FERC-603 Supporting Statement (2014)

FERC-603 (OMB Control No. 1902-0197)

Updated 6/12/14

1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY

18 C.F.R. § 388.113(c) (1) defines Critical Energy Infrastructure Information (CEII) as information about proposed or existing critical infrastructure that (i) relates to the production, generation, transportation, transmission, or distribution of energy, (ii) could be useful to persons in planning an attack on critical infrastructure, (iii) is exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552, and (iv) does not simply give the location of the critical infrastructure. 18 C.F.R. § 388.113(c)(2) defines "critical infrastructure" as:

"existing or proposed systems and assets, whether physical or virtual, that are so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on the security, national economic security, national public health or safety, or any combination of those matters."

The Commission uses the term "critical infrastructure" because it reflects the same definition used in sec. 1016(d) (Critical Infrastructure Protection Act of 2001) of the Uniting and Strengthening America by Providing Appropriate Tool to Intercept and Obstruct Terrorism Act. (USA Patriot Act) Pub. L. No. 107-56.

Shortly after the attacks on September 11, 2001, the Commission began its efforts with respect to CEII.¹ As a preliminary step, the Commission removed from its public files and Internet page documents such as oversized maps that were likely to contain detailed specifications of facilities, and directed the public to use the Freedom of Information Act (FOIA) request process to obtain such information.² The Commission was not alone in its reaction to protecting sensitive information. The Associated Press reported on October 12, 2001, that "Federal agencies are scrutinizing their Web sites and removing any information they believe terrorists might use to plot attacks against the nation." The report referred to action by the Nuclear Regulatory Commission, the Environmental Protection Agency, the Centers for Disease Control and Prevention, and the United States Department of Transportation Office of Pipeline Safety. Since September 11, 2001, our country fortunately has not experienced any attacks as devastating as the ones experienced on that day. Concerns about threats to the energy infrastructure over which the Commission has regulatory responsibilities, however, still exist.

Information provided to the Commission in FERC-603 is necessary to the verification process and essential to keeping sensitive information out of the hands of individuals that may do harm to this nation.

The Commission implemented the FERC-603 collection in Order No. 630 (RM02-4-000), creating a process for requesters to gain access to CEII. Since that time, the Commission has issued several orders refining and simplifying the CEII process. For example, in Order No. 702 the Commission eliminated the requirement for several fields on the CEII request form, making those fields necessary on a case-by-case basis. Order No. 702 also allowed annual certification for repeat requesters, i.e., repeat requesters are no longer required to file a new non-disclosure agreement with each subsequent request. This decreased the use of the CEII request form. Finally, in the same order the Commission revised its regulations to allow an authorized representative of an organization to file a CEII request on behalf of all that organization’s employees. Therefore, individuals from that organization are no longer required to submit individual CEII request forms which decreased the overall use of the request form.

In 2013, the online CEII request form was redesigned (with no substantive changes) to allow requestors to add additional users more easily.

For more information regarding the changes to the CEII process since its inception please see http://www.ferc.gov/legal/maj-ord-reg/land-docs/ceii-rule.asp.

2. HOW, BY WHOM, AND FOR WHAT PURPOSES THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

A Critical Energy Infrastructure Information Coordinator (currently the Director, External Affairs) is authorized by 18 C.F.R. § 375.313 to process non-FOIA requests for CEII and make determinations on such requests. 18 C.F.R. § 388.113 (d) (3) sets forth a process where requesters provide the CEII Coordinator information about themselves and their need for the information. The CEII coordinator uses the information to make a determination as to whether to release the information.³ If the requester is determined to be eligible to receive the information requested, the CEII Coordinator will determine what conditions, if any, to place on release of the information. Filers requesting CEII must also be willing to sign a non-disclosure agreement.

Through this data collection process, the Commission is able to provide information to individuals who need it to participate in Commission's proceedings, but who might not otherwise have access to the information under FOIA. Without this information, the Commission would not have the ability to provide information in an efficient manner to those with a specific need for it. Likewise, if the Commission were to rely solely on FOIA procedure it would not be able to restrict general public access to critical energy infrastructure information which could then be accessed by persons with the ability to attack that infrastructure. Failure to institute these procedures would mean that FERC is unable to discharge its responsibilities to protect critical information.

2. DESCRIBE ANY CONSIDERATION FOR THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN

Requests for access to CEII material can be filed electronically or in hard copy. Approximately 95% of the requests are submitted electronically with the remaining requests coming in via fax or hard copy.

2. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2.

The information requested here cannot be obtained from other sources as the information is specific to each requester seeking CEII. However, it should be noted that all Commission public information collections are subject to analysis and review by Commission staff and are examined for redundancy.

2. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES

The Commission believes that the information to be provided by requesters seeking CEII will not impose an undue burden on "small business concerns" under the Regulatory Flexibility Act (RFA).

2. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY

It is not possible to collect this data with less frequency. The Commission has no control over when a requester submits a CEII data request. The Commission believes the required information will impose the least possible burden for the public and regulated entities to comply with the Commission's CEII policies.

2. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION

There are no special circumstances related to this collection of information.

2. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND AGENCY'S RESPONSE TO THESE COMMENTS

In accordance with OMB requirements, the Commission published a 60-day notice⁴ and a 30-day notice⁵ to the public regarding this information collection on 2/11/2014 and 5/9/2014 respectively. Within the public notices, the Commission noted that it would be requesting a three-year extension of the public reporting burden.

Comment in response to the 60-day notice.

