
FERC-725B (OMB Control No. 1902-0248)

Supporting Statement for

FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection)


The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection (CIP), for a three-year period. FERC-725B (OMB Control No. 1902-0248) is an existing Commission data collection (filing requirements), as provided in 18 CFR Part 40.


The Commission estimates the annual reporting burden for FERC-725B will be 1,214,042 total hours (an average of 858 hours per respondent[1]).


1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY


On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.[2] EPAct 2005 added a new section 215 to the Federal Power Act (FPA), which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Once approved by the Commission, the Reliability Standards may be enforced by the ERO, subject to Commission oversight. The North American Electric Reliability Corporation (NERC) is the Commission-certified ERO.


On January 18, 2008, the Commission issued Order No. 706, which approved the CIP version 1 Standards to address cyber security of the Bulk-Power System.[3] In Order No. 706, the Commission approved eight CIP Reliability Standards (CIP-002-1 through CIP-009-1). While approving the CIP version 1 Standards, the Commission also directed NERC to develop modifications to the CIP version 1 Standards, intended to enhance the protection provided by the CIP Reliability Standards. Subsequently, NERC filed the CIP version 2 and CIP version 3 Standards in partial compliance with Order No. 706. The Commission approved these standards in September 2009[4] and March 2010,[5] respectively.


On April 19, 2012, the Commission issued Order No. 761, which approved the CIP version 4 Standards (CIP-002-4 through CIP-009-4).[6] Reliability Standard CIP-002-4 (Critical Cyber Asset Identification) sets forth 17 uniform “bright line” criteria for identifying Critical Assets. In the final rule in Docket No. RM13-5, the Commission approved NERC’s proposal to allow responsible entities to transition directly from compliance with the currently effective CIP version 3 Standards to compliance with the CIP version 5 Standards. Thus, CIP-002-4 through CIP-009-4 will not become effective, and CIP-002-3 through CIP-009-3 will remain in effect until the effective date of the CIP version 5 Standards.[7]


In its petition to the Commission to approve the CIP version 5 standards, NERC states that it took into consideration the four years of experience since the first CIP standards were implemented, “as well as FERC directives…[and] developed the proposed CIP version 5 standards to better protect the reliability of the nation’s Bulk Electric System (“BES”) from cyber-attacks.”[8]


NERC goes on to state that:


The improvements included in CIP version 5 reflect a maturity of the NERC CIP program. While the general framework of the proposed standards follows the organization of the previous CIP versions, a new process is introduced in proposed CIP-002-05 for identifying and classifying BES Cyber Systems according to “Low-Medium-High” impact. Once BES Cyber Systems are identified, a Responsible Entity must then comply with proposed CIP-003-5 to CIP-011-1, according to specific criteria relating to impact and other characteristics such as communications connectivity. As such, NERC and its stakeholders have proposed the most comprehensive set of mandatory cybersecurity standards ever utilized on a widespread basis in the electric industry.


In terms of information collection, the CIP standards require entities to document their compliance with requirements and to develop cyber security policies and procedures.


2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION


The information collection requirements in the CIP version 5 standards apply to entities registered as the following functions: balancing authorities, distribution providers, generator operators, generator owners, interchange coordinators (or interchange authorities), reliability coordinators, transmission operators, and transmission owners. Based on the NERC compliance registry, FERC estimates there are 1,475 entities in the U.S. registered for at least one of the functions listed above. Each of these entities is considered a “respondent” for the purposes of fulfilling the paperwork requirements.


The cyber security policy, process, and procedure documentation required by the CIP standards is the principal component of a cyber security program. The main use of the information generated is to achieve and maintain a cyber-secure operational state, a process that requires vigilant monitoring of activity against documented policies and procedures. The information generated can also be used to show auditors that the required cyber security policies, processes, and procedures are designed to achieve the requirement and are implemented as designed. Similarly, the applicable compliance enforcement authority (Regional Entity or NERC) relies upon any such documentation it is shown to measure an entity’s compliance with a given requirement. The information is also used for evaluating reliability events or for enforcement actions.


If the information collection requirements did not exist, it would be difficult to monitor and enforce compliance with the standards, which could lead entities to relax their compliance with the requirements. Also, creating and maintaining documentation is integral to the task of performing cyber security, as reflected in the fact that some of the Reliability Standards’ requirements actually require an entity to create a document (as opposed to documenting compliance with a requirement). Without such information collection, an entity may fail to perform actions that affect the reliability and security of the grid.


3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN


The use of current or improved technology is not covered in the CIP Reliability Standards, and is therefore left to the discretion of each responsible entity.


4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2


The information collection requirements are unique to this reliability standard and to this information collection. The Commission does not know of any duplication in the requirements.


5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES


The CIP version 5 Reliability Standards generally do apply to small entities, depending first on their registered function(s) and then on the types of facilities they own. Nearly all of the small entities that are subject to the CIP version 5 standards own only facilities that should fall into the Low impact category under these standards. This means the burden for these entities is relatively minor compared with that of the rest of the applicable entities. The only requirement the CIP version 5 Reliability Standards impose on owners with regard to their Low impact category facilities is to create and implement policies to protect their cyber assets. The requirements for Low impact category facilities do not impose any specific technical security controls, which gives small entities more flexibility in complying with the standards. As FERC stated in Order No. 761, “…control systems that support Bulk-Power System reliability are only as secure as their weakest links, and that a single vulnerability opens the computer network and all other networks with which it is interconnected to potential malicious activity.” Because of the inherent connectivity between entities that is required to operate the Bulk-Power System, the CIP version 5 Reliability Standards cannot exclude entities based on size alone without creating a weak point in the security of the Bulk-Power System that could be exploited to reach higher value cyber systems.


6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY


As stated in response to item #2, the documentation related to the CIP Reliability Standards is an integral part of establishing and maintaining cyber security. The power grid would be at greater risk from cyber threats if the collection were conducted less frequently.


7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION


There is one special circumstance, as described in 5 CFR 1320.5(d)(2), related to this information collection.


Entities may have to submit to or show the auditors security or confidential information that is related to the CIP standards. The general practice is that the auditor often does not remove the information from the site of the entity and, in any case, returns the confidential information to the entity following the audit.


This special circumstance is necessary to maintain an effective cyber-security program.


8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY’S RESPONSE TO THESE COMMENTS


In accordance with OMB requirements,[9] the Commission published a 60-day notice[10] and a 30-day notice to the public regarding this information collection on 4/17/2015 and 6/26/2015, respectively. The Commission noted that it would be requesting a three-year extension of the public reporting burden with no change to the existing requirements concerning the collection of data.


Commission staff received one comment in response to the 60-day notice. The comment and FERC’s response follow:


Public comment received about the FERC-725B information collection: FERC received one comment from Robert S. Lynch and Associates. The comment pertained to the burden and cost of responding to a Freedom of Information Act (FOIA) request related to FERC-725B, and to the information collection not being safeguarded against a request under FOIA.

FERC’s response to the public comment: The burden of the Commission’s safeguarding of information collection activities against FOIA requests does not impose a direct collection cost burden on the regulated entities and, thus, is not included in the reported cost burden.

As to the data vulnerability issue raised by the commenter, the information collected under the CIP Reliability Standards is generally protected from FOIA requests because it is retained by the regulated entities themselves and not by the Commission. For compliance and enforcement activities under the CIP Reliability Standards, section 215 of the Federal Power Act (FPA)[11] required the Commission to certify an Electric Reliability Organization (ERO); the Commission certified NERC. The ERO and its designated assignees, in exercising their compliance and enforcement activities under section 215 of the FPA, generally only review the information collected by the regulated entities and take possession only of the information required to process enforcement actions. The Commission, in furtherance of its statutory responsibility under section 215 of the FPA, reviews and approves enforcement actions undertaken by the ERO and, in doing so, does receive information collected under the CIP Reliability Standards. However, the information the Commission receives for performing its statutory oversight responsibilities is generally devoid of specific sensitive information. Therefore, FERC does not find it necessary to make any changes to the collection at this time.


