In accordance
with 5 CFR 1320, the information collection is approved for three
years.
Inventory as of this Action
Requested
Previously Approved
06/30/2015
36 Months From Approved
09/30/2014
1,501
0
1,501
850,680
0
819,840
5,444
0
5,261
How is the information used? Under
CIP-002-4, registered entities create lists of Critical Assets and
Critical Cyber Assets. Entities that identified Critical Cyber
Assets must meet the requirements of CIP-003-4 through CIP-009-4.
These latter standards deal with areas such as personnel training,
systems security and physical perimeter security. In all cases
entities generate documentation that they keep to show compliance
with the requirements of the standards Who uses the information?
The registered entity uses the information to demonstrate
compliance. The compliance enforcement authority reviews the
information. Why is the information collected? The registered
entities document the policies, plans, programs and procedures to
clearly show compliance with the CIP Reliability Standards. What
are the consequences of not collecting the information? Without
this documentation, the compliance enforcement authority would have
difficulty in verifying compliance with the CIP Reliability
Standards. Without the ability to verify compliance with the CIP
Reliability Standards, serious breaches in cyber security could
result and compromise the reliable operation of the Bulk-Power
System.
In the final rule in RM11-11,
FERC adopts revisions to eight CIP Reliability Standards that
include a new method of identifying cyber assets that are critical
to the nation's Bulk-Power System. The new Version 4 CIP
Reliability Standards replace the existing risk-based assessment
methodology for identifying Critical Assets with 17 uniform "bright
line" criteria, making the process more consistent and clear by
limiting discretion in the identification of such assets.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
RM11-11_SS_Final_4-27-12b.doc
CIP-002 - 009-4.pdf
FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection