RM14-15 (CIP 14) NOPR Supporting Statement (725U)_10-1-14 Update


FERC-725U, (Proposed Rule in RM14-15) Mandatory Reliability Standards: Reliability Standard CIP-014

OMB: 1902-0274


FERC-725U (OMB Control Number: To be determined). Updated 10/1/14.

Docket No. RM14-15 (Proposed Rule, issued 7/17/2014)

RIN: 1902-AE87


Supporting Statement

FERC-725U, Mandatory Reliability Standards: Reliability Standard CIP-014-1

Proposed rule in Docket No. RM14-15


The Federal Energy Regulatory Commission (FERC or Commission) requests that the Office of Management and Budget (OMB) review and approve the FERC-725U, Mandatory Reliability Standards: Reliability Standard CIP-014-1, information collection as included in the proposed rule in Docket No. RM14-15.


  1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY


On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. EPAct 2005 adds a new section 215 to the Federal Power Act (FPA), which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards which are subject to Commission review and approval. Once approved, an ERO would enforce the Reliability Standards either subject to Commission oversight or by the Commission independently.


On February 3, 2006, the Commission issued Order No. 672, implementing section 215 of the FPA. Pursuant to Order No. 672, the Commission certified one organization, NERC, as the ERO. The ERO is required to develop Reliability Standards, which are subject to Commission review and approval. The Reliability Standards apply to users, owners and operators of the Bulk-Power System, as set forth in each Reliability Standard.


Section 215(d)(2) of the FPA and the Commission’s regulations provide that the Commission may approve a proposed Reliability Standard if it determines that the proposal is just, reasonable, not unduly discriminatory or preferential, and in the public interest. The Commission specified in Order No. 672 certain general factors it would consider when assessing whether a particular Reliability Standard is just and reasonable. According to this guidance, a Reliability Standard must provide for the reliable operation of Bulk-Power System facilities and may impose a requirement on any user, owner or operator of such facilities. It must be designed to achieve a specified reliability goal and must contain a technically sound means to achieve this goal. The Reliability Standard should be clear and unambiguous regarding what is required and who is required to comply.


Pursuant to section 215 of the FPA, the Commission proposes to approve Reliability Standard CIP-014-1 (Physical Security). NERC submitted the proposed Reliability Standard for Commission approval in response to a Commission order issued on March 7, 2014.[1]


In the March 7 Order, the Commission determined that physical attacks on the Bulk-Power System could adversely impact the reliable operation of the Bulk-Power System, resulting in instability, uncontrolled separation, or cascading failures. Moreover, the Commission observed that the current Reliability Standards do not specifically require entities to take steps to reasonably protect against physical security attacks on the Bulk-Power System. Accordingly, to carry out section 215 of the FPA and to provide for the reliable operation of the Bulk-Power System, the Commission directed NERC, pursuant to FPA section 215(d)(5), to develop and file for approval proposed Reliability Standards that address threats and vulnerabilities to the physical security of critical facilities on the Bulk-Power System.[2]


The March 7 Order indicated that the Reliability Standards should require owners or operators of the Bulk-Power System to take at least three steps to address the risks that physical security attacks pose to the reliable operation of the Bulk-Power System. Specifically, the March 7 Order directed that: (1) the Reliability Standards should require owners or operators of the Bulk-Power System to perform a risk assessment of their systems to identify their “critical facilities”; (2) the Reliability Standards should require owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities; and (3) the Reliability Standards should require those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security.


The March 7 Order stated that the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator, such as by NERC, the relevant Regional Entity, a reliability coordinator, or another entity.[3] In addition, the March 7 Order also indicated that the Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner’s or operator’s list of critical facilities.[4] The March 7 Order further stated that the determination of threats and vulnerabilities and the security plan should be reviewed by NERC, the relevant Regional Entity, the reliability coordinator, or another entity with appropriate expertise.


The March 7 Order stated that, because the three steps of compliance with the contemplated Reliability Standards could contain sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the Bulk-Power System, NERC should include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.


The Commission directed NERC to submit the proposed Reliability Standards to the Commission for approval within 90 days of issuance of the March 7 Order (i.e., June 5, 2014).


  2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION


Proposed Reliability Standard CIP-014-1 requires transmission owners and transmission operators to identify and protect transmission stations and transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or cascading within an Interconnection.[5]


In terms of information collection requirements, an applicable entity must create or maintain documentation showing compliance, when appropriate, with each requirement of the proposed Reliability Standard. The specific information collection requirements in each Reliability Standard requirement are as follows:


  • Requirement R1: Each applicable entity must have documentation to prove it conducted the required risk assessment.

  • Requirement R2: Each applicable entity must have documentation to prove that an unaffiliated third party verified its risk assessment. If the entity does not modify its risk assessment in response to the third party verifier’s recommendation, the entity must draft a technical justification to support its decision not to comply with the recommendation. Each entity must also develop procedures for protecting sensitive or confidential information made available to the unaffiliated third party verifier and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.

  • Requirement R3: Each transmission owner must have documentation that it notified a transmission operator if the transmission operator has operational control of certain primary control centers identified and verified in Requirements R1 and R2.

  • Requirement R4: Each applicable entity (transmission owner and transmission operator) must document its vulnerability analysis of the stations, substations and primary control centers identified in Requirements R1 and R2.

  • Requirement R5: Each applicable entity (transmission owner and transmission operator) must develop a physical security plan. The plan has to include the following attributes:

    • Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.

    • Law enforcement contact and coordination information.

    • A timeline for executing the physical security enhancements and modifications specified in the physical security plan.

    • Provisions to evaluate evolving physical threats, and their corresponding security measures, to the transmission station(s), transmission substation(s), or primary control center(s).

  • Requirement R6: Each applicable entity (transmission owner and transmission operator) must have documentation to prove that an unaffiliated third party verified its evaluation performed under requirement R4 and the security plan developed under requirement R5. The rest of the requirement is similar to the description for requirement R2 above.


  3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE THE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN


How entities use information technology to meet the information collection requirements is not an area specifically covered in the proposed Reliability Standard.


In general, the Commission supports the use of information technology to reduce burden.


  4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2


The Commission periodically reviews filing requirements concurrent with OMB review or as the Commission deems necessary to eliminate duplicative filing and to minimize the filing burden.


The Commission is unaware of any other source of information related to bulk electric system physical security.


  5. METHODS USED TO MINIMIZE THE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES


Small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity the ability to share its compliance burden with other similar entities.


Detailed information regarding these options is available in NERC’s Rules of Procedure at sections 507 and 508.[6]


  6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY


The paperwork requirements in this collection are that entities document compliance with substantive requirements, including the preparation of a physical security plan, and maintain such documents. The frequency of the paperwork requirements was vetted and approved by industry consensus in the NERC standard development process and is ultimately meant to support the reliability of the bulk electric system.


  7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION


There are no special circumstances for this collection.


  8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY’S RESPONSE


The ERO process to establish Reliability Standards is a collaborative process with the ERO, Regional Entities and other stakeholders developing and reviewing drafts, and providing comments, with the final proposed standard submitted to the FERC for review and approval.[7] In addition, each FERC rulemaking (both proposed and final rules) is published in the Federal Register, thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the proposed collection of data. The proposed rule was published in the Federal Register on July 23, 2014 (79 FR 42734).


  9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS


There are no gifts or payments given to the respondents.


  10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS


According to the NERC Rule of Procedure,[8] “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.


Responding entities do not submit the information collected under the proposed Reliability Standard to FERC. Rather, they maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.


  11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE.


This collection does not contain any questions of a sensitive nature.


  12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION


The table below shows the estimated information collection burden. The Commission estimated the burden by requirement in the proposed Reliability Standard (e.g., R1, R2) and by year (year 1 through year 3). The table also includes the monetary cost of the labor hours.


The reporting requirements of this collection are cyclical. For example, of the 357 entities complying with Requirement R1 in year 1, 30 will have to do Requirement R1 again in year 3, and all 357 will have to do Requirement R1 again in year 5. The record retention requirements are imposed annually on transmission owners (357) plus the transmission operators identified in requirement R3 (2).


For requirements R4-R6 in year one, the respondents are a subset (30) of the total group of transmission owners (357) and the two transmission operators identified in requirement R3. This same group of entities (30 transmission owners and two transmission operators) has to comply again in year three.


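| Requirements in Reliability Standard CIP-014-1 over Years 1-3 | Number of Respondents (1) | Number of Responses per Respondent (2) | Total Number of Responses (1)*(2)=(3) | Average Burden Hours & Cost Per Response [9] (4) | Total Burden Hours & Total Cost (3)*(4) |
|---|---|---|---|---|---|
| Year 1 | | | | | |
| R1 | 357 | 1 | 357 | 20 hrs; $1,220 | 7,140 hrs; $435,540 |
| R2 | 357 | 1 | 357 | 34 hrs; $2,342 | 12,138 hrs; $836,094 |
| R3 | 2 [10] | 1 | 2 | 1 hr; $128 | 2 hrs; $256 |
| R4 | 32 | 1 | 32 | 80 hrs; $4,880 | 2,560 hrs; $156,160 |
| R5 | 32 | 1 | 32 | 320 hrs; $19,520 | 10,240 hrs; $624,640 |
| R6 | 32 | 1 | 32 | 304 hrs; $18,812 | 9,728 hrs; $601,984 |
| Record Retention | 359 | 1 | 359 | 2 hrs; $64 | 718 hrs; $22,976 |
| Year 2 | | | | | |
| Record Retention | 359 | 1 | 359 | 2 hrs; $64 | 718 hrs; $22,976 |
| Year 3 | | | | | |
| R1 | 30 | 1 | 30 | 20 hrs; $1,220 | 600 hrs; $36,600 |
| R2 | 30 | 1 | 30 | 34 hrs; $2,342 | 1,020 hrs; $70,260 |
| R3 | 2 | 1 | 2 | 1 hr; $128 | 2 hrs; $256 |
| R4 | 32 | 1 | 32 | 80 hrs; $4,880 | 2,560 hrs; $156,160 |
| R5 | 32 | 1 | 32 | 80 hrs; $4,880 | 2,560 hrs; $156,160 |
| R6 | 32 | 1 | 32 | 134 hrs; $8,442 | 4,288 hrs; $270,144 |
| Record Retention | 359 | 1 | 359 | 2 hrs; $64 | 718 hrs; $22,976 |
| Year 1 Total | | | | | 42,526 hrs; $2,677,650 |
| Year 2 Total | | | | | 718 hrs; $22,976 |
| Year 3 Total | | | | | 11,748 hrs; $712,556 |
| TOTAL | | | | | 54,992 hrs; $3,413,182 |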



  13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS


There are no start-up or other non-labor costs associated with the information collection.


  14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT


The Regional Entities and NERC do most of the data processing, monitoring and compliance work for Reliability Standards. Any involvement by the Commission is covered under the FERC-725 collection (1902-0225) and is not part of this request or package.


| FERC-725U | Number of Employees (FTEs) | Estimated Annual Federal Cost |
|---|---|---|
| Analysis and Processing of filings | 0 | $0 |
| Paperwork Reduction Act Administrative Cost [11] | | $5,092 |


  15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE


This is a new information collection contained in the requirements of a new physical security Reliability Standard. The burden increase is necessary to support the implementation of a physical security Reliability Standard.


The annual time burden below represents the total burden for the first three years, divided by three.

| FERC-725U | Total Request | Previously Approved | Change due to Adjustment in Estimate | Change Due to Agency Discretion |
|---|---|---|---|---|
| Annual Number of Responses | 359 | 0 | 0 | 0 |
| Annual Time Burden (Hr) | 18,331 | 0 | 0 | 0 |
| Annual Cost Burden ($) | $0 | $0 | $0 | $0 |


  16. TIME SCHEDULE FOR PUBLICATION OF DATA


There is no publication of data as part of this collection of information.


  17. DISPLAY OF EXPIRATION DATE


The expiration date is displayed in a table posted on ferc.gov at http://www.ferc.gov/docs-filing/info-collections.asp.


  18. EXCEPTIONS TO THE CERTIFICATION STATEMENT


The Commission does not use the data collected for this reporting requirement for statistical purposes. Therefore, the Commission does not use “effective and efficient statistical survey methodology,” as stated in item (i) of the certification to OMB.

1 Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014) (March 7 Order).

2 Id. 824o(d)(5).

3 March 7 Order, 146 FERC ¶ 61,166 at P 11.

4 Id.

5 Proposed Reliability Standard CIP-014-1 (Purpose).

7 Details of the current ERO Reliability Standard processes are available on the NERC website at http://www.nerc.com/pa/Stand/Resources/Documents/Appendix3AStandardsProcessesManual.pdf.

8 Section 1502, Paragraph 2, available at NERC's website.

9 The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * XX per Hour = Average Cost per Response. The hourly cost figures are based on wages plus benefits for engineers ($61/hr.), attorneys ($128/hr.), and administrative staff ($32/hr.). The record retention cost is based on the administrative staff category; R3 is based on the attorney category; R1, R4, R5 and R6 are based on the engineer category; and R2 is a mix of the engineer (20 hrs.) and attorney (4 hrs.) categories. These figures are based on Bureau of Labor Statistics wage and benefit data obtainable at http://www.bls.gov/news.release/ecec.nr0.htm and http://www.bls.gov/news.release/ecec.nr0.htm.

10 For requirement R3 in year one, the two respondents noted are transmission owners that are required to identify two transmission operators. These two transmission operators are required to comply with R4-R6. The same applies to R3 in year 3.

11 The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the Paperwork Reduction Act (PRA) for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection.   This average annual cost includes requests for extensions, all associated rulemakings (not just this proposed rule), and other changes to the collection. 



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: ferc
File Modified: 0000-00-00
File Created: 2021-01-27