For additional information on NERC’s handling of secure or confidential information, please refer to Question #10.


9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS


There are no payments or gifts to FERC-725B respondents.


10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS


According to the NERC Rules of Procedure, Section 1502,[12] “a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.


Responding entities do not submit the information collected under the approved Reliability Standards to FERC. Rather, they maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality unless and until any such information is submitted to FERC as part of an enforcement action or other compliance review.


11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE.


There are no questions of a sensitive nature that are considered private in the FERC-725B.


12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION


The currently approved information collection burden is:


Number of respondents: 1,475

Hourly Burden: 1,327,231 hours


The burden is explained in further detail in the following tables:


| Group of Registered Entities | Class of Entity’s Facilities Requiring CIP Version 5 Protections | Number of Entities[13] | Total Hours in Year 1 (hours)[14] | Total Hours in Year 2 (hours) | Total Hours in Year 3 (hours) |
|---|---|---|---|---|---|
| Group A | Low[15] | 61 | 0 | 3,804 | 3,804 |
| Group B | Low[16] | 1,089 | 0 | 570,636 | 570,636 |
| Group B | Medium[17] | 260 | 128,960 | 128,960 | 64,896 |
| Group C | Low[18] | 325 | 0 | 170,300 | 170,300 |
| Group C | Medium (New)[19] | 78 | 1,248 | 1,248 | 19,136 |
| Group C | Low (Blackstart)[20] | 283 | 22,640 | 22,640 | -206,024 |
| Group C | Medium or High[21] | 325 | 265,200 | 265,200 | 135,200 |
| Totals[22] | | | 418,048 | 1,162,788 | 757,948 |


The currently approved figure of 1,327,231 hours is an annual burden averaged over Years 1-3 and is built up from the prior estimates as follows:

  • CIP Version 4 imposed 848,730 hours.

  • CIP Version 5 added 779,595 hours (due to the Final Rule in RM13-5-000). This is the average of the three annual totals in the table above [(418,048 hours + 1,162,788 hours + 757,948 hours) ÷ 3 = 779,595 hours].

  • A 429,600-hour reduction due to a revised assumption about the frequency of audits that the majority of registered entities were likely to experience (due to the Final Rule in RM13-5-000).

  • A 143,208-hour increase due to maintenance of documents for future audits (due to the Final Rule in RM13-5-000).

  • A 14,702-hour decrease due to an estimated net reduction in the number of entities for that clearance period (due to the Final Rule in RM13-5-000).


In summary: 848,730 hours + 779,595 hours – 429,600 hours + 143,208 hours – 14,702 hours = 1,327,231 hours.


13. ESTIMATE OF TOTAL ANNUAL COST OF BURDEN TO RESPONDENTS

There are no non-labor start-up costs.


14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT


The estimated annualized cost to the Federal Government related to the data collections are shown below:



| | Number of Hours or FTEs | Estimated Annual Federal Cost ($)[23] |
|---|---|---|
| PRA[24] Administration Cost[25] | - | $5,193 |
| Data Processing and Analysis | 0 | $0 |
| FERC Total | - | $5,193 |



15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE


The decrease in burden is primarily due to a reduction in registered entities (from 1,475 to 1,415). A large portion of the decrease is also due to the removal of CIP Version 4 requirements, specifically those related to Group C registered entities (Low “Blackstart”).


Three items present the burden associated with the CIP Reliability Standards in this section:

  • The first table illustrates burden associated with CIP version 5 Reliability Standards.

  • The second table illustrates burden associated with CIP version 3 and 4 Reliability Standards.

