installed
- Logical network accessible ports
- Security patches applied
- Date of the last vulnerability assessment (not a baseline item, but the driver for the CIP-010 R3 review cadence)
CIP-010 change management is modelled by creating a new Configuration Item version whenever a change deviates from the existing baseline, using Sparx EA's package Baseline and version control features to retain the change history that CIP-010 requires. CIP-010 R1 Part 1.3 requires the baseline to be updated within 30 calendar days of completing such a change, so the version date on the Configuration Item is itself audit evidence.
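The baseline and change-history structure above lends itself to an automated deviation check. The following is an added example, not from the original page and not Sparx EA functionality: it compares two constructed baseline versions of a substation gateway (every value is invented) item by item following CIP-010 R1 Part 1.1, lists the CIP-005 and CIP-007 controls a practitioner would re-check before authorising the change under R1 Part 1.4 (that mapping is this example's own simplification), and flags change records whose baseline update missed the 30-calendar-day limit of R1 Part 1.3.

```python
"""CIP-010 baseline deviation and update-timeliness checks (added example; constructed data)."""
from datetime import date

BASELINE_ITEMS = ("os_firmware", "application_software", "custom_software",
                  "network_ports", "security_patches")

# Example mapping (this example's simplification, not from the standard text) of the
# CIP-005/CIP-007 controls a deviation in each baseline item can affect (R1 Part 1.4.1)
IMPACTED_CONTROLS = {
    "os_firmware": {"CIP-007 R2 (security patch management)"},
    "application_software": {"CIP-007 R2 (security patch management)", "CIP-007 R3 (malicious code prevention)"},
    "custom_software": {"CIP-007 R2 (security patch management)"},
    "network_ports": {"CIP-007 R1 (ports and services)", "CIP-005 R1 Part 1.3 (EAP access permissions)"},
    "security_patches": {"CIP-007 R2 (security patch management)"},
}


def diff_baseline(old, new):
    """List every deviation from the old baseline as (item, change, value)."""
    changes = []
    if old["os_firmware"] != new["os_firmware"]:
        changes.append(("os_firmware", "changed", f'{old["os_firmware"]} -> {new["os_firmware"]}'))
    for item in BASELINE_ITEMS[1:]:            # the remaining items are sets of entries
        before, after = set(old[item]), set(new[item])
        changes += [(item, "added", v) for v in sorted(after - before)]
        changes += [(item, "removed", v) for v in sorted(before - after)]
    return changes


def impacted_controls(changes):
    """Controls to identify and verify around the change (R1 Parts 1.4.1 and 1.4.2)."""
    out = set()
    for item, _change, _value in changes:
        out |= IMPACTED_CONTROLS[item]
    return sorted(out)


def late_baseline_updates(records, limit_days=30):
    """IDs of change records whose baseline update came more than limit_days after completion."""
    late = []
    for rec in records:
        completed = date.fromisoformat(rec["completed"])
        updated = date.fromisoformat(rec["baseline_updated"])
        if (updated - completed).days > limit_days:
            late.append(rec["id"])
    return late


def sample_baselines():
    """Two constructed baseline versions of a hypothetical substation gateway."""
    old = {
        "os_firmware": "Gateway firmware 4.2.1",
        "application_software": {"SCADA agent 7.1", "AV engine 14.3"},
        "custom_software": {"alarm_forwarder 1.2"},
        "network_ports": {"TCP/443", "TCP/20000"},
        "security_patches": {"FW-SEC-2024-07"},
    }
    new = dict(old)   # shallow copy; the set-valued items that change are replaced below
    new["application_software"] = old["application_software"] | {"Packet capture tool 4.2"}
    new["network_ports"] = old["network_ports"] | {"TCP/3389"}
    new["security_patches"] = old["security_patches"] | {"FW-SEC-2024-08"}
    return old, new


def sample_change_records():
    """Constructed change records: one updated in time, one 45 days after completion."""
    return [
        {"id": "CHG-0471", "completed": "2024-09-02", "baseline_updated": "2024-09-20"},
        {"id": "CHG-0482", "completed": "2024-10-01", "baseline_updated": "2024-11-15"},
    ]


if __name__ == "__main__":
    old, new = sample_baselines()
    changes = diff_baseline(old, new)
    for change in changes:
        print(change)
    print(impacted_controls(changes))
    print(late_baseline_updates(sample_change_records()))
```

The new remote-desktop port is the finding a reviewer should notice: a ports deviation pulls both the CIP-007 R1 ports-and-services justification and the CIP-005 R1 Part 1.3 EAP rule set into the change record, which is exactly the pre-change determination R1 Part 1.4 demands.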
MDG Design for NERC CIP
A governed MDG technology for NERC CIP creates two primary element stereotypes (alongside the CIP-ESP boundary stereotype described above):
CIP-Asset Stereotype
Applied to Application Component elements representing BES Cyber Systems and associated assets. Tagged values:
| Tagged Value | Values | Purpose |
|---|---|---|
| cip_impact_level | High / Medium / Low / Not Applicable | CIP-002 classification |
| esp_membership | ESP name(s) | Links asset to ESP boundary |
| eacms_flag | Yes / No | EACMS classification |
| pacs_flag | Yes / No | Physical access control system |
| pca_flag | Yes / No | Protected Cyber Asset |
| physical_location | Site / Facility name | CIP-006 physical perimeter link |
| responsible_entity | Entity DUNS / name | NERC responsible entity |
| last_cip002_review | Date | Review currency tracking |
CIP-Control Stereotype
Applied to Requirement elements representing specific CIP standard controls. Tagged values:
| Tagged Value | Values | Purpose |
|---|---|---|
| standard_reference | e.g., CIP-005-7 R1 Part 1.1 | Specific requirement identifier |
| implementation_status | Implemented / In Progress / Gap / Not Applicable | Compliance status |
| evidence_pointer | URL or document reference | Location of compliance evidence |
| applicability | High / Medium / Low / All | Impact levels to which control applies |
| next_review_date | Date | Scheduled compliance verification |
| audit_finding | Yes / No / Prior Finding | Audit history flag |
EA GraphLink: The CIP Compliance Dashboard
EA GraphLink connects the Sparx EA CIP repository to Power BI, producing a live compliance dashboard that compliance managers can access without opening Sparx EA. The dashboard surfaces:
Asset Coverage View: A count and status of all BES Cyber Systems by impact classification, ESP membership, and control implementation status. Gaps — assets with impact classification but incomplete control coverage — are flagged automatically.
Control Implementation Status: For each CIP standard (CIP-003 through CIP-014), the percentage of applicable BES Cyber Systems with controls in Implemented status. This becomes the compliance programme’s primary progress metric.
Upcoming Audit Obligations: CIP-010 R3 requires a vulnerability assessment at least once every 15 calendar months (and an active assessment at least every 36 calendar months for High impact systems); CIP-004 R4 requires quarterly verification of authorised access and a privilege review at least every 15 calendar months; CIP-007 R2 requires evaluation of new security patches every 35 calendar days. Tagged values carrying review dates surface in a calendar view showing upcoming compliance obligations across the asset fleet.
ESP Integrity View: A per-ESP breakdown showing EAP count, IRA paths, and CIP-005 control status — enabling rapid identification of ESP boundary control gaps before an audit.
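What the dashboard computes, and the gap analysis the control mapping section describes, can be expressed as queries over the tables Sparx EA stores a repository in (elements in t_object, tagged values in t_objectproperties, Realisation links in t_connector). The example below is added here and is neither EA GraphLink's extraction logic nor code from the original page: it fills an in-memory SQLite database with constructed sample elements (names, standard references and dates are invented) using the Sparx EA table and column names, then derives the Asset Coverage, Control Implementation Status and Upcoming Obligations views from one evaluation of which controls apply to which assets.

```python
"""Gap analysis and dashboard metrics over the Sparx EA repository schema.
Added example, not EA GraphLink's code; constructed in-memory data using the Sparx EA
table and column names (t_object, t_objectproperties, t_connector)."""
import sqlite3
from datetime import date, timedelta


def build_sample_repo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE t_object (Object_ID INTEGER PRIMARY KEY, Object_Type TEXT, Name TEXT, Stereotype TEXT);
        CREATE TABLE t_objectproperties (Object_ID INTEGER, Property TEXT, Value TEXT);
        CREATE TABLE t_connector (Connector_ID INTEGER PRIMARY KEY, Connector_Type TEXT, Start_Object_ID INTEGER, End_Object_ID INTEGER);""")
    objects = [(1, "Component", "EMS-SCADA", "CIP-Asset"),
               (2, "Component", "Substation-RTU-Farm", "CIP-Asset"),
               (3, "Component", "Peaker-PLC", "CIP-Asset"),
               (10, "Requirement", "ESP defined", "CIP-Control"),
               (11, "Requirement", "Patch source identified", "CIP-Control"),
               (12, "Requirement", "Cyber security policies", "CIP-Control"),
               (13, "Requirement", "Vulnerability assessment", "CIP-Control")]
    tags = [(1, "cip_impact_level", "High"), (2, "cip_impact_level", "Medium"), (3, "cip_impact_level", "Low"),
            (10, "standard_reference", "CIP-005-7 R1 Part 1.1"), (10, "applicability", "High/Medium"),
            (10, "implementation_status", "Implemented"), (10, "next_review_date", "2025-03-01"),
            (11, "standard_reference", "CIP-007-6 R2 Part 2.1"), (11, "applicability", "High/Medium"),
            (11, "implementation_status", "Implemented"), (11, "next_review_date", "2025-01-20"),
            (12, "standard_reference", "CIP-003-8 R1"), (12, "applicability", "All"),
            (12, "implementation_status", "In Progress"),
            (13, "standard_reference", "CIP-010-4 R3 Part 3.1"), (13, "applicability", "High/Medium"),
            (13, "implementation_status", "Gap"), (13, "next_review_date", "2025-02-15")]
    # Realisation: Start_Object_ID is the asset realising the requirement, End_Object_ID the CIP-Control
    links = [(100, "Realisation", 1, 10), (101, "Realisation", 1, 11), (102, "Realisation", 1, 12),
             (103, "Realisation", 1, 13), (104, "Realisation", 2, 10), (105, "Realisation", 2, 12),
             (106, "Realisation", 3, 12)]
    conn.executemany("INSERT INTO t_object VALUES (?,?,?,?)", objects)
    conn.executemany("INSERT INTO t_objectproperties VALUES (?,?,?)", tags)
    conn.executemany("INSERT INTO t_connector VALUES (?,?,?,?)", links)
    return conn


def _elements(conn, stereotype):
    """{Object_ID: {'name': ..., <tag>: <value>}} for every element carrying the stereotype."""
    rows = conn.execute("""SELECT o.Object_ID, o.Name, p.Property, p.Value
                           FROM t_object o LEFT JOIN t_objectproperties p ON p.Object_ID = o.Object_ID
                           WHERE o.Stereotype = ? ORDER BY o.Object_ID""", (stereotype,))
    out = {}
    for oid, name, prop, value in rows:
        element = out.setdefault(oid, {"name": name})
        if prop is not None:
            element[prop] = value
    return out


def _applies(control, impact):
    levels = control.get("applicability", "")   # "All" or a slash-separated list of impact levels
    return levels == "All" or impact in levels.split("/")


def evaluate(conn):
    """Yield (asset, standard, reference, state) for every asset/control pair that applies."""
    assets, controls = _elements(conn, "CIP-Asset"), _elements(conn, "CIP-Control")
    realised = set(conn.execute(
        "SELECT Start_Object_ID, End_Object_ID FROM t_connector WHERE Connector_Type = 'Realisation'"))
    for aid, asset in assets.items():
        impact = asset.get("cip_impact_level")
        if impact in (None, "Not Applicable"):
            continue
        for cid, control in controls.items():
            if not _applies(control, impact):
                continue
            ref = control["standard_reference"]
            if (aid, cid) not in realised:
                state = "no realisation link"
            elif control.get("implementation_status") == "Implemented":
                state = "ok"
            else:
                state = control.get("implementation_status", "unknown")
            yield asset["name"], "-".join(ref.split("-")[:2]), ref, state   # "CIP-005-7 R1 ..." -> "CIP-005"


def gaps(conn):
    """Asset Coverage View: applicable controls that are unlinked or not Implemented, per asset."""
    out = {}
    for asset, _std, ref, state in evaluate(conn):
        if state != "ok":
            out.setdefault(asset, []).append((ref, state))
    return out


def coverage_by_standard(conn):
    """Control Implementation Status: percentage of applicable asset/control pairs that are Implemented."""
    totals, done = {}, {}
    for _asset, std, _ref, state in evaluate(conn):
        totals[std] = totals.get(std, 0) + 1
        done[std] = done.get(std, 0) + (state == "ok")
    return {std: round(100 * done[std] / n) for std, n in sorted(totals.items())}


def upcoming_reviews(conn, as_of_iso, horizon_days=45):
    """Upcoming Audit Obligations: controls whose next_review_date falls inside the horizon."""
    as_of = date.fromisoformat(as_of_iso)
    horizon = as_of + timedelta(days=horizon_days)
    return sorted((c["next_review_date"], c["standard_reference"])
                  for c in _elements(conn, "CIP-Control").values()
                  if "next_review_date" in c and as_of <= date.fromisoformat(c["next_review_date"]) <= horizon)
```

Calling gaps(build_sample_repo()) shows the Medium impact RTU farm with two unlinked controls and one in progress, while the Low impact PLC only inherits the CIP-003 policy control. One design point: the page's MDG keeps implementation_status on the CIP-Control element, so a control is either Implemented for every asset that realises it or for none; where status genuinely differs per asset, the natural home is a tagged value on the Realisation connector (t_connectortags in the repository) and the query would join that table instead.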
FAQ
What is NERC CIP and who must comply?
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is the mandatory cybersecurity standard for bulk electric system (BES) owners, operators, and users in North America. Compliance is mandatory for entities registered with NERC — including transmission owners, transmission operators, generator owners and operators, distribution providers connected to the BES, and reliability coordinators. The standard is enforced by NERC and its regional entities (WECC, SERC, RF, MRO, NPCC, and others). Non-compliance can result in penalties of up to $1 million per violation per day.
What is CIP-002 BES Cyber System categorisation and why is it foundational?
CIP-002 requires registered entities to identify their BES Cyber Systems and classify each as High, Medium, or Low impact using the Attachment 1 criteria, which consider the system's role in grid reliability. High impact covers BES Cyber Systems at Control Centres performing the functions of a Reliability Coordinator, a Balancing Authority or Transmission Operator above the Attachment 1 thresholds, or a Generator Operator for 1500 MW or more of generation; Medium impact covers generation and transmission assets (and other Control Centres) that meet specific MW, kV and criticality thresholds; Low impact is the catch-all for BES Cyber Systems at BES assets that meet neither set of criteria. Impact classification is foundational because it determines which subsequent CIP requirements apply: High impact systems are subject to the full requirement set, Medium impact systems to most of it (with External Routable Connectivity widening it further), and Low impact systems to the limited set in CIP-003 R2. Errors in CIP-002 categorisation therefore affect the entire compliance programme.
How does Sparx EA model Electronic Security Perimeters?
Electronic Security Perimeters are modelled in the ArchiMate Technology layer in Sparx EA. The ESP boundary is represented as an ArchiMate Grouping element with the CIP-ESP stereotype applied, enclosing the Node and Device elements (servers, workstations, control system components) that reside within the perimeter. Electronic Access Points, the firewall and gateway ingress/egress points, are modelled as Technology Interface elements on the ESP boundary with tagged values capturing the device type and CIP-005 control status. Interactive Remote Access paths crossing the ESP boundary are modelled as Technology Flows with Intermediate System usage captured. This visual model serves as a diagram that auditors can review directly.
What evidence does Sparx EA produce for CIP auditors?
Sparx EA produces several evidence artefacts that directly support CIP audits: (1) the BES Cyber System inventory with CIP-002 impact classifications and the documented basis for each classification decision; (2) ESP topology diagrams showing BES Cyber Systems within their security perimeters and Electronic Access Points; (3) CIP control traceability — a requirements matrix linking each CIP requirement to the BES Cyber Systems it applies to and the implementation status of each; (4) CIP-010 configuration baselines for High and Medium impact BES Cyber Systems with change history; (5) a requirements coverage report showing which requirements have evidence attached and which represent gaps. These artefacts are generated directly from the repository, not assembled manually.
What is EACMS and how is it modelled differently from BES Cyber Systems?
EACMS (Electronic Access Control or Monitoring Systems) are Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter or BES Cyber Systems, including firewalls, authentication servers, the Intermediate Systems used for remote access, security information and event management (SIEM) systems, and intrusion detection systems. EACMS are not BES Cyber Systems, but most standards from CIP-004 through CIP-011, and CIP-013, include EACMS associated with High and Medium impact BES Cyber Systems in their applicability, and the Intermediate System that CIP-005 R2 requires for Interactive Remote Access is itself an EACMS. In Sparx EA, EACMS assets carry the CIP-Asset stereotype with the eacms_flag tagged value set to Yes, which drives separate reporting in the compliance dashboard and ensures their distinct CIP requirements are tracked in the control mapping package.
How does Sparx EA support CIP-010 configuration management requirements?
CIP-010 requires documented baseline configurations for High and Medium impact BES Cyber Systems, with a change management process for any deviation from baseline and periodic vulnerability assessments. In Sparx EA, baselines are captured as Configuration Item elements linked to BES Cyber System components, with tagged values for OS version, installed software, network ports, and patch level. When a baseline changes, a new configuration item version is created, preserving the change history. The review date tagged value on each configuration item feeds the compliance dashboard’s upcoming obligations calendar, ensuring vulnerability assessment deadlines do not slip.
Can EA GraphLink support multiple NERC registered entities in one repository?
Yes. Sparx EA’s package structure supports multi-entity repositories where each registered entity has its own package branch with entity-specific asset inventories, ESPs, and control requirements. Shared infrastructure that supports multiple entities — common control centres, shared network infrastructure — is modelled in a shared package with entity relationships captured. The responsible_entity tagged value on CIP-Asset elements ensures reporting can be filtered by entity. EA GraphLink Power BI dashboards can be filtered by registered entity, allowing a holding company or regional transmission organisation to view compliance status entity by entity while maintaining a unified architecture repository.
What is the recommended Sparx Services engagement path for NERC CIP architecture?
The recommended path is Amplify — the compliance architecture practice engagement. Amplify builds a governed MDG for NERC CIP assets and controls, establishes the BES Cyber System inventory as the authoritative CIP-002 artefact, models existing ESPs and control mappings, and deploys EA GraphLink with the CIP compliance Power BI dashboard. For organisations starting without a Sparx EA deployment, a Discover engagement first assesses the asset landscape and compliance posture. For organisations that have Sparx EA but lack MDG governance, a Deploy engagement establishes the CIP MDG before compliance architecture work begins. Contact Sparx Services for a scoped estimate based on your registered entity count and BES Cyber System fleet size.
Next Step: Build Your CIP Compliance Architecture
NERC CIP audits are predictable — the requirements are known, the evidence expected is documented, and the gaps that regulators find are findable before an audit if you have the right architectural model in place.
An Amplify engagement from Sparx Services builds the CIP compliance architecture: BES Cyber System inventory, ESP models, control mapping, and the live compliance dashboard that keeps your team audit-ready year-round.
Talk to Sparx Services about a CIP compliance architecture engagement
Amplify engagements start at $45K. Discover first if you need a compliance posture baseline before scoping the architecture work.