If you’ve spent any time in the world of NERC compliance, you’ve filled out a Reliability Standard Audit Worksheet (RSAW). Maybe even hundreds of them. And if you’re like most compliance pros, you have mixed feelings about RSAWs. A little gratitude, a lot of frustration, and the occasional “why are we still filling these out?” type of thoughts. But the winds are shifting, and RSAWs are slowly being retired across the entire industry. In this article, we’ll explore why RSAWs were originally created, the purpose they served, and why their time is up as utilities are modernizing their NERC Governance, Risk, and Compliance (GRC) programs.
What Are NERC RSAWs?
When RSAWs first entered the NERC compliance scene back in 2011, they were designed with good intentions. The idea was to bring structure, consistency, and clarity to the NERC CIP and NERC O&P audit process. Every standard had its own RSAW, which acted as a shared guidebook for both auditors and registered entities.
RSAWs clarified audit expectations by outlining exactly what NERC auditors were looking for, which helped entities prepare the right evidence to demonstrate. They also brought a level of consistency across the Regional Entities. Before RSAWs, one auditor might ask for logs while another asked for process narratives, and that chaos created compliance uncertainty. RSAWs aimed to smooth those differences out.
RSAWs were also helpful for internal self-assessments and internal audits. Compliance teams could use them as checklists to measure their audit readiness long before the audit started. And perhaps most importantly, RSAWs served as an audit time capsule. A written trail that documented what was reviewed, what was submitted, and how compliance was determined, all in an ever-growing single Word document. What could go wrong?
Somewhere along the way, the RSAW lost its way as a helpful tool into the actual compliance program itself.
Why RSAWs Are Being Retired?
If you’ve been a part of the evolution of NERC CIP or O&P audits over the last decade, the coming retirement of RSAWs might not sound like a surprise. The entire approach to compliance is moving away from checkbox-style validation and towards a model that’s dynamic, risk-informed, and grounded in real operational rhythm.
One of the biggest issues with RSAWs is that they became the embodiment of NERC compliance theater. Organizations were spending so much time making the RSAW “look” perfect, even when their actual security controls weren’t correlating in strength. Compliance teams could copy and paste old narratives, reuse legacy screenshots, and craft convincing stories, all while their critical compliance processes were breaking down.
This kind of documentation-focused mindset created a dangerous disconnect between paper security and reality. A good RSAW could mask a poor security posture. At the same time, teams with strong controls, but weak writing skills, could end up getting flagged for findings or a more stringent audit experience. RSAWs didn’t seem to be the answer anymore based on the original intent of their design.
On top of that, the nature of NERC audits has changed. NERC ERO auditors no longer want to just read a Word doc. They want access to real evidence: change tickets, firewall configurations, system access logs, and incident response records. They want to sit down, open up your firewall interface, and walk through it with your team in real time. RSAWs simply can’t keep up with that pace of discussion.
Another huge shift for NERC audits has been the growing emphasis on Internal Control Evaluations (ICEs). Instead of proving that you met each requirement line by line, the focus is now on explaining how your controls reduce overall risk. For example, a strong NERC access management program can reduce the scrutiny you face under CIP-004. Layered defenses and real-time monitoring can minimize review times under CIP-007. It’s about the bigger picture.
RSAWs never really supported that kind of thinking. They forced a rigid narrative, one linear requirement at a time. But operational security doesn’t work that way. Controls are interconnected. Risks evolve. Programs are fluid.
And then there’s automation. Most modern compliance programs are built using NERC GRC platforms that tie evidence directly to controls. Policies are linked to tickets, logs, and alerts. Dashboards show real-time status for every domain. You can run a control test and generate audit-ready documentation in minutes. RSAWs were never designed for this kind of world. They became static artifacts in an automated, living system.
Reasons RSAWs are Becoming a Legacy Compliance Tool
Imagine you’re a NERC registered entity and have a team of 9 divisions to cooperate on a CIP-004 Access Management audit. During this process you’ll most likely have 9 narratives around how a process is done, which someone is voluntarily forced to write down in plain English into a shared Word document, all while attempting to sound like a scholarly PhD explaining technical processes and workflows.
Take it a step further, coordinating these 9 teams is challenging when calendar reminders and email notes become the driving force behind the compliance program. Oh, and let’s hope that Word document doesn’t crash halfway through the 5th person making their adjustments in the document.
The enterprise ERO is primarily leading the charge on changing the game for NERC audits. The introduction of Align, the Evidence Request Tool (ERT), and the Secure Evidence Locker (SEL) has created a separation of compliance narratives and compliance evidence. It’s important to note that the RSAW tried to do too much and naturally has matured into a variety of focused compliance tools. Let’s look at some of the common reasons RSAWs are becoming a legacy compliance tool:
–Shared Document – Microsoft Word never crashes, right? When 9 people need to access a single document, it becomes a version control nightmare. Typically left to someone to consolidate voices, narratives, tone, and logic to make sense for an auditor.
-Hours of prep work – Formatting a Word document takes forever. Move a character 1 pixel to the right and it destroys all the beautiful formatting you spent hours crafting.
-Ongoing updates – Accessing the RSAW for ongoing updates typically only happens when required, sometimes once a quarter or year. This leaves opportunity for gaps.
-Separation of Evidence and Narratives – the RSAW is a document that tracks narratives around controls. While references to evidence have been standard, auditors will be using the ERT and SEL to acquire secure evidence beyond the RSAW using Requests for Information (RFIs).
-Rigid, linear flow – RSAWS are designed to be linear by nature, moving requirement by requirement. While this may be effective, compliance programs have broad controls that intersect with a variety of technology, processes, and people.
-Lack of automated alerts for compliance tasks – This is when the RSAW starts to really break down. As compliance tasks come up, the RSAW document doesn’t have built in reminders, notifications, and alerts for critical compliance tasks. So now a manual process must be implemented (and managed) with additional resources to hope tasks are completed.
-Lack of historical access/change records – As your NERC compliance program operates month over month and year over year, changes will naturally happen. In order to track these changes, someone must manually type in who changed what or keep a change record at the bottom of the document. Even more confusing is when a document is “checked out” and 9 other people have local “versions” they want to upload, creating a compliance organization nightmare.
What’s Replacing RSAWs?
So what happens now that RSAWs are fading out? Well the good news is that we’re not abandoning this structure altogether. We’re now building smarter processes around how NERC compliance is managed, demonstrated, and audited.
One of the most important changes is how audits are scoped. Instead of reviewing every single requirement every time, audit teams start with a risk profile. That means looking at your entity’s size, past audit history, system complexity, and recent changes. If you’ve proven that your controls are mature and well documented, your audit scope might shrink.
Audits will also rely more on dynamic evidence requests and RFIs. That means fewer weeks spent filling out narrative templates, and more real-time interviews and system walkthroughs. Auditors will ask to see the change record, and instead of reading a description, you’ll pull it up and show them. They’ll want screenshots or access to a secure portal. The process becomes less about the paperwork and more about actual performance of your NERC compliance program.
In place of RSAWs, expect to develop internal control documentation. These narratives will explain how your organization manages specific risks related to the controls that identify, assess, and correct compliance deficiencies. They’ll walk through your preventive, detective, and corrective controls, and show how those map to the NERC CIP requirements and/or the NERC O&P requirements. But the focus will be on how the overall compliance program works, not just what evidence it produces.
We’re also seeing the rise of readiness and maturity assessments, where regions come in before the official NERC audit to evaluate how your controls are functioning. These assessments are more collaborative and proactive. They’re designed to help entities improve, not just catch compliance mistakes.
Lastly, NERC released new compliance tools for evidence collection: ALIGN and Secure Evidence Locker (SEL). The ERT is an ERO-wide format for handling RFIs. It has been designed to increase consistency and transparency around NERC audits and evidence review. All of these new compliance tools are designed to replace the legacy RSAW format and move towards a risk-based, modern approach to NERC GRC programs. You’ll notice an RSAW narratives section in the NovaSync dashboard below, but uses smart controls and alerts to engage compliance team’s for required tasks.
What Does Life After RSAWs Look Like?
If your team is still building its entire audit approach around RSAWs, it’s time to rethink your strategy. Start by repositioning your documentation around internal controls. Think about how each process you run contributes to reducing risk. Don’t just gather evidence, connect it to controls and explain why those controls matter.
Invest in tools that let you automate evidence collection. If you’re still manually pulling logs, emails, and screenshots before every audit, you’re burning time that could be better spent managing risk.
And finally, test yourself. Run a mock audit to get a feel for how to describe your program in the real-world. Can your team demonstrate your compliance program with knowledge of the controls and evidence you have on hand? Practice makes perfect, and the more your team practices talking about your compliance program, the more they will know where to focus their efforts next.
RSAWs helped shape the early days of NERC compliance and we will be forever grateful for them as a tool during that time of uncertainty. They brought clarity when we needed it most. But today, they’re standing in the way of faster, smarter, more effective audits. Great NERC compliance programs are about demonstrating that your systems are secure, your people are trained, and your defined processes work as expected.
Retiring RSAWs isn’t a loss. It’s a sign of maturity and modern compliance programs have been embracing the change. It means we’re finally ready to focus on what matters most: operational risk, real data, and resilient infrastructure. Driving change is not easy, but can be accomplished with the right technology and support.
NovaSync is built by NERC compliance experts to help automate all of the routine compliance tasks to manage an effective NERC compliance program. If you are ready to modernize your NERC compliance program or are just curious how other entities are saving thousands of hours on compliance, reach out for a live demo of the NovaSync NERC GRC platform.