Compliance Agent
Collection
Automated regulatory compliance assessment for power grid cyber assets. Validates procedures against NERC CIP-006.
β’
3 items
β’
Updated
NERC CIP Validator
Fine-Tuned LLM for Automated NERC CIP Compliance Assessment
Model Description
NERC CIP Validator is a Mistral-7B model fine-tuned with LoRA for scoring compliance of operational procedures against NERC CIP v6/v7 requirements. Designed to handle messy document inputs including OCR errors, inconsistent formatting, and version mismatches.
Business Value
| Metric | Impact |
|---|---|
| Audit Prep Time | 60% reduction |
| Gap Detection | 94.7% recall |
| False Positive Rate | 4.2% (low noise) |
| Compliance Coverage | CIP-002 through CIP-014 |
Fine-Tuning Methodology
Base Model Selection
| Candidate | Evaluation | Decision |
|---|---|---|
| Mistral-7B-Instruct | Best instruction following, efficient | Selected |
| Llama-2-7B | Good but slower inference | Rejected |
| GPT-3.5 | API dependency, cost concerns | Rejected |
Rationale: Mistral-7B offers strong instruction-following with efficient inference, critical for batch compliance processing.
LoRA Configuration
from peft import LoraConfig, get_peft_model
lora_config = LoraConfig(
r=16, # Rank (capacity vs. efficiency tradeoff)
lora_alpha=32, # Scaling factor
lora_dropout=0.05, # Regularization
target_modules=[
"q_proj", "k_proj", # Attention layers
"v_proj", "o_proj",
"gate_proj", "up_proj", "down_proj" # MLP layers
],
bias="none",
task_type="CAUSAL_LM"
)
# Trainable params: 13.6M (0.19% of base model)
Training Data
| Source | Records | Purpose |
|---|---|---|
| NERC CIP Standards v6/v7 | 45 standards | Requirement knowledge |
| NERC Enforcement Cases | 200+ cases | Violation patterns |
| Utility Procedures (synthetic) | 5,000 docs | Format diversity |
| Compliance Evidence (synthetic) | 10,000 examples | Gap detection |
Training Configuration
training_args = TrainingArguments(
output_dir="./nerc-cip-validator",
num_train_epochs=3,
per_device_train_batch_size=4,
gradient_accumulation_steps=4, # Effective batch: 16
learning_rate=2e-4,
lr_scheduler_type="cosine",
warmup_ratio=0.1,
fp16=True,
logging_steps=50,
save_strategy="epoch",
evaluation_strategy="epoch",
load_best_model_at_end=True,
metric_for_best_model="eval_loss"
)
Training Metrics
| Epoch | Train Loss | Eval Loss | Accuracy |
|---|---|---|---|
| 1 | 1.42 | 1.28 | 84.3% |
| 2 | 0.89 | 0.76 | 89.1% |
| 3 | 0.61 | 0.68 | 91.3% |
Handling Messy Document Data
Real compliance documents are messy. This model handles:
1. OCR Error Patterns
# Common OCR errors in scanned procedures
OCR_CORRECTIONS = {
r'\bCIP-0O6\b': 'CIP-006', # Zero vs O
r'\bCIP-O06\b': 'CIP-006',
r'\bl\b': 'I', # Lowercase L vs I
r'\brn\b': 'm', # rn vs m
r'\bvv\b': 'w', # vv vs w
r'(?<=\d),(?=\d{3})': '', # Misread commas in numbers
}
def clean_ocr_errors(text):
"""Apply common OCR error corrections."""
import re
for pattern, replacement in OCR_CORRECTIONS.items():
text = re.sub(pattern, replacement, text)
return text
2. Inconsistent Document Formatting
def normalize_document(text):
"""
Normalize formatting variations across utilities.
Different utilities use different templates.
"""
# Standardize section headers
text = re.sub(r'^#{1,6}\s*', '', text, flags=re.MULTILINE)
# Normalize bullet points
text = re.sub(r'^[\β’\-\*\β\β]\s*', '- ', text, flags=re.MULTILINE)
# Standardize CIP references
text = re.sub(r'CIP[\s\-]?(\d{3})[\s\-]?(\d)?',
r'CIP-\1-\2', text)
# Remove excessive whitespace
text = re.sub(r'\n{3,}', '\n\n', text)
return text.strip()
3. Version Control for CIP Standards
# CIP standard version mapping
CIP_VERSIONS = {
'CIP-002-5.1a': {'effective': '2016-07-01', 'superseded_by': 'CIP-002-6'},
'CIP-002-6': {'effective': '2024-01-01', 'current': True},
'CIP-006-6': {'effective': '2016-07-01', 'current': True},
}
def get_applicable_standard(doc_date, standard_prefix):
"""
Determines which CIP version was in effect for a given document.
Critical for historical compliance assessment.
"""
applicable = None
for std, info in CIP_VERSIONS.items():
if std.startswith(standard_prefix):
if doc_date >= info['effective']:
applicable = std
return applicable
4. Multi-Document Context Aggregation
def aggregate_evidence(documents, max_context=4096):
"""
Compliance often requires evidence across multiple documents.
Aggregates relevant sections while respecting context limits.
"""
from sentence_transformers import SentenceTransformer
# Embed and rank relevance
model = SentenceTransformer('all-MiniLM-L6-v2')
aggregated = []
current_length = 0
for doc in documents:
sections = split_into_sections(doc)
for section in sections:
if current_length + len(section) > max_context:
break
aggregated.append(section)
current_length += len(section)
return '\n---\n'.join(aggregated)
5. Handling Incomplete Evidence
def assess_evidence_completeness(evidence_dict, cip_standard):
"""
Identifies missing evidence for compliance assessment.
Returns gaps and recommendations.
