NERC CIP only addresses the bulk power system, leaving a large portion of the electric grid without defined cybersecurity protection practices. It is also dauntingly complex and confusing, with some truly bad advice, i.e., the 15-minute rule to identify Cyber Assets. The NIST Cybersecurity Framework (CSF) Version 1.1 is more comprehensive, concise and effective than NERC CIP, with application across all critical infrastructure, including electric, gas, water, transportation, healthcare and communications. My recommendation is to follow the NIST CSF Version 1.1, with specific guidance provided by NIST SP 800-53, SP 800-160 and, for software supply chain protections, SP 800-161 (a/k/a NIST C-SCRM), combined with the NTIA Software Bill of Materials (SBOM) for best practice.
Never trust software, always verify and report! (TM)