Scott Aaronson nails it "Cybersecurity is a team sport" and more can be done to protect the entire electric grid from cyber threats, not just the Bulk Electric System, which NERC focuses on. Click the link below to watch a 5 minute video showing how States and Federal entities can work together to secure the entire electric grid from cyber-attacks.
With the new Cyber Incident Reporting Act legislation in place there is now an opportunity to protect the entire grid, from generation to consumption, from cyber-threats by engaging State Regulators with CISA and DOE initiatives aimed at providing all critical infrastructure operators, including small and medium entities like munis and coops, i.e. NRECA and APGA, with the help they need to secure their critical infrastructure operations from cyber-threats. State regulators have the connections needed to ensure that all critical infrastructure operators have the tools and resources they need to protect themselves from cyber-criminal threats. DOE, as the SRMA for energy, may wish to consider an approach that leverages these State entities to ensure that NIST/CISA cybersecurity best practice protections are being implemented across the entire electric grid and all critical infrastructures. That's a win-win for public-private partnership, IMO.