FERC-603 OMB Just. 2008

12

5816. JUSTIFICATION

1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY

Shortly after the attacks on September 11, 2001, the Commission began its efforts with respect to CEII.² As a preliminary step, the Commission removed from its public files and Internet page documents such as oversized maps that were likely to contain detailed specifications of facilities, and directed the public to use the Freedom of Information Act (FOIA) request process to obtain such information.³ The Commission was not alone in its reaction to protecting sensitive information. The Associated Press reported on October 12, 2001, that "Federal agencies are scrutinizing their Web sites and removing any information they believe terrorists might use to plot attacks against the nation. Federal agencies have been reviewing their sites in the wake of the terrorist attacks." The report referred to action by the Nuclear Regulatory Commission, the Environmental Protection Agency, the Centers for Disease Control and Prevention, and the United States Department of Transportation Office of Pipeline Safety. Since September 11, 2001, our country fortunately has not experienced any attacks as devastating as the ones experienced on that day. Concerns about threats to the energy infrastructure over which the Commission has regulatory responsibilities, however, still exist.

The Commission established its CEII rules in Order Nos. 630 and 630-A..⁴ The current procedures require that each CEII requester file a signed, written request in which he or she provides to the CEII Coordinator detailed information about himself or herself and his or her need for the information, along with an executed non-disclosure agreement. Commission staff verifies and utilizes this information to determine whether to release the CEII to the requester. The current process requires that Commission staff verify each requester when each request is made. Information provided to the Commission in FERC-603 is necessary to the verification process and essential to keeping sensitive information out of the hands of individuals that may do harm to this nation.

Information exempt from disclosure under the Freedom of Information Act (FOIA)

FOIA Exemption 2

FOIA Exemption 2 exempts from disclosure certain information concerning an agency's personnel rules and practices. The Department of Justice (DOJ) has provided guidance to agencies and instructed them to take full advantage of Exemption 2's protection for critical infrastructure information. Specifically, DOJ's guidance has stated "[a]ny agency assessment of, or statement regarding, the vulnerability of such a critical asset should be protected pursuant to Exemption2."⁵ The Commission believes that a portion of the CEII removed from public access may be exempt from disclosure under Exemption 2 of FOIA.

FOIA Exemption 4

FOIA Exemption 4 protects trade secrets and commercial or financial information. The Commission has determined that much of the information that maybe withheld as CEII may fall within the scope of Exemption 4, because release of the information could cause competitive harm to submitters, impair the Commission's ability to obtain similar information in the future, or impair the effectiveness of the Commission's programs. Inappropriate release of CEII could render the infrastructure more vulnerable to attack, threatening the energy industry and domestic power grid, resulting in potentially devastating economic and environmental consequences.

FOIA Exemption 7

FOIA Exemption 7 exempts from disclosure certain information compiled for law enforcement purposes. In order to invoke Exemption 7, the agency must be able to demonstrate that the document at issue involves records or information compiled for law enforcement purposes. The Commission has very broad authority to enforce the provisions of the Federal Power Act and the Natural Gas Act. For instance, under the Federal Power Act, the Commission (1) monitors and investigates compliance with licenses, exemptions and preliminary permits it issues, 16 U.S.C. 823b; (2) determines just and reasonable rates, 16 U.S.C. 824e; and (3) ensures compliance with the Act and regulations issued there under, 16 U.S.C. 825m, 825o-l. Similarly, with respect to natural gas, the Commission has broad authority (1) to determine whether rates and charges are just and reasonable, 15 U.S.C. 717c; and (2) to enforce violations of the statute or regulations issued there under, 15 U.S.C. 717s. Thus, given its broad enforcement authority, much of the information the Commission collects qualifies as information collected for a law enforcement purpose. Further, many of the documents containing critical energy infrastructure information enjoy protection under FOIA Exemption 7(F), which allows for withholding documents the release of which could reasonably be expected to endanger a person's life or safety.