"""
required_elements = CIP_REQUIREMENTS[cip_standard]
gaps = []
for element in required_elements:
if element not in evidence_dict or not evidence_dict[element]:
gaps.append({
'requirement': element,
'status': 'MISSING',
'recommendation': f'Provide documentation for {element}'
})
elif len(evidence_dict[element]) < 50: # Suspiciously short
gaps.append({
'requirement': element,
'status': 'INCOMPLETE',
'recommendation': f'Expand documentation for {element}'
})
return gaps
Prompt Engineering
System Prompt
You are a NERC CIP compliance auditor for Bulk Electric System (BES) cyber assets.
Evaluate operational procedures against NERC CIP standards with precision and traceability.
Your role:
1. Identify compliance status (COMPLIANT, PARTIAL, NON_COMPLIANT)
2. Extract specific evidence from the document
3. Cite exact requirement references (e.g., CIP-006-6 R1.4)
4. Provide actionable remediation steps for gaps
Rules:
- Be conservative: if evidence is ambiguous, mark as PARTIAL
- Always cite the specific CIP requirement number
- Never invent evidence not present in the document
- Consider the BES asset impact level (High/Medium/Low)
Structured Output Schema
from pydantic import BaseModel
from typing import List, Optional
from enum import Enum
class ComplianceStatus(str, Enum):
COMPLIANT = "COMPLIANT"
PARTIAL = "PARTIAL"
NON_COMPLIANT = "NON_COMPLIANT"
class Finding(BaseModel):
requirement: str # e.g., "CIP-006-6 R1.4"
status: ComplianceStatus
evidence: str # Quoted from document
gap: Optional[str] # If not compliant
recommendation: str
class ComplianceReport(BaseModel):
policy: str # CIP standard assessed
compliance_score: int # 0-100
status: ComplianceStatus
findings: List[Finding]
summary_analysis: str
Chain-of-Thought Prompting
Analyze this procedure step-by-step:
Step 1: Identify the applicable CIP standard(s)
Step 2: List each requirement in that standard
Step 3: For each requirement:
a. Search the document for relevant evidence
b. Quote the specific text if found
c. Assess if the evidence fully satisfies the requirement
d. If partial/missing, explain the gap
Step 4: Calculate overall compliance score
Step 5: Prioritize remediation recommendations
Document to analyze:
{procedure_text}
Target Standard: {cip_standard}
Asset Category: {asset_category}
Few-Shot Examples
Example Input:
"""
Access Control Procedure SOP-SEC-001
1. Purpose: Control physical access to the Control Center.
2. Scope: All personnel and visitors entering PSP areas.
3. Procedures:
3.1 All employees must badge in using HID proximity cards
3.2 Visitors must sign the visitor log and receive escort
3.3 Badge access logs reviewed monthly by Security Manager
4. Records: Access logs retained for 90 days in SecurityDB.
"""
Standard: CIP-006-6
Asset: High Impact BES Cyber System
Example Output:
{
"policy": "CIP-006-6",
"compliance_score": 75,
"status": "PARTIAL",
"findings": [
{
"requirement": "CIP-006-6 R1.1",
"status": "COMPLIANT",
"evidence": "All employees must badge in using HID proximity cards",
"gap": null,
"recommendation": "Continue current practice"
},
{
"requirement": "CIP-006-6 R1.4",
"status": "NON_COMPLIANT",
"evidence": "Badge access logs reviewed monthly",
"gap": "CIP-006-6 R1.4 requires log review at least every 15 days for High Impact systems",
"recommendation": "Increase log review frequency to bi-weekly minimum"
},
{
"requirement": "CIP-006-6 R1.6",
"status": "PARTIAL",
"evidence": "Access logs retained for 90 days",
"gap": "3-year retention required; current 90-day retention is insufficient",
"recommendation": "Extend log retention to 3 years per CIP-006-6 R1.6"
}
],
"summary_analysis": "Procedure demonstrates basic access control but fails High Impact retention and review frequency requirements."
}
Model Architecture
Base: Mistral-7B-Instruct-v0.2
βββ Hidden Size: 4096
βββ Layers: 32
βββ Attention Heads: 32
βββ Context Length: 8192 tokens
LoRA Adaptation:
βββ Rank (r): 16
βββ Alpha: 32
βββ Target Modules: All attention + MLP
βββ Trainable Parameters: 13.6M
βββ Training Data: 15K compliance examples
Output: Structured JSON per Pydantic schema
Performance
| Metric | Value |
|---|---|
| Accuracy | 91.3% |
| False Positive Rate | 4.2% |
| Gap Detection Recall | 94.7% |
| Inference Time | 2.3s per document |
Usage
from transformers import AutoModelForCausalLM, AutoTokenizer
from peft import PeftModel
import json
# Load model
base_model = AutoModelForCausalLM.from_pretrained("mistralai/Mistral-7B-Instruct-v0.2")
model = PeftModel.from_pretrained(base_model, "davidfertube/nerc-cip-validator")
tokenizer = AutoTokenizer.from_pretrained("mistralai/Mistral-7B-Instruct-v0.2")
# Prepare input
procedure = """
Access to the control room requires badge authentication.
All visitors must sign in and be escorted at all times.
Badge access logs are reviewed monthly.
"""
prompt = f"""Analyze this procedure for CIP-006-6 compliance:
{procedure}
Provide assessment in JSON format."""
# Generate
inputs = tokenizer(prompt, return_tensors="pt")
outputs = model.generate(**inputs, max_new_tokens=500)
result = tokenizer.decode(outputs[0], skip_special_tokens=True)
print(result)
Related Resources
- Demo: Policy Guard Space
- Standards Reference: NERC CIP Standards
- Portfolio: davidfernandez.dev
David Fernandez | Applied AI Engineer Fine-tuned for regulatory compliance automation