Terms of the
previous clearance remain in effect. The agency intends to issue a
final rule in response to comments addressing the proposed
amendments. When the agency resubmits on that rulemaking action, it
is strongly recommended that it substantively address public
comments and any related burden estimate changes in its
submission.
Inventory as of this Action | Requested | Previously Approved
09/30/2014 | 36 Months From Approved | 09/30/2014
1,501 | 0 | 1,501
819,840 | 0 | 819,840
5,261 | 0 | 5,261
The CIP Reliability Standards are
necessary to support the reliable operation of the Bulk-Power
System. In this NOPR in RM11-11, FERC proposes to approve Version 4
of the CIP Reliability Standards, CIP-002-4 through CIP-009-4. The
proposed Version 4 CIP Reliability Standards were developed and
submitted by NERC to FERC for approval. In general, the CIP
Reliability Standards provide a cybersecurity framework for the
identification and protection of Critical Cyber Assets to support
the reliable operation of the Bulk-Power System. In particular, the
Version 4 CIP Reliability Standards propose to modify CIP-002-4 to
include "bright line" criteria for the identification of Critical
Assets, in lieu of the currently-required risk-based assessment
methodology that is developed and applied by registered entities.
In addition, NERC developed proposed conforming modifications to
the remaining CIP Reliability Standards, CIP-003-4 through
CIP-009-4. FERC proposes to approve Version 4 of the CIP
Reliability Standards, the Violation Risk Factors (VRFs) and the
Violation Severity Levels (VSLs) with modifications, the associated
implementation plan, and the effective date for Version 4 CIP
Reliability Standards as proposed by NERC. The Commission also
proposes to approve the retirement of the currently effective
Version 3 CIP Reliability Standards, CIP-002-3 to CIP-009-3. While
FERC proposes to approve the Version 4 CIP Standards, like NERC,
the Commission recognizes that the Version 4 CIP Standards
represent an "interim step" to addressing all of the outstanding
directives set forth in Order No. 706. The Commission believes that
the electric industry, through the NERC standards development
process, should continue to develop an approach to cybersecurity
that is meaningful and comprehensive to assure that the nation's
electric grid is capable of withstanding a Cybersecurity Incident.
FERC expects NERC will continue to improve the CIP Reliability
Standards and to address all outstanding directives in Order No.
706.
How is the information used? Under the CIP Reliability Standards,
a registered entity is not required to "report" to the Commission,
ERO or the Regional Entities the various policies, plans, programs
and procedures to demonstrate compliance with the CIP Reliability
Standards. However, a registered entity is required to "produce"
the documented policies, plans, programs and procedures during a
periodic compliance audit or spot check, for example, to
demonstrate compliance with the CIP Reliability Standards.
Who uses the information? The registered entity utilizes the
information during a periodic audit to demonstrate compliance with
the CIP Reliability Standards.
Why is the information collected? The registered entity's purpose
in documenting policies, plans, programs and procedures is to
clearly establish for the auditors how the CIP Reliability
Standards are being followed.
What are the consequences of not collecting the information?
Without this documentation, the compliance enforcement authority
would have difficulty in verifying compliance with the CIP
Reliability Standards. Without the ability to verify compliance
with the CIP Reliability Standards, serious breaches in
cybersecurity could potentially compromise the reliable operation
of the Bulk-Power System.
As stated in the press release,
FERC "took steps to support continued transmission system
reliability by proposing revisions to eight critical infrastructure
protection reliability standards that include a new method of
identifying cyber assets that are critical to the nation's bulk
power grid. The proposed "Version 4" CIP standards are an interim
step, FERC said in directing the electric industry and the North
American Electric Reliability Corp. (NERC) to continue developing a
comprehensive approach to assure the grid can withstand a cyber
security incident. NERC is the Commission-certified electric
reliability organization responsible for developing and enforcing
mandatory reliability standards. The new standard would replace the
existing risk-based assessment methodology for identifying critical
assets with 17 uniform "bright line" criteria, making the process
more consistent and clear by limiting discretion in the
identification of such assets."
$1,575
No
No
No
No
No
Uncollected
Nicholas Snyder 202 502-6408
No
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number.
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.