  • The third item (bulleted list) is a sum of the total burden for all active CIP-related Reliability Standards (i.e. CIP Versions 3-5).


Annual Burden Related to CIP Reliability Standards (Version 5)

| Group of Registered Entities | Class of Entity’s Facilities Requiring CIP | Number of Entities | Total Hours in Year 1 (hours) | Total Hours in Year 2 (hours) | Total Hours in Year 3 (hours) |
|---|---|---|---|---|---|
| Group A | Low | 41 | 2,540 | 2,540 | 564 |
| Group B | Low | 1,058 | 554,392 | 554,392 | 110,032 |
| Group B | Medium | 260 | 128,960 | 64,896 | 64,896 |
| Group C | Low | 316 | 165,584 | 165,584 | 32,864 |
| Group C | Medium (New) | 78 | 1,248 | 19,136 | 19,136 |
| Group C | Low (Blackstart) | 283 | 22,640 | -206,024[26] | -206,024[26] |
| Group C | Medium or High | 316 | 257,856 | 131,456 | 131,456 |
| Total | | | 1,133,220 | 731,980 | 152,924 |


The total annual burden (related to CIP Version 5 only) is 672,708 hours when averaged over Years 1-3 [(1,133,220 hours + 731,980 hours + 152,924 hours) ÷ 3 = 672,708 hours]. The total annual cost averaged over Years 1-3 is $50,883,633 (672,708 hours × $75.64[27] = $50,883,633).


Regarding CIP standards unaffected by CIP Version 5, the estimated burden has been adjusted to account for a reduction in affected entities.[28] The applicable estimate related to the CIP Version 3 and 4 standards (the active components) is provided in the table below. (For display purposes, the numbers in the table below have been rounded. However, exact figures were used in the calculations.)


Burden Related to CIP Reliability Standards (Version 3 and Version 4)[29]

| Number of Respondents (1) | Annual Number of Responses per Respondent (2) | Total Number of Responses (1)×(2)=(3) | Average Burden Hours & Cost per Response (4) | Total Annual Burden Hours & Total Annual Cost (3)×(4)=(5) | Cost per Respondent ($) (5)÷(1) |
|---|---|---|---|---|---|
| 1,415 | 1 | 1,415 | 383 hours[30]; $28,937 | 541,334 hours[31]; $40,946,496 | $28,937 |



The following items represent the estimated total annual burden (averaged over Years 1-3) for FERC-725B and include all burden associated with the CIP Reliability Standards.[32]

  • Number of respondents: 1,415 (Not all entities with CIP-related functions will be obligated to comply with every CIP Reliability Standard.)

  • Total Annual Burden Hours: 1,214,042

  • Total Annual Cost: $91,830,137 (1,214,042 hours × $75.64 = $91,830,137)

  • Average Cost per Respondent: $64,898[33] ($91,830,137 ÷ 1,415 entities = $64,898)


The following table shows the total burden of the new collection of information. The format, labels, and definitions of the table follow the ROCIS submission system’s “Information Collection Request Summary of Burden” for the metadata.



| | Total Request | Previously Approved | Change due to Adjustment in Estimate | Change Due to Agency Discretion |
|---|---|---|---|---|
| Annual Number of Responses | 1,415 | 1,475 | -60 | 0 |
| Annual Time Burden (Hr.) | 1,214,042 | 1,327,231 | -113,189 | 0 |
| Annual Cost Burden ($) | $0 | $0 | $0 | $0 |



16. TIME SCHEDULE FOR PUBLICATION OF DATA


There are no tabulating, statistical, or publication plans for the collection of information. The data are used for regulatory purposes only.


17. DISPLAY OF EXPIRATION DATE


The expiration dates are displayed on ferc.gov with links to the updated table from http://www.ferc.gov/docs-filing/info-collections.asp.


18. EXCEPTIONS TO THE CERTIFICATION STATEMENT


The Commission does not use the data collected for this reporting requirement for statistical purposes. Therefore, the Commