How Florida Power & Light Strengthened Risk Mitigation and NERC CIP Compliance With ChangeGear

In the utility industry, reliability is everything.

Electric companies are expected to be stable, secure, and resilient at all times. But behind that expectation is a difficult operational reality. Large energy providers have to manage geographically dispersed infrastructure, thousands of connected devices, and strict regulatory requirements, all while keeping critical systems running without interruption.

That was the challenge facing Florida Power & Light.

As the largest energy company in the United States by retail electricity produced and sold, FP&L serves more than 5.6 million customer accounts and supports more than 12 million residents across Florida. The company operates one of the cleanest power generation fleets in the country and has been widely recognized for reliability, trust, and operational excellence. But even at that scale, maintaining control over digital infrastructure and compliance processes remained a growing challenge.

A high-performing utility facing a high-stakes infrastructure challenge

Utilities do not operate in a simple environment.

For FP&L, managing and securing infrastructure across a broad geographic footprint meant dealing with thousands of networked devices, a wide range of platforms, and an evolving set of compliance expectations. Like banking and healthcare, the energy sector is highly regulated. And in the case of utilities, much of that pressure is tied to protecting the assets that support the bulk electric system.

That is where NERC CIP comes in.

The North American Electric Reliability Corporation Critical Infrastructure Protection requirements are designed to secure the assets required for operating North America’s bulk electric system. While the framework provides structure, the day-to-day reality of maintaining accurate visibility across such a large and varied environment is far more difficult.

Configuration items are constantly changing. Assets are replaced. Technologies evolve. Locations expand. And when inventory or security information becomes outdated, the risk is not just operational. It can lead directly to negative audit findings.

The problem: too much manual work and not enough baseline control

One of FP&L’s biggest pain points was situational awareness.

Manually collected data was often not enough. In many cases, it was outdated by the time it could be used. That created a major challenge in an environment where infrastructure must be continuously documented, categorized, and aligned with policy.

FP&L had previously used IBM Tivoli Netcool Configuration Manager to manage the configuration of network devices and support baseline management. But the team was not getting the right deviations. Instead of comparing devices against how they should look under current policy, they were only seeing how devices looked before and after a change. That left too much room for compliance risk.

The deeper issue was how devices were being categorized.

Without clear baselines for groups of devices based on their function, baseline management became far too complex. When every device effectively becomes its own baseline, scale turns into overhead. For an organization managing thousands of devices, that model quickly becomes difficult to sustain.

The solution: a more flexible and scalable approach with ChangeGear

FP&L needed a better way to group assets, create policy-based baselines, and modernize how digital infrastructure was managed.

ChangeGear proved to be the most flexible and scalable solution.

FP&L implemented Service Desk, Asset Management, and CMDB. With ChangeGear’s CMDB, the company was able to create a single database with approximately 150 device baselines, making it easier to group and manage devices based on function rather than treating each one as a separate exception.

That shift was important.

Instead of relying on fragmented tools and single-point solutions, FP&L began building a more comprehensive approach to asset and change management. The team also identified ChangeGear 8 Change Manager for Business Compliance with Tripwire integration as a stronger path forward for business compliance and policy-driven control.

Using integration and automation to improve governance

One of the biggest advantages for FP&L was the ability to use ChangeGear’s no-code and low-code design to support enterprise monitoring and management with mostly out-of-the-box capabilities.

Integration with Tripwire added another important layer.

Using API functionality, ChangeGear and Tripwire were able to operate seamlessly together. This gave FP&L a more connected way to manage change, monitor infrastructure, and enforce authorization requirements across its environment.

That mattered because NERC CIP requires the company to record, track, and justify every one of the hundreds of ports, protocols, and services on its devices and networks. Expanding auditing capabilities was not optional. It was essential.

With ChangeGear and Tripwire in place, authorized requesters could submit white-listed change elements, while unauthorized requesters or unauthorized elements could be stopped immediately and trigger a condition report.

That is a significant improvement in control.

It means change processes become more disciplined, policy enforcement becomes more automated, and risk can be flagged before it spreads further into the environment.

A smarter way to handle risk mitigation

FP&L also needed a better way to manage defects that were not ready to move forward in the normal workflow.

This is where ChangeGear’s Flex module became especially valuable.

Using Flex, FP&L created a custom Mitigation module to handle risk mitigation cases. This module allowed the team to defer defects that were not yet ready to proceed while still keeping them visible, trackable, and managed inside the workflow.

That solved a real operational problem.

At FP&L, defects are time-sensitive and need to be addressed within 35 days of discovery. Previously, those items were being held in Excel spreadsheets stored on SharePoint. That gave the team a place to park them, but not a reliable way to report on them, track status cleanly, or manage them in an automated way.

With the Mitigation module, those special cases could now be handled in a far more structured and efficient manner. The result was less spreadsheet dependency, better tracking, and less manual effort.

The result: better risk mitigation, stronger auditing, better reporting

FP&L transformed how it approaches the management and security of digital infrastructure.

By replacing older systems and disconnected point solutions, the company created a more comprehensive way to manage assets and change. That helped FP&L more efficiently and effectively support the strict demands of NERC CIP while improving internal service and support.

Several benefits stand out.

Risk mitigation improved.
Workflows and authorizations became more automated.
Auditing capabilities expanded.
Reporting improved.

Just as importantly, the company created a more sustainable operational foundation for managing compliance at scale.

That is the real takeaway here. In a regulated utility environment, better tooling is not just about convenience. It is about making risk more manageable, improving visibility, and building a system that can keep pace with constant change.

Why this story matters

This story is bigger than one implementation.

It shows what happens when a large, highly regulated utility moves from fragmented tools and manual tracking to a more connected model for asset, change, and compliance management.

FP&L did not just modernize a platform. It improved how policy, change, risk, and infrastructure oversight work together.

For utilities facing similar pressures, that matters. Regulatory requirements are not getting lighter. Infrastructure environments are not getting simpler. And the cost of poor visibility continues to rise.

That is why platforms like ChangeGear matter in these environments. They help teams move from reactive documentation to proactive control.

Final thought

For utilities, digital infrastructure management is inseparable from reliability, compliance, and risk.

Florida Power & Light’s success story shows how a more flexible CMDB, stronger baseline management, automated authorizations, and better risk workflows can help support that mission.

In environments where every asset matters and every change carries weight, that kind of control is not optional.

It is essential.

Download the full case study here: https://www.serviceaide.com/success-stories/success-story---florida-power-light-cn6hj

‍