| | |
|---|---|
| **Document ID** | CERG-GOV-JD-GOVCOMP-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Parent Policy** | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual |
| **Frameworks** | NIST SP 800-181r1 (NICE) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG-managed workforce |

---

# NERC-CIP Compliance Manager

**Job Family:** JF-GOVCOMP — Governance & Compliance
**Job Level Range:** L1-L4 (CERG Grade S1-S4/M3)
**CERG Canonical Role:** NERC-CIP Compliance Manager ([CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1)

---

## 1. Role Summary

The NERC-CIP Compliance Manager owns the organization's compliance posture for NERC Critical Infrastructure Protection standards. They manage the NERC-CIP evidence library, coordinate regulatory exams and audits, track deviations and mitigation plans, and ensure that BES Cyber System compliance is a steady state, not a pre-audit scramble.

## 2. NICE Workforce Framework Mapping

| Mapping Level | NICE Work Role | NICE Work Role ID | NICE Work Role Category |
|---------------|----------------|-------------------|-------------------------|
| Primary | Security Control Assessor | OV-SCA-001 | OV |

**NICE Work Role Definition:** See [JF-002](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) for the official NICE Work Role definition and complete CERG-to-NICE mapping. The NICE TKS database is available at https://www.nist.gov/nice/framework/.

## 3. Job Family & Level Placement

| Family | JF-GOVCOMP — Governance & Compliance |
|--------|---------------------------|
| Level Range | L1 through L4 |
| CERG Grade Range | S1-S4/M3 |
| Terminal Grade | S4/M3 — see [JA-001 §7](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) for details |
| Track | SME / Dual-track |

## 4. Key Responsibilities

### 4.1 Core Responsibilities (All Grades)

- Own the NERC-CIP compliance program: CIP-002 through CIP-011, plus CIP-014 (physical security) where applicable
- Maintain the NERC-CIP Operational Package: procedures, evidence requirements, compliance calendar, and self-assessment tools
- Manage the NERC-CIP evidence library: ensure every CIP requirement has current, auditable evidence
- Track CIP deviations and mitigation plans, ensuring timely remediation and regulatory reporting
- Coordinate NERC-CIP audits and regulatory exams: auditor logistics, evidence production, subject-matter-expert coordination, and response drafting
- Serve as the primary liaison to the Regional Entity and NERC for compliance matters
- Monitor NERC-CIP standards development and prepare the organization for new and revised requirements
- Partner with the OT Security Engineer and OT Risk Analyst to ensure compliance activities reflect operational reality
- Report CIP compliance posture to the Governance Pillar Leader and CISO
- Manage the CIP compliance team in large organizations; operate as an individual contributor in small ones

### 4.2 Grade-Level Responsibility Differentiation

Grade-level responsibility differentiation for this role is defined in [JA-001 §7](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) (Role-to-Grade Mapping). The grade definitions (S1-S4 SME Track, M1-M4 Management Track) and leveling dimensions are in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §4-5. Behavioral anchors at each grade are in [CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md).

## 5. Required Knowledge, Skills, and Abilities (KSAs)

### 5.1 Domain Expertise

- Deep expertise in NERC-CIP standards (CIP-002 through CIP-011) and the NERC compliance monitoring and enforcement program
- Evidence management and audit preparation for regulatory exams
- OT/ICS operational awareness: understanding of BES Cyber Systems, ESP design, and OT operational constraints
- Regulatory communication: ability to represent the organization to NERC, Regional Entities, and auditors
- Experience with compliance documentation tools and evidence management platforms

### 5.2 Technical Skills

Technical skills for this role are those listed in §5.1 (Domain Expertise), carried over from the original JD-001 content extracted into this file. Additional technical skill definitions aligned to NICE Skill Statements are maintained in [JF-002](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md).

### 5.3 CERG-Specific Knowledge

CERG-specific knowledge requirements for this role are defined in [OM-001 §6](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) (Canonical Role Roster) and [RAC-001 §7](../../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) (Role Descriptions). See §12 (Related CERG Documents) for the complete list of standards and procedures relevant to this role.

## 6. NICE TKS Statement References

The following Task, Knowledge, and Skill statements are extracted from the NIST NICE Framework v2.2.0 Work Role [OG-WRL-012 — NERC-CIP Compliance Manager primary mapping] and filtered by relevance to this CERG role. The full TKS database is maintained at https://www.nist.gov/nice/framework/.

| NICE TKS Type | Statement ID | Statement Summary | Relevance to This Role |
|---------------|-------------|-------------------|------------------------|
| Task | T1328 | Verify implementation of software, network, and system cybersecurity postures | Core work activity for this NICE Work Role |
| Task | T1339 | Develop cybersecurity compliance processes for external services | Core work activity for this NICE Work Role |
| Task | T1340 | Develop cybersecurity audit processes for external services | Core work activity for this NICE Work Role |
| Task | T1361 | Determine the impact of new system and interface implementations on organization's cybersecurity posture | Core work activity for this NICE Work Role |
| Task | T1362 | Document impact of new system and interface implementations on organization's cybersecurity posture | Core work activity for this NICE Work Role |
| Knowledge | K0680 | Knowledge of cybersecurity principles and practices | Foundational knowledge for this role |
| Knowledge | K0681 | Knowledge of privacy principles and practices | Foundational knowledge for this role |
| Knowledge | K0685 | Knowledge of access control principles and practices | Foundational knowledge for this role |
| Knowledge | K0687 | Knowledge of business operations standards and best practices | Foundational knowledge for this role |
| Knowledge | K0689 | Knowledge of network infrastructure principles and practices | Foundational knowledge for this role |
| Skill | S0136 | Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), an... | Core capability for this role |
| Skill | S0465 | Skill in identifying critical infrastructure systems | Core capability for this role |
| Skill | S0642 | Skill in identifying evidence of past intrusions | Core capability for this role |
| Skill | S0015 | Skill in conducting test events | Core capability for this role |
| Skill | S0097 | Skill in applying security controls | Core capability for this role |

> **Full TKS Reference:** The complete TKS statement set for the primary NICE Work Role (OV-SCA-001 → OG-WRL-012) is in the NICE Framework Components v2.2.0 dataset ([download](https://csrc.nist.gov/csrc/media/Projects/cprt/documents/nice/v2-2-0_nf_components.json)). JF-002 contains the complete CERG-to-NICE crosswalk with secondary role mappings.

## 7. Typical Qualifications

### 7.1 Education

- 7-15+ years in NERC compliance, OT cybersecurity, or regulated energy-sector organization operations
- Bachelor's degree or equivalent experience in the regulated energy-sector industry
- Relevant certifications: CISSP, CISA, NERC-specific training credentials, or equivalent

### 7.2 Certifications

Certifications for this role are defined in [TRN-001 §3](../../governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) (Certification Matrix). The matrix specifies Required, Recommended, and Aspirational certifications per role and grade.

### 7.3 Experience

Typical experience ranges by grade are defined in [JA-001 §4-5](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md). See §7.1 (Education) above for education requirements.

## 8. Key Performance Indicators (KPIs)

KPIs for this role are defined in [MTR-001](../../governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md) (Metrics, Dashboard, and CISO/Board Reporting). KPI allocation by job family and grade-level thresholds are documented in [PERF-001](../../governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md). Each role's evaluation criteria are embedded in the per-role JD document structure defined by [JF-001](../CERG-GOV-JF-001_Job_Families_Overview.md).

## 9. Competency Expectations by Grade

Competency expectations for this role follow the Governance pillar behavioral anchors from [CERG-GOV-CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md). Each cell describes observable behavior demonstrating the competency at that grade. Anchors are cumulative: an L3 expectation includes the L1 and L2 anchors.

