CMEP IP: Physical Security

The 2026 Electric Reliability Organization (ERO) Enterprise Compliance Monitoring and Enforcement Program (CMEP) Implementation Plan (IP) identifies six major risk elements to the Bulk Electric System (BES). One major risk element identified that continues to be an area of focus is physical security, which was broadened in 2026 to include CIP-006-6, R1.

This addition includes ten requirement parts that collectively are designed to protect BES Cyber Systems (BCS) from compromise through implementation of physical security plans. Some of the essential requirement parts are outlined below:

• Operational or procedural controls to restrict physical access
• Documenting controls that monitor Physical Access Control Systems (PACS)
• Restricting and monitoring physical access into applicable Physical Security Perimeters (PSPs)
• Maintaining accurate physical access logs for applicable PSPs
• Restricting and monitoring of cabling and other nonprogrammable communication components in relation to an identified Electronic Security Perimeter (ESP) or PSP

Registered entities may want to consider implementing additional internal controls to strengthen their physical security posture. For example, conducting periodic reviews of your organization’s physical security plan and associated controls can identify areas of improvement and validate that security controls are working as designed.

For more information and further guidance on implementing best practices related to physical security controls, Texas RE encourages registered entities to review the physical and environmental (PE) protection family of security controls documented in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5