Given that an attack on the energy infrastructure is a legitimate threat, the Commission believes that release of the information could facilitate or increase the likelihood of the success of such an attack and could be expected to endanger life and safety of people. The failure of a dam could cause flooding that would endanger lives, as could the explosion of a natural gas pipeline. Interruptions to gas and electric power supplies likewise could endanger lives of those reliant on power, especially in times of extreme hot or cold weather. For these reasons, the Commission believes the information identified as CEII may qualify for protection under Exemption 7(F).

RM02-4-000 Final Rule

On March 3, 2003, in Order No. 630, RM02-4-000, the Commission revised the definition of CEII, enlarging the definition to include information about proposed facilities, while, at the same time, contracting the definition to exclude information that simply gives the location of a particular facility. While recognizing that requesters remain free to request documents under the FOIA, the final rule instituted a new, non-FOIA avenue for seeking access to CEII. The FOIA is of questionable use when a document contains CEII because, by definition, CEII encompasses only information that is exempt from mandatory disclosure under the FOIA. The non-FOIA avenue enables requesters with a need for information that is exempt from disclosure under the FOIA to obtain the information, subject to appropriate restrictions on use and disclosure of the information. Agencies releasing information under a FOIA request must generally release the information to all requesters. In addition, the agency may not restrict the recipient's use or dissemination of that information. If the Commission wishes to make otherwise exempt information available to a particular requester based on that requester's need for the information, or wishes to limit the recipient's use and dissemination of exempt information, it must do so outside of the confines of the FOIA.

RM02-4-002 Final Rule

On August 3, 2004, in Order No. 649, RM02-4-002, the Commission revised its regulations for gaining access to CEII and committed to continue monitoring and reviewing the CEII program to examine the effectiveness of the rules within one year. In order to facilitate the review, the Commission issued a notice soliciting public comment on the effectiveness of the CEII process. (See item no. 8 of this justification.) The first CEII review was initiated with a notice soliciting public comment that was issued on February 13, 2004.⁶ After reviewing the comments received, the Commission made a few changes to the CEII process in Order No. 649⁷ The Commission changed the treatment of boundary maps from CEII to Non-Internet Public (NIP). FERC also agreed that federal agencies would not have to file more than one request for CEII in one docket, and that agents and owners and operators of facilities could get information on their client’s facilities outside the CEII process with written authorization from the owner/operator.

RM02-4-003 Final Rule

On June 21, 2005⁸, in Order No. 662, RM02-4-003, the Commission further amended its regulations for gaining access to CEII. These changes were made based on comments filed in response to the March 3, 2005 notice seeking public comment on the effectiveness of the Commission’s CEII rules. The final rule removed federal agency requesters from the scope of the rule, modified the application of NIP treatment, and clarified obligations of requesters. It also discussed changes that will be made to non-disclosure agreements.

RM06-24-000 Final Rule

On September 21, 2006, in Order No. 683, RM06-24-000, the Commission made additional amendments to its regulations for gaining access to CEII by clarifying the definition of CEII to exclude information that the Commission never intended to be deemed as containing critical infrastructure information. In addition, procedural changes were made based on over three years experience processing CEII requests. These changes simplify the procedures for obtaining access to CEII without increasing vulnerability of the energy infrastructure.

RM06-23-000 Final Rule

On October 30, 2007,⁹ in Order No. 702, RM06-23-000, the Commission significantly amended its regulations for gaining access to CEII. In order to facilitate the review, the Commission issued a notice soliciting public comment on the effectiveness of the CEII process. (See item no. 8 of this justification.) The final rule: modified non-disclosure agreements; modified the Commission’s process to allow the CEII Coordinator to respond to CEII requests by letter; provided landowners access to alignment sheets for the routes across or in the vicinity of their properties; included a fee provision; limited the portions of forms and reports the Commission defines as containing CEII; and eliminated as a category of documents the Non-Internet Public designation.