| Competency Domain (CMP-001) | L1 Expectation | L2 Expectation | L3 Expectation | L4 Expectation |
|-----------------------------|----------------|----------------|----------------|----------------|
| Technical Depth | Operates the Governance pillar's tools (document management system, evidence library, GRC platform). Executes evidence collection, control testing, or policy review tasks from established procedures. Reads and correctly interprets CERG standards and regulatory requirements in their assigned domain. | Owns a compliance domain. Independently collects, organizes, and presents evidence for audits and assessments. Maps regulatory requirements to CERG controls and identifies gaps. Authors compliance documentation that requires minimal revision. | Shapes the organization's compliance strategy for their domain. Designs evidence collection workflows that survive auditor scrutiny. Interprets ambiguous regulatory guidance and produces defensible organizational positions. | Sets the compliance and governance bar for the entire Governance pillar. Called upon for the hardest regulatory interpretation questions. Represents the organization to regulators, assessors, and auditors as the authoritative technical voice. |
| Cross-Pillar Fluency | Understands the basic functions of Engineering and Risk pillars. Reads engineering architecture outputs and risk assessments that affect their compliance work. | Engages Engineering and Risk as partners in compliance, not subjects of it. Understands the technical reality behind the controls they are assessing. Requests evidence in terms the providing pillar understands. | Translates between regulatory language and technical reality in both directions. Anticipates which engineering or risk decisions will have compliance implications before they are made. | Operates fluently across all three pillars. Engages with Engineering on architecture and Risk on exposure posture as a peer. |
| Risk Judgment | Applies the risk taxonomy when documenting compliance findings. Understands the relationship between control failures and organizational risk. | Assesses the risk implication of control gaps in their domain. Prioritizes compliance findings by actual risk to the organization, not by framework numbering. | Evaluates the risk impact of regulatory changes. Advises leadership on the risk trade-offs of compliance decisions. Correlates compliance findings with vulnerability and threat data. | Shapes organizational risk decisions through the compliance lens. Advises the CISO on the risk implications of regulatory strategy. |
| Communication | Writes clear evidence descriptions, control test results, and compliance status updates. Communicates evidence requests to Engineering and Risk without ambiguity. | Presents compliance status and findings to pillar leadership. Translates regulatory requirements into language project teams can act on. Writes policy and standard sections that are clear and enforceable. | Represents the organization to auditors, assessors, and regulators as a primary point of contact. Writes regulatory responses and compliance positions adopted by leadership. | Communicates the organization's compliance posture to the board, regulators, and external stakeholders. Shapes the organization's regulatory narrative. |
| Operational Discipline | Follows evidence management procedures. Documents compliance activities in the designated systems. Meets regulatory filing deadlines. Maintains organized, retrievable evidence packages. | Owns the compliance calendar for their domain. Ensures evidence is collected, reviewed, and stored on schedule. Maintains audit-ready evidence packages at all times. | Designs compliance operations that are sustainable year-round. Ensures the Governance pillar's operational cadence is documented, measured, and improving. | Sets operational standards for the Governance pillar. Defines what "audit-ready" means in measurable terms. |
| Influence and Mentorship | Learns from senior Governance staff. Asks good questions about regulatory interpretation and evidence standards. Supports peers during audit preparation. | Trains new Governance staff on compliance domains and evidence procedures. Peer-reviews compliance documentation. Their regulatory knowledge is sought by Engineering and Risk staff. | Mentors Governance staff across compliance domains. Influences how the organization approaches regulatory compliance, moving from reactive to proactive. | Develops the compliance capability of the entire Governance team and the broader organization. Sets the quality bar for regulatory interpretation, evidence standards, and auditor engagement. |
| Compliance and Regulatory Literacy | Knows the regulatory frameworks in the organization's scope. Can describe the structure and key requirements of each. Correctly applies framework terminology. | Deep knowledge of the regulatory frameworks in their domain. Independently interprets regulatory requirements and maps them to organizational controls. | Authority on their regulatory domain. Interprets ambiguous regulatory guidance and produces defensible positions. Anticipates regulatory changes. | Shapes the organization's regulatory strategy. Engages directly with regulators and industry bodies on regulatory development. |
| Continuous Learning | Completes assigned training. Pursues foundational certifications. Learns the organization's regulatory landscape. | Maintains current certifications. Tracks regulatory developments and framework updates relevant to their domain. | Pursues advanced certifications. Contributes to the Governance body of knowledge through documented regulatory analysis. | Recognized externally for regulatory or compliance expertise. Contributes to regulatory development, industry standards, or professional certification bodies. |

> **Full Reference:** See [CERG-GOV-CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) for the complete competency model, including the Management Track addendum (§7) and guidance on using the model for hiring, development, and promotion (§8).

## 10. Success Profile

A NERC-CIP Compliance Manager is successful when compliance is a continuous operational state, not a periodic audit event. Key indicators: evidence packages are audit-ready at all times, not just during audit windows; NERC-CIP non-compliance findings are trending down; the evidence collection burden on Engineering is stable or decreasing year over year; the compliance calendar is accurate to within a week for every filing deadline. The manager ensures that the answer to "can you prove compliance?" is always yes, with a single click.

## 11. Career Path

### 11.1 Within-Family Progression

Within JF-GOVCOMP, this role can progress on either a senior SME path or a management path depending on organizational scale. The SME path follows L2/S2 through L4/S4 as the role gains deeper regulatory interpretation authority, audit representation capability, policy authorship, and cross-framework judgment. The management path generally runs from M1 to M3 when the role leads analysts, owns a compliance function, manages calendars and evidence operations, and contributes to budget and staffing decisions. See [JF-001 §9.3](../CERG-GOV-JF-001_Job_Families_Overview.md#93-jf-govcomp--governance--compliance-levels) and [JA-001 §7.4](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md#74-governance-pillar).

