Download:
docx |
pdf
FERC-725B,
OMB Control No. 1902-0248
Final
Rule in Docket No. RM13-5 (issued 11/22/2013)
RIN:
1902-AE66
Supporting
Statement
FERC-725B,
Mandatory Reliability Standards for Critical Infrastructure
Protection
(As
modified in the Final Rule in Docket No. RM13-5, issued 11/22/2013)
The
Federal Energy Regulatory Commission (Commission or FERC) requests
that the Office of Management and Budget (OMB) approve FERC‑725B,
Mandatory Reliability Standards for Critical Infrastructure
Protection (CIP),
for the revisions to the Reliability Standards found in the final
rule in Docket No. RM13-5.
FERC-725B
(OMB
Control No. 1902-0248) is an existing data collection, as contained
in 18 Code of Federal Regulations (CFR), Part 40.
CIRCUMSTANCES
THAT MAKE THE COLLECTION OF INFORMATION NECESSARY
On
August 8, 2005, The Electricity Modernization Act of 2005, which is
Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted
into law.
EPAct 2005 added a new section 215 to the Federal Power Act (FPA),
which requires a Commission-certified Electric Reliability
Organization (ERO) to develop mandatory and enforceable Reliability
Standards, which are subject to Commission review and approval. Once
approved by the Commission, the Reliability Standards may be enforced
by the ERO, subject to Commission oversight. The North American
Electric Reliability Corporation (NERC) is the Commission-certified
ERO.
On
January 18, 2008, the Commission issued Order No. 706, which approved
the CIP version 1 Standards to address cyber security of the
Bulk-Power System.
In Order No. 706, the Commission approved eight CIP Reliability
Standards (CIP-002-1 through CIP-009-1). While approving the CIP
version 1 Standards, the Commission also directed NERC to develop
modifications to the CIP version 1 Standards, intended to enhance the
protection provided by the CIP Reliability Standards. Subsequently,
NERC filed the CIP version 2 and CIP version 3 Standards in partial
compliance with Order No. 706. The Commission approved these
standards in September 2009
and March 2010,
respectively.
On
April 19, 2012, the Commission issued Order No. 761, which approved
the CIP version 4 Standards (CIP-002-4 through CIP-009-4).
Reliability Standard CIP-002-4 (Critical Cyber Asset Identification)
sets forth 17 uniform “bright line” criteria for
identifying Critical Assets. In the final rule in RM13-5, the
Commission approves NERC’s proposal to allow responsible
entities to transition from compliance with the currently-effective
CIP version 3 Standards to compliance with the CIP version 5
Standards. Thus, CIP-002-4 through CIP-009-4 will not become
effective, and CIP-002-3 through CIP-009-3 will remain in effect
until the effective date of the CIP version 5 Standards.
In
its petition to the Commission to approve the CIP version 5
standards, NERC states that it took into consideration the 4 years of
experience since the first CIP standards were implemented, “as
well as FERC directives…[and] developed the proposed CIP
version 5 standards to better protect the reliability of the nation’s
Bulk Electric System (“BES”) from cyber-attacks.”
NERC
goes on to state that:
The
improvements included in CIP version 5 reflect a maturity of the NERC
CIP program. While the general framework of the proposed standards
follow the organization of the previous CIP versions, a new process
is introduced in proposed CIP-002-05 for identifying and classifying
BES Cyber Systems according to “Low-Medium-High” impact.
Once BES Cyber Systems are identified, a Responsible Entity must then
comply with proposed CIP-003-5 to CIP-011-1, according to specific
criteria relating to impact and other characteristics such as
communications connectivity. As such, NERC and its stakeholders have
proposed the most comprehensive set of mandatory cybersecurity
standards ever utilized on a widespread basis in the electric
industry.
In
terms of information collection, the CIP standards require entities
to document their compliance with requirements and to develop cyber
security policies and procedures.
HOW,
BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE
CONSEQUENCES OF NOT COLLECTING THE INFORMATION
The
information collection requirements in the CIP version 5 standards
apply to entities registered as the following functions: balancing
authorities, distribution providers, generator operators, generator
owners, interchange coordinators (or interchange authorities),
reliability coordinators, transmission operators, and transmission
owners. Based on the NERC compliance registry, FERC estimates there
are 1,475 entities in the U.S. registered for at least one of the
functions listed above. Each of these entities is considered a
“respondent” for the purposes of fulfilling the paperwork
requirements.
The
cyber security policy, process, and procedure documentation required
by the CIP standards are the principal components of a cyber-security
program. The main use for the information generated is to achieve
and maintain a cyber-secure operational state, a process which
requires vigilant monitoring of activity against documented policies
and procedures. The information generated can also be used to show
auditors that required cyber security policies, processes, and
procedures are designed to achieve the requirement and are
implemented as designed. Similarly, the applicable compliance
enforcement authority (regional entity or NERC) relies upon any such
documentation it is shown to measure an entity’s compliance
with a given requirement. The information is also used for
evaluating reliability events or for enforcement actions.
If
the information collection requirements did not exist then it would
be difficult to monitor and enforce compliance with the standards
which could lead entities to relax their compliance with the
requirements. Also, creating and maintaining documentation is
integral to the task of performing cyber security, as reflected in
the fact that some of the reliability standards’ requirements
actually require an entity to create a document (as opposed to
documenting
compliance
with a requirement). Without such information collection an entity
may fail to perform actions that may affect the reliability and
security of the grid.
DESCRIBE
ANY CONSIDERATION OF THE USE OF IMPROVED INFORMATION TECHNOLOGY TO
REDUCE THE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING
BURDEN
The
use of current or improved technology is not covered in the CIP
Reliability Standards, and is therefore left to the discretion of
each responsible entity.
DESCRIBE
EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY
SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR
USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2
The
information collection requirements are unique to this reliability
standard and to this information collection. The Commission does not
know of any duplication in the requirements.
METHODS
USED TO MINIMIZE THE BURDEN IN COLLECTION OF INFORMATION INVOLVING
SMALL ENTITIES
The
CIP version 5 Reliability Standards generally do apply to small
entities, depending first on their registered function(s) and then on
the types of facilities they own. Nearly all of the small entities,
which are subject to the CIP version 5 standards, own only
facilities that should fall into the Low impact category for these
standards. This means the burden for these entities is relatively
minor compared with the rest of the applicable entities. The only
requirement CIP version 5 Reliability Standards impose on owners with
regard to their Low impact category facilities is to create and
implement policies
to protect their cyber assets. The requirements for Low impact
category facilities do not impose any specific, technical security
controls, which will provide small entities with more flexibility in
complying with the standards. As FERC stated in Order No. 761,
“…control systems that support Bulk-Power System
reliability are only as secure as their weakest links, and that a
single vulnerability opens the computer network and all other
networks with which it is interconnected to potential malicious
activity.”
Due to the inherent connectivity between entities that must occur to
operate the Bulk-Power System, the CIP version 5 Reliability
Standards cannot exclude entities based on size alone without
creating a weak point in the security of the Bulk-Power System that
can be exploited to navigate to higher value cyber systems.
NERC’s
Standard Drafting Team of technical experts considered the impact on
small entities when setting the cyber asset impact classification
levels and intended that the Low cyber assets would be provided with
the least effort and cost, compared to other impact levels.
CONSEQUENCE
TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY
As
stated in response to item #2, the documentation related to the CIP
reliability standards is an integral part of establishing and
maintaining cyber security. The power grid would be at greater risk
to cyber threats if the collection was conducted less frequently.
EXPLAIN
ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION
There
is one special circumstances as described in 5 CFR 1320.5(d)(2)
related to this information collection.
Entities
may have to submit to or show the auditors security or confidential
information that is related to the CIP standards. The general
practice is that the auditor often does not remove the information
from the site of the entity and, in any case, returns the
confidential information to the entity following the audit.
This
special circumstance is necessary to maintain an effective
cyber-security program.
DESCRIBE
EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND
THE AGENCY’S RESPONSE
The
ERO process to establish Reliability Standards is a collaborative
process with the ERO, Regional Entities and other stakeholders
developing and reviewing drafts, and providing comments, with the
final proposed standard, as approved by the ERO’s Board of
Trustees, submitted to the FERC for review and approval.