Order No. 702 changed the Commission’s regulations in three ways that will decrease the frequency and time spent on the CEII request form. First, the final rule provided that the Commission will seek a requester’s date and place of birth on a case-by-case basis rather than require that information with every request for CEII and eliminated the request for social security numbers. Experience in processing requests for CEII since issuance of Order No. 630 had shown that the legitimacy of a particular requester can usually be determined from information other than the requester’s date and place of birth. However, occasionally, a date and place of birth are needed to assess the legitimacy of a requester. Therefore, the Commission revised 18 C.F.R. § 388.113(d) of the regulation to obtain that information on a case-by-case basis rather than obtain it in every instance. In response to this final rule, the CEII request form was amended to eliminate the space for individuals to provide their date of birth, place of birth, and social security number. Therefore, the final rule limited the burden imposed on requesters of CEII.

Second, the Commission revised its regulations to allow an annual certification for repeat requesters, i.e., repeat requesters would not be required to file a new non-disclosure agreement with each subsequent request. The previous regulation sets forth a process where a requester provides to the CEII Coordinator detailed information about the requester and his or her need for the information, which the CEII Coordinator uses in determining whether to release the information. The revised regulation provides that a requester provide such detailed information with an initial request. Once the CEII Coordinator determines that the requester does not pose a security risk, the requester would not have to provide such detailed information with subsequent requests during the calendar year. This will decrease the use of the CEII request form.

Finally, the Commission revised its regulations to allow an authorized representative of an organization to file a CEII request on behalf of all that organization’s employees. The Commission would verify an organization and require that the organization verify its own users. Therefore, individuals from that organization would no longer be required to submit individual CEII request forms decreasing the overall use of the request form.

2. HOW, BY WHOM, AND FOR WHAT PURPOSES THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

The Commission added 18 C.F.R. § 375.313 to its regulations to authorize a Critical Energy Infrastructure Information Coordinator (currently the Director, External Affairs) to process non-FOIA requests for CEII and make determinations on such requests. 18 C.F.R. § 388.113 (d) (3) sets forth a process where requesters provide the CEII Coordinator information about themselves and their need for the information. The CEII coordinator uses the information to make a determination as to whether to release the information.¹⁰ If the requester is determined to be eligible to receive the information requested, the CEII Coordinator will determine what conditions, if any, to place on release of the information. Where appropriate, the CEII Coordinator will forward a non-disclosure agreement to the requestor for execution of the request. Once the requestor signs any required non-disclosure agreement, the CEII Coordinator will make the critical energy infrastructure information available to the requester.

Through this data collection process, the Commission is able to provide information to individuals who need it to participate in Commission's proceedings, but who might not otherwise have access to the information under FOIA. Without this information, the Commission would not the ability to provide information in an efficient manner to those with a specific need for it. Likewise, if the Commission were to rely solely on FOIA procedure it would not be able to restrict general public access to critical energy infrastructure information which could then be accessed by persons with the ability to attack that infrastructure. Failure to institute these procedures would mean that FERC is unable to discharge its responsibilities to protect critical information.

.

2. DESCRIBE ANY CONSIDERATION FOR THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN

There is an ongoing effort to determine the potential and value of improved information technology to reduce the burden. As the Commission increases its use of electronic media for filing, storage, retrieval, and tracking of information and documents, greater uniformity in filing procedures, wherever practical, will greatly expedite and simplify this conversion to electronic media. The Commission has provided those entities who file documents with the Commission, the option of submitting them either in hard copy or electronic media.

2. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2.

The information requested here cannot be obtained from other sources as the information is specific to each requester either seeking CEII data or requesting that the documents they are submitting to the Commission be classified as CEII. However, it should be noted that all Commission public information collections are subject to analysis and review by Commission staff and are examined for redundancy. Further, Commission staff conducted an internal review of this collection of information to determine its necessity in meeting the strategic objectives of the Commission.

2. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES

The Commission believes that the information to be provided by requesters

seeking CEII will not impose an undue burden on "small business concerns" under the Regulatory Fairness Act (RFA). For those entities seeking privilege treatment of their documents, the only modification the Commission is making to its filing requirements is to require requesters to identify what information should be classified as CEII and provide a justification for that classification. Filers already follow similar procedures under 18 CFR § 388.112 when seeking to have the information within their documents classified as "confidential" information.

2. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY

It is not possible to collect this data with less frequency. The Commission has no

control over when a requester submits a CEII data request. The Commission believes the required information will impose the least possible burden for the public and regulated entities to comply with the Commission's CEII policies.

2. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION

(a) An original and fourteen copies are required to be submitted to the Commission for documents for which privileged treatment is sought if the documents are in hard copy. A filer is to submit a written statement requesting privileged treatment for some or all of the information in the documents, and the justification for non disclosure of the information. The original document is to be marked on the front page with either "Contains Privilege Information-Do not Release" or "Contains Privileged Critical Energy Infrastructure Information-Do Not Release" and identifying information within the document for which the privilege privileged treatment is sought. In addition, filers have the option of filing the information electronically, but they also have to provide a separate written statement with the same information as noted above. The original goes to the FERC’s document management system, eLibrary. One copy is distributed to the Public Reference Room for public inspection. Another copy is distributed to the Office of General Counsel for legal review. The remaining copies are distributed to the Commission's program office for technical review by analysts.

2. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND AGENCY'S RESPONSE TO THESE COMMENTS

On March 3, 2005,¹¹ the Commission issued a Notice of Inquiry (NOI) in RM02-4-003 to determine what changes, if any, should be made to its regulations to restrict unfettered general public access to critical energy infrastructure information, but still permit those with a need for information to obtain in an efficient manner. The NOI set forth the Commission's general views on how it treats previously public documents, and asked specific questions on the scope and implications of maintaining the confidentiality of certain documents that previously had been made public but were removed from easy public access on October 11, 2001. Fifteen entities responded to the NOI and their comments were addressed in Order No. 662 (mentioned above).

1. On September 21, 2006,¹² the Commission issued a Notice of Proposed Rulemaking (NOPR) in RM06-24-000 on its procedures for dealing with CEII. Specifically the Commission proposed to revise its regulations to: allow an annual certification for repeat requesters of CEII; allow an authorized representative to file an executed non-disclosure agreement; make the FOIA fee schedule applicable to CEII requests; provide CEII appeal rights that are compatible with FOIA appeal rights; grant landowners the right to obtain alignment sheets directly from Commission staff; and abolish the non-Internet public category of information. This NOPR also sought comments on the CEII portions of various forms and reports submitted to the Commission After receiving 15 comments in response to the NOPR, the Commission amended and clarified 18 CFR § 388.113 and its CEII process in Order No. 702 (mentioned above).

In accordance with OMB requirements in 5 C.F.R. 1320.8(d), the reporting requirements for FERC-603 were noticed in the Federal Register on February 14, 2008 (73 FR 8651-8652). The Commission did not receive any comments in response to that notice.

2. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS

Not applicable. The Commission does not provide compensation or remuneration to entities subject to its jurisdiction.

2. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS

The Commission's existing regulations at 18 C.F.R. § 388.112 provide a process for filers to submit documents with a request for privileged treatment. The Commission proposes to amend 18 C.F.R. § 388.112 to clarify those claims for privileged treatment should indicate whenever a filing contains CEII. Because the Commission adopted the approach in 18 C.F.R. § 388.112 for filing CEII, it does not specify how the filer should segregate or redact non-public information from the rest of the filing. As with non-CEII, the filer must in the first instance decide whether to have a separate non-public appendix, or to just redact non-public information from the filing. The Commission will not tolerate filers invoking CEII inappropriately by sweeping non-CEII (or other legitimate confidential information) under the CEII heading.

2. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE THAT ARE CONSIDERED PRIVATE.

There are no questions of a sensitive nature that are considered private.

2. ESTIMATED BURDEN ON COLLECTION OF INFORMATION

OMB Current

Inventory: 182 1 .25 46

Program Change: 0 0 0 0

Adjustment: +18 1 +.05 +14

The Commission anticipates that it should take no more than 20 minutes to prepare and submit a CEII data request, which is an increase from the previous estimate of 15 minutes, due to the elimination of the requirement to submit date of birth, place or birth, and social security number, pursuant to Order No. 702 and the increase time spent in filling out the non-disclosure agreement and listing business references.

The Commission did not include an estimate for filers who seek their documents or portions of them to be classified as CEII. They currently follow similar procedures for "confidential" information.

2. ESTIMATED OF THE TOTAL COST BURDEN TO RESPONDENTS

Annualized Capital/Startup Costs== $3,000 (60 hours @ $50 hourly rate). Cost per respondent = $15.00 ($3,000). Because the data requests maybe a one time request, the Commission does not anticipate ongoing maintenance costs for these data requests.

2. ESTIMATED ANNUALIZED COST TO THE FEDERAL GOVERNMENT

The costs to the Commission are for staffing requirements to review and prepare a response to CEII requests= $126,384. (1 FTE (full time equivalent employees) x $126,384).

2. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE

When the CEII data request was instituted in Order No. 630, the Commission anticipated 200 filings. In FY 2005 it received 548 requests for CEII, 303 requests in FY 2006, 279 requests in FY 2007 and to through March 30, 2008 CEII requests numbered 122 for an annual projection of 244 requests in FY 2008. As of March, 2008 there were 18 CEII requests pending. The vast majority of those were filed after January 1, 2008. With the changes adopted in Order, No. 702, the Commission anticipates that the number of CEII requests per year will return to a level of around 200 per year. For further discussion, see Background section above.

2. TIME SCHEDULE FOR THE PUBLICATION OF DATA

Schedule for Data Collection and Analysis

Estimated Activity Completion Time

CEII Data Request Filed on occasion

CEII Coordinator Response 20 days after receipt of the request as appropriate.

2. DISPLAY OF EXPIRATION DATE

The OMB control number and expiration date is displayed on the form. (See exhibit)

2. EXCEPTION TO THE CERTIFICATION STATEMENT

There are exceptions to the Paperwork Reduction Act Submission certification. Because the data collected for this reporting requirement is not used for statistical purposes, the Commission does not use the standard as stated in item 19(i) "effective and efficient statistical survey methodology."

2. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS.

This is not a collection of information employing statistical methods.

118 C.F.R. § 388.113(c) (1) defines CEII as information about proposed or existing critical infrastructure that (i) relates to the production, generation, transportation, transmission, or distribution of energy, (ii) could be useful to persons in planning an attack on critical infrastructure, (iii) is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552, and (iv) does not simply give the location of the critical infrastructure. 18 C.F.R. § 388.113(c)(2) defines "critical infrastructure" as

"existing or proposed systems and assets, whether physical or virtual, that are so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on the security, national economic security, national public health or safety, or any combination of those matters." The Commission uses the term "critical infrastructure" because it reflects the same definition used in sec. 1016(d) (Critical Infrastructure Protection Act of 2001) of the Uniting and Strengthening America by Providing Appropriate Tool to Intercept and Obstruct Terrorism Act. (USA Patriot Act) Pub. L. No. 107-56.

2 See Statement of Policy on Treatment of Previously Public Documents, 66 Fed. Reg. 52,917 (Oct. 18, 2001), 97 FERC ¶ 61,130 (2001).

3 The FOIA process is specified in 5 U.S.C. 552 and the Commission’s regulations at 18 CFR 388.108.

4 Critical Energy Infrastructure Information, Order No. 630, 68 Fed. Reg. 9,857 (Mar. 3, 2003), FERC Stats. & Regs. ¶ 31,140 (2003); order on reh’g, Order No. 630-A, 68 Fed. Reg. 46,456 (Aug. 6, 2003), FERC Stats. & Regs. ¶ 31,147 (2003).

5 DOJ 2001 FOIA Post 19, Posted October 15, 2001.

6 69 FR 8638 (February 25, 2004).

7 69 FR 48,386 (August 10, 2004).

8 70 FR 37031 (June 28, 2005)

9 72 FR 63980 (November 14, 2007)

10 Under § 388.113(d), a request filed with CEII coordinator must contain the following information: requester's name, title, address and telephone number; name, address and telephone number of the person or entity on whose behalf the information is requested; a detailed statement explaining the particular need for and intended use of the information; and a statement as to the requestor's willingness to adhere to limitations on the use and disclosure of the information requested.

11 70 FR 12867, March 16, 2005

12 71 FR 58325, October 3, 2006

12