---

### 11.2 Cross-Family Movement

Cross-family movement options are defined in the [Family-to-Family Career Lattice (JF-001 §4)](../CERG-GOV-JF-001_Job_Families_Overview.md#4-family-to-family-career-lattice). The Left-Right Knowledge Model ([FRM-001 §9.2](../../governance/CERG-GOV-FRM-001_CERG_Framework.md)) and cross-training expectations ([OM-001 §10.4](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md)) operationalize cross-family career movement.

### 11.3 Management Track Option

At L3+ (SME track), a Management track option may be available per [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §8.1 (SME to Management Transition). Readiness indicators include: consistently sought out for guidance by junior team members, leading cross-functional initiatives without formal authority, and communicating clearly with non-technical stakeholders. The transition is a track change, not a grade promotion — an S3 Advisor moving to M1 Manager carries their technical credibility into the management role. Management competencies are defined in [CERG-GOV-CMP-001](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) §7. See [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §5 for Management grade definitions (M1-M4) and §9 (Span of Control and Team Design) for when to create a management role.

## 12. Related CERG Documents

| Document | ID | Relevance |
|----------|-----|-----------|
| Operating Model | [`CERG-GOV-OM-001`](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) | Canonical role name; pillar structure |
| RACI Instrument | [`CERG-GOV-RAC-001`](../../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) | This role's accountability assignments |
| Job Architecture | [`CERG-GOV-JA-001`](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) | Grade definitions; progression criteria |
| Competency Model | [`CERG-GOV-CMP-001`](../../governance/CERG-GOV-CMP-001_Competency_Model_and_Behavioral_Anchors.md) | Full behavioral anchors |
| Performance Framework | [`CERG-GOV-PERF-001`](../../governance/CERG-GOV-PERF-001_Performance_Management_and_Promotion_Framework.md) | Performance review cadence and calibration |
| Training Framework | [`CERG-GOV-TRN-001`](../../governance/CERG-GOV-TRN-001_Training_Development_and_Certification_Framework.md) | Certification matrix |
| Job Families Overview | [`CERG-GOV-JF-001`](../CERG-GOV-JF-001_Job_Families_Overview.md) | Family structure and level definitions |
| NICE Crosswalk | [`CERG-GOV-JF-002`](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) | NICE Work Role mapping |

---

## 13. Document Control

| Field | Value |
|---|---|
| **Document ID** | CERG-GOV-JD-GOVCOMP-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Effective Date** | 2026-06-11 |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Approved By** | CISO |
| **Parent Policy** | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Annual |
| **Next Scheduled Review** | 2027-06-11 |
| **Frameworks** | NIST SP 800-181r1 (NICE) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG-managed workforce |

### Revision History

| **Version** | **Date** | **Author** | **Change Summary** |
|---|---|---|---|
| 1.0 | 2026-06-11 | Governance Pillar Leader | Initial release. Extracted from monolithic JD-001 into enhanced per-role format with NICE mapping, KPI sections, and competency anchor sections. |

### Review Triggers

- Change to this role's definition in [CERG-GOV-OM-001](../../governance/CERG-GOV-OM-001_CERG_Operating_Model.md) §6.1
- Change to this role's NICE Work Role mapping in JF-002
- Change to this role's grade range in [CERG-GOV-JA-001](../../governance/CERG-GOV-JA-001_Job_Architecture_and_Grade_Framework.md) §7
- Direction from the CISO

Governance owns this document. The Governance Pillar Leader (Policy & Standards) is responsible for initiating reviews, managing the revision cycle, and obtaining approval for all changes.

### Related Documents

| **Document** | **ID** | **Relationship** |
|---|---|---|
| Cybersecurity Policy | [`CERG-POL-001`](../../governance/CERG-POL-001_Cybersecurity_Policy.md) | Parent policy |
| Job Families Overview | [`CERG-GOV-JF-001`](../CERG-GOV-JF-001_Job_Families_Overview.md) | Family structure and level definitions |
| NICE Crosswalk | [`CERG-GOV-JF-002`](../CERG-GOV-JF-002_NICE_Workforce_Framework_Crosswalk.md) | NICE Work Role mapping |