In addition, each FERC rulemaking (both proposed and final rules) is
published in the Federal
Register,
thereby providing public utilities and licensees, state commissions,
Federal agencies, and other interested parties an opportunity to
submit data, views, comments or suggestions concerning the proposed
collection of data.
The proposed rule was published in the Federal Register on April 24,
2013 (78 FR 24107). The Commission also issued an errata notice��1�
in this docket on May 5, 2013 correcting a few mistakes in the
proposed rule.
In
response to the NOPR, interested entities filed 62 comments. The
Commission summarized and responded to these comments in the final
rule.
Comments
regarding the information collection section of the rule
A
number of commenters take issue with the Commission’s choice to
evaluate the paperwork burden imposed in this Final Rule on an
incremental basis from the CIP version 4 Standards to the CIP version
5 Standards, rather than estimate the paperwork burden based on a
transition from the CIP version 3 Standards. In addition, various
commenters assert that the Commission underestimates the paperwork
and cost burdens imposed by the CIP version 5 Standards.
EEI
argues that comparing CIP version 5 to CIP version 4 “vastly
understates the burden and biases any realistic evaluation,”
and “strongly disagrees” with this basic assumption of
the estimated paperwork burden. EEI contends that a more realistic
and practical analysis would compare CIP version 3 and CIP version 5,
but admits that such a comparison would be problematic because the
design of the two versions are so different. Therefore, EEI urges
the Commission to evaluate the CIP version 5 Standards on their own
merits.
According to MidAmerican, the Commission’s comparison of the
two versions, and identification of the burden on responsible
entities based on the classes of facilities each group of entities
owns, “misses the mark” and, therefore, the Commission
grossly underestimated the burden to successfully implement the CIP
version 5 Standards.
Similarly, NRECA is unclear why the Commission chose to assess the
paperwork burden by comparing CIP version 4 and CIP version 5, noting
the differences between the two versions and the fact that CIP
version 4 will not be implemented. NRECA submits that an appropriate
analysis of burden should be based on the full cost of implementing
CIP version 5.
Tampa
states that the level of effort under the CIP version 5 Standards is
considerably higher than described in the NOPR due to the volume of
new entities and new facilities coming into scope. Tampa points out
that entities newly subject to the CIP Reliability Standards “will
have a steep learning curve and will need to purchase and install
automated workflow and document management systems, which will
require time and funding.”
Los
Angeles Department of Water and Power (LADWP) states that it expects
the impacts of implementing and complying with the CIP version 5
Standards will be substantial, largely resulting from two changes:
(1) the elimination of the current blanket exemption for non-routable
protocols, and (2) the new requirements in CIP-005-5 that require the
expanded use of electronic security perimeters.
LADWP estimates that it will make an initial investment of almost
$33 million for equipment, materials, and labor. LADWP also
estimates that it will spend $3 million annually for software
licenses and staff to monitor and implement the CIP version 5
Standards.
Commission
Determination
For
the reasons discussed below, the Commission adopts the Information
Collection Statement outlined in the Docket No. RM13-5-000 NOPR.
The
Paperwork Reduction Act only applies to the paperwork burden imposed
by a rule, it does not apply to the substantive requirements (non
paperwork burden) imposed by that rule.
Commenters generally argue that the Commission underestimates the
economic burden of the CIP version 5. However, no commenter provides
an analysis regarding the paperwork burden resulting from the
approval of the CIP version 5 Standards, as opposed to the
anticipated costs of full implementation. For example, NRECA states
that its data suggests that the costs associated with the CIP version
5 Standards are an order of magnitude greater than the NOPR
estimates. Likewise, LADWP provides a cost estimate for full
implantation including equipment, materials and labor, but does not
segregate out the paperwork burden relevant to the immediate
analysis. Because the Paperwork Reduction Act requires that the
Commission estimate the total average annual paperwork cost burden,
not the total estimated cost burden of the rule, arguing that the
cost of full compliance with CIP version higher than the estimated
paperwork
burden
does not negate the Commission’s Paperwork Reduction Act
estimate.
With
regard to MidAmerican’s and Tampa’s comments regarding
the costs associated with the expanded scope of the CIP version 5
Standards, the Commission recognized that the CIP version 5 Standards
offer a more comprehensive protection of the bulk electric system,
particularly due to the coverage of Low Impact assets. Statements
regarding the expanded scope of the CIP Reliability Standards alone,
without additional data, do not undermine the Commission’s
approach to estimating the paperwork burden associated with the CIP
version 5 Standards or the resulting paperwork burden estimate. The
Commission included the cost of developing and modifying the
documentation for the required policies, plans, programs and
procedures in the paperwork burden estimate, but did not include the
cost of substantive compliance with the CIP Reliability Standards.
Absent specific comments on the paperwork burden associated with the
CIP version 5 Standards, the Commission has no basis to amend the
NOPR estimate.
In
addition, multiple commenters argue that the Commission erred by
relying on a burden estimate based on a comparison of the CIP version
5 Standards to the CIP version 4 Standards since the CIP version 4
Standards will not take effect. The Commission reiterated that, in
considering and approving the CIP version 4 Standards, the Commission
already compared and accounted for the incremental cost burden
resulting from the change from the CIP version 3 Standards to the CIP
version 4 Standards. Therefore, any incremental change in paperwork
burden associated with the approval of the CIP version 5 Standards
will be relative to the burden imposed by the approval of the CIP
version 4 Standards, whether that change be positive or negative.
In
reply to concerns regarding potential cost increases associated with
changes we directed in the Final Rule, the Commission clarified that
any differences in cost will be evaluated at such time as NERC files
the directed changes with the Commission.
After
consideration of comments, the Commission adopted the NOPR proposal
for the information collection burden and cost as detailed in items
12-15 of this supporting statement.
EXPLAIN
ANY PAYMENT OR GIFTS TO RESPONDENTS
There
are no payments or gifts for respondents related to this collection.
DESCRIBE
ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS
As
stated in item #7, if a registered entity is required to disclose
security or confidential information during an audit, the general
practice is that the auditor returns that information to the entity
following the audit.
PROVIDE
ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE
There
are no questions of a sensitive nature that are considered private.
ESTIMATED
BURDEN OF COLLECTION OF INFORMATION
The
existing FERC-725B burden is 848,730 hours per year. This burden is
for paperwork compliance of version 4 of CIP Reliability Standards
(CIP version 4).
In
the final rule, the Commission approved a new version of the CIP
Reliability Standards. The Commission based its paperwork burden
estimates on the difference between the latest Commission-approved
(and OMB approved for the information collection requirements)
version of the CIP Reliability Standards (CIP version 4) and the
estimated paperwork burden resulting from CIP version 5 Reliability
Standards (CIP Version 5).
The
paperwork burden under CIP version 5 is different than that imposed
by CIP version 4. Under CIP version 4, all applicable entities must
first identify, by applying criteria specified in CIP-002-4, which of
the Cyber Assets they own are subject to the mandatory protections
specified in the remaining CIP standards. Those identified Cyber
Assets are termed Critical Cyber Assets (CCA) in CIP version 4. If,
upon completion of the required process in CIP-002-4, the entity has
identified at least one CCA, it must implement all mandatory
protections specified in the remaining CIP Reliability Standards with
respect to any identified CCA. If, on the other hand, the entity
determines that it does not own any CCAs, it is not required to
implement any of the protections specified in the remaining CIP
version 4 Standards.
By
contrast, CIP version 5 does not use the term CCA. Under CIP version
5, a responsible entity identifies Cyber Assets for protection by
applying the CIP-002-5 definitions and classification criteria. The
responsible entity is required to comply with at least some mandatory
protections in the remaining standards for all Cyber Assets
identified as BES Cyber Systems. The specific mandatory protections
with which the responsible entity must comply depends on whether the
Cyber Assets it owns and identifies as BES Cyber Systems are
classified as Low, Medium, or High impact by CIP-002-5 Attachment 1
(and
other characteristics detailed in various individual requirements).
Each responsible entity that owns Cyber Assets identified as BES
Cyber Systems will be concerned at least with the Low impact
classification.
Because
the change in paperwork burden between CIP version 4 and CIP version
5 differs depending upon the extent to which that entity had to
comply with CIP version 4, we delineate the registered entities into
three groupings related to their status under CIP version 4, as
follows:
Group
A:
Entities that are not subject to the CIP version 4 Standards, but
are subject to the CIP version 5 Standards. The Group A entities
consist of those Distribution Providers that are not also registered
for another CIP function, such as the Load Serving Entity function
(which is subject to CIP version 4). All of these entities are
concerned only with the Low classification because they do not own
any assets classified as Medium or High under CIP-002-5 Attachment
1.
Group
B: Entities
that are registered for functions subject to CIP version 4, but that
did not identify any CCAs under CIP-002-4. Therefore, Group B
entities do not own facilities that require the implementation of
mandatory protections specified by the remaining CIP version 4
Standards. Cyber Assets that would not have been subject to
mandatory protections under the CIP version 4 Standards are not
classified as High impact under the CIP version 5 Standards.
Therefore, Group B entities do not own any assets classified as High
impact by CIP-002-5 Attachment 1, and are subject to requirements
concerned with only the Low and potentially Medium impact
classifications (depending whether any assets they own meet the
Medium criteria).
Group
C: Entities
that are registered for functions subject to CIP version 4 and
that identify, upon completion of the CIP-002-4 analysis, at least
one asset as a CCA. Therefore, Group C entities own facilities that
require the implementation of the mandatory protections specified in
the remaining CIP version 4 Standards. Most types of Cyber Assets
that would been subject to mandatory protections under the CIP
version 4 Standards (all except blackstart generation and cranking
path facilities) are classified as either High or Medium impact
under the CIP version 5 Standards. Therefore, Group C entities
potentially own Cyber Assets that are classified as High or Medium
impact by CIP-002-5 Attachment 1, and are concerned with all three
impact classifications (depending on the extent to which the assets
they own meet the Medium or High criteria).
NERC
states on its website that, “All bulk power system owners,
operators, and users must comply with approved NERC Reliability
standards. These entities are required to register with NERC through
the appropriate regional entity.”
The NERC Compliance Registry as of February 28, 2013 indicated that
1,927 entities were registered for NERC’s compliance program.
Of these, 1,911 were identified as being U.S. entities. Staff
concluded that approximately 1,475 U.S. entities were registered for
at least one CIP-applicable function, and therefore must comply with
the proposed CIP version 5 Reliability Standards. Further, 1,414 are
subject to the currently approved CIP version 4. There is one
functional registration that was not subject to CIP version 4 (or
other prior versions) but which is now subject to CIP version 5, by
virtue of being added to the list of responsible entities under the
Applicability section of each of the CIP version 5 Standards
(Distribution Providers). However, many entities registered for the
Distribution Provider function are also registered for another
function that made them subject to CIP version 4 (and past versions).
The net difference (the entities registered such that they are
subject to CIP version 5 but are not subject to CIP version 4) is the
entities that constitute Group A (61 entities).
Consistent
with the Commission’s approach in Order No. 761 (CIP version
4),
we assume that 23 percent (325 unique entities) of the 1,414 US
entities subject to CIP version 4 identified CCAs (Group C). It
follows that the remaining 77 percent (1089 unique entities) of the
U.S. entities did not identify any CCAs under CIP version 4 (Group
B). This ratio factors into several of the calculations needed to
estimate the differences in effort among entities in Group B, as
compared to Group C.
To
estimate the change in paperwork burden between CIP version 4 and
proposed CIP version 5, we recognize that the entities in all groups
will undertake the following paperwork tasks to at least some extent:
1) create or modify documentation of processes used to identify and
classify the cyber assets to be protected under the CIP Reliability
Standards; 2) create or modify policy, process and compliance
documentation; and 3) create and maintain documentation related to
compliance activities. Entities have two years to comply with
requirements applicable to Cyber Assets classified as High or Medium,
and three years to comply with requirements applicable to those
classified as Low. We assume that entities with High or Medium
assets will incur burden over years one and two and entities with Low
assets will incur burden over years two and three.
We
estimate the level of paperwork burden for each Group as follows:
No
more than 10 percent of the Group A entities, and all of Group B &
C entities will own at least one subject facility classified as Low
under the CIP version 5 Standards. We estimate 24 hours
per entity to develop its evaluation process documentation for
identifying the facilities subject to the standard, and 1,024 hours
to develop the required documentation for covered assets. We divide
the total burden hours between the second and third years of the
compliance period allowed for the facilities classified as Low
because this is when we assume the entities will do the work.
The
burden hours for facilities classified as Medium and High are split
between the first and second year, since Groups B and C are allowed
a 24-month period to bring facilities into compliance. (The third
year figure shown for these rows represents an ongoing effort
level). Except for Group C Blackstart facilities (see bullet on
Blackstart facilities below), we assume 32 hours
per entity for modification of its evaluation process documentation
since CIP version 4 Standards require entities to have a similar
process for entities in this group.
We
assume no more than 30 percent of Group B and Group C entities will
own one or more of the newly covered transmission facilities
classified as Medium. For those Group B entities that do, we assume
3,200 hours
to develop the required policy, compliance and implementation
documentation for the 10 standards, and 832 hours
per entity for ongoing compliance burden. For those Group C
entities that do, we assume 832 hours
per entity for ongoing compliance burden. Group C compliance and
implementation documentation was required for CIP version 4
Standards, and the burden increase for CIP version 5 Standards is
shown below.
With
respect to the Blackstart facilities owned by Group C entities, we
assume 160 hours
per entity to modify policy and evaluation process documentation.
We also assume a reduction
of 728 hours
per entity for ongoing compliance documentation that is required
under the currently approved CIP standards but is no longer required
under CIP version 5.
For
Group C’s Medium and High facilities, we assume 1,600 hours
per entity to modify the required policy, compliance, and
implementation documentation, and 416 hours
per entity for ongoing compliance.
The
estimated paperwork burden changes for these entities, as contained
in the final rule in RM13-5-000, are illustrated in the table below.
The information collection burden also varies according to the types
of facilities the entities own, as classified by the criteria in
CIP-002-5, Attachment 1. To further refine our estimate, we indicate
the classes of facilities each group of entities owns in the second
column of the table below.
Groups
of Registered Entities
|
Classes
of Entity’s Facilities Requiring CIP Version 5 Protections
|
Number
of Entities
|
Total
Hours in Year 1 (hours)
|
Total
Hours in Year 2 (hours)
|
Total
Hours in Year 3 (hours)
|
Group
A
|
Low
|
61
|
0
|
3,804
|
3,804
|
Group
B
|
Low
|
1,089
|
0
|
570,636
|
570,636
|
Group
B
|
Medium
|
260
|
128,960
|
128,960
|
64,896
|
Group
C
|
Low
|
325
|
0
|
170,300
|
170,300
|
Group
C
|
Medium
(New)
|
78
|
1,248
|
1,248
|
19,136
|
Group
C
|
Low
(Blackstart)
|
283
|
22,640
|
22,640
|
-206,024
|
Group
C
|
Medium
or High
|
325
|
265,200
|
265,200
|
135,200
|
Totals
|
|
|
418,048
|
1,162,788
|
757,948
|
The
following shows the average annual cost burden (averaged over Years
1-3 and rounded for hours/entity) for all entities within the group,
based on the burden hours in the table above:
Group
A: 61 unique entities * 41.5 hrs/entity * $72/hour = $182,000
Group
B: 1,089 unique entities * 448 hrs/entity * $72/hour = $35,127,000
Group
C: 325 unique entities * 889 hrs/entity * $72/hour = $20,803,000
Total
average annual paperwork cost for the change in requirements
contained in the final rule in RM13-5 = $56,112,000. (i.e., $182,000
+ $35,127,000 + $20,803,000).
The
estimated hourly rate of $72 is the average loaded cost (wage plus
benefits) of legal services ($128.00 per hour), technical employees
($58.86 per hour) and administrative support ($30.18 per hour), based
on hourly rates and average benefits data from the Bureau of Labor
Statistics.
The
existing burden hours for FERC-725B are 848,730. In this clearance
package, we request a 301,094 hour downward adjustment, and a 779,595
hour program increase, as explained in item #15.
ESTIMATE
OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS
The
main potential non-labor cost is for electronic record storage. The
Commission considers any cost related to storing CIP standard
documents to be negligible and is removing the record retention cost
that had been included for a previous version of the CIP standards.
There
are no other non-labor costs associated with the CIP version 5
standards.
ESTIMATED
ANNUALIZED COST TO FEDERAL GOVERNMENT
The
CIP Reliability Standards do not require any information to be
submitted to FERC. Most of the FERC cost pertaining to the CIP
standards relates to violation reporting or other compliance
monitoring and review activities, all of which are contained in the
FERC-725 collection (OMB Control No. 1902-0225).
FERC
does incur costs in maintaining this collection of information
current with OMB as indicated in the following table.
FERC-725B
Federal Cost
|
Estimated
Annual Federal Cost
|
PRA
Administration Cost
|
$2,250
|
REASONS
FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE
FERC
has issued a final rule which adopts the CIP version 5 Reliability
Standards. As discussed previously, these standards are an
improvement over the current Version 4 standards. The CIP version 5
standards require new and ongoing paperwork burden.
FERC
is averaging the estimated burden hours from the proposed rule across
the first three years to create an annual figure to provide to OMB.
This annual figure is 779,595 hrs [(418,048 hrs + 1,162,788 hrs +
757,948 hrs)/3 = 779,595 hrs]. After the first three years, entities
will have completed implementation of CIP version 5 (a total of
383,543 hours) and will continue with ongoing burden unless other
changes are made.
FERC
proposes to add the annual hours from the final rule, 779,595 hours,
to an adjusted baseline of burden hours under the existing CIP
standards. The current burden inventory shows 848,730 hours. FERC
is adjusting the existing hours based upon careful review of the
assumptions used to generate the previous estimates.
In
particular, one of the assumptions was that entities would incur the
full burden of preparing for an audit each
year
instead
of every 3-5 years. A small fraction of entities may be responsible
for multiple functions and be audited on a more frequent basis but
this is the exception and not the rule. We account for that in the
adjusted figure. The total burden reduction for modifying this
assumption is 429,600 hours.
Also,
the assumptions did not include some of the yearly burden required
to keep documents up to date for future audits. The change here
leads to a 143,208 hour increase.
Finally,
there are an estimated net 26 fewer entities now than there were the
last time OMB approved this collection (a reduction from 1,501 to
1,475). This change leads to a 14,702 hour burden reduction. CIP
version 5 adds 61 entities leading to an overall change of -26
entities. The general reason for the reduction in entities is
caused by some entities merging and some entities dropping from the
market.
The
total change due to agency adjustment is -301,094 hours (143,208
hours – 429,600 hours – 14,702 hours = -301,094 hours).
See the spreadsheet attached to this package for more details
regarding this agency adjustment change.
FERC
does not consider there to be any additional non-labor costs for CIP
version 5. The removal of the annual cost burden below is due to a
staff review determining that any non-labor hour costs are
negligible.
This
table shows the adjustments and discretionary changes to the burden
estimates, as described in this document.
FERC-725B
|
Total
Request
|
Previously
Approved
|
Change
due to Adjustment in Estimate
|
Change
Due to Agency Discretion
|
Annual
Number of Responses
|
1,475
|
1,501
|
-87
|
61
|
Annual
Time Burden (Hr)
|
1,327,231
|
848,730
|
-301,094
|
779,595
|
Annual
Cost Burden ($)
|
0
|
5,444
|
-5,444
|
0
|
TIME
SCHEDULE FOR PUBLICATION OF DATA
There
are no publications of data as part of this collection.
DISPLAY
OF EXPIRATION DATE
It
is not appropriate to display the expiration date because the
information is not collected on a preformatted form or in any format
that would allow for such a display.
EXCEPTIONS
TO THE CERTIFICATION STATEMENT
The
Commission does not use statistical methods for this collection.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Modified | 0000-00-00 |
| File Created | 2021-01-28 |