The Commission received a comment from Southern Company Services, Inc. (SCS). SCS, as agent for Alabama Power Company, Georgia Power Company, Gulf Power Company, Mississippi Power Company, and Southern Power Company, serves the electricity needs of more than 4.4 million retail customers in the southeastern United States. SCS is a NERC-registered entity subject to the mandatory NERC reliability standards for generation and transmission owners and operators as well as other NERC-registered functions.

SCS states that it agrees with Acting Chairman LaFleur’s recent statement on the publication of the Wall Street Journal article about Grid Security (March 12, 2014), as well as her call for a more clearly defined exemption under FOIA for CEII. SCS states that until such an exemption is legislatively created, one additional step the Commission should consider to protect CEII and other sensitive information would be to only collect such information when absolutely necessary. Instead, where appropriate, the Commission may consider alternatives such as on-site reviews, webinars, and other technological solutions that allow the Commission to view such information without having to possess the information in its records. Such steps may mitigate the chances that CEII and other sensitive information could end up in the wrong hands or be released to the public, thereby endangering the reliability of the electric grid.

SCS also states that the more steps the Commission can take to minimize inappropriate public access to CEII and other sensitive information, the less likely it is that such information can be used to harm the electric reliability of the grid, thereby imposing additional costs on generation and transmission owners and operators, and thus the ratepayer. By leveraging emerging technologies in ways that allow the Commission to view sensitive CEII and other information, without necessarily collecting or possessing it, the Commission should be able to fulfill its compliance and enforcement responsibilities while avoiding the risk of public disclosure of sensitive information under FOIA requests in ways that could harm or create risk to the reliability of the electric grid.

Commission Response: The Commission is committed to ensuring security by pursuing the practices that SCS advocates. The Commission is conducting an ongoing assessment of how best to keep CEII secure while allowing those in the industry who need the information to access it.

Comment in response to the 30-day notice.

Comments of Modesto Irrigation District (MID). MID is an irrigation district with both electric and water operations. MID owns and operates facilities for electricity generation, transmission, distribution, purchase, and sale of electric power energy at wholesale and retail, and is a fully integrated utility.

MID believes that modifications to the Commission’s requirements may help reduce the burden on CEII-filing entities, while protecting sensitive information essential to the security of integrate electric systems. MID states that although the Commission requires entities seeking CEII information to sign protective agreements for such information, and understands that Commission staff attempts to verify that the requesting person or entity is seeking information for a legitimate purpose, there is still potential for disclosure of confidential information to individuals who do not have a legitimate need for such information, or may not have the means to fully protect such information.

MID supports SCS’s position that the Commission should collect CEII and other sensitive information only when it is absolutely necessary. MID adds that there are alternative mechanisms available that would allow the Commission to gain access to needed information. These include telephone conferences, webinars, and other technological solutions that would not require the Commission to possess and retain CEI information in its records.

MID also agrees with Acting Chairman LaFleur that Congress should explore a more robust exemption under FOIA to limit the risk of unnecessary, public disclosure of sensitive information relating to the critical infrastructure of the bulk power system.

Commission Response: The Commission finds MID’s point about not collecting CEII more than necessary to be a valid point, but would need to consider it in the context of specific filing requirements. The Commission also agrees that FOIA or similar legislation providing greater protection for sensitive information regarding the bulk power system would be helpful.

2. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS

There are no gifts or payments given to respondents.

2. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS

Respondents to this collection are those individuals and/or entities requesting access to CEII material. The information gathered in this collection is used to determine eligibility to obtain access to CEII material and is not considered public information.

2. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE.

This collection does not contain any questions of a sensitive nature.

2. ESTIMATED BURDEN ON COLLECTION OF INFORMATION

2. ESTIMATED OF THE TOTAL COST BURDEN TO RESPONDENTS

There are no estimated non-labor costs.

2. ESTIMATED ANNUALIZED COST TO THE FEDERAL GOVERNMENT

The estimate of the cost to the Federal Government is based on salaries for professional and clerical support. Based on the staff and resources involved in processing the information, the estimated average annual cost to FERC follows.

2. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE

The burden has not changed for this collection. The estimated cost has increased due to updating the hourly wage figure.

2. TIME SCHEDULE FOR THE PUBLICATION OF DATA

There is no publication of data as part of this collection of information.

2. DISPLAY OF EXPIRATION DATE

The OMB control number and expiration date is displayed on the form (electronic and hard-copy) used to request access to CEII information.

2. EXCEPTION TO THE CERTIFICATION STATEMENT

The data collected for this reporting requirement are not used for statistical purposes.

1 See Statement of Policy on Treatment of Previously Public Documents, 66 Fed. Reg. 52,917 (Oct. 18, 2001), 97 FERC ¶ 61,130 (2001) [posted at http://elibrary.ferc.gov/idmws/search/intermediate.asp?link_file=yes&doclist=2215938] .

2 The FOIA process is specified in 5 U.S.C. 552 and the Commission’s regulations at 18 CFR 388.108.

3 Under § 388.113(d), a request filed with CEII coordinator must contain the following information: requester's name, title, address and telephone number; name, address and telephone number of the person or entity on whose behalf the information is requested; a detailed statement explaining the particular need for and intended use of the information; and a statement as to the requestor's willingness to adhere to limitations on the use and disclosure of the information requested.

4 79 FR 8181

5 79 FR 26738

6 The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * $70.50 per Hour = Average Cost per Response. The hourly cost figure is based on the average FERC salary plus benefits. We assume that respondents receive similar compensation.

7 The FERC FTE estimate is $146,591. This includes salary plus benefits.

8 Paperwork Reduction Act of 1995 (PRA)

9 The Commission bases the cost of Paperwork Reduction Act administration on staff time, and other costs related to compliance with the Paperwork Reduction Act of 1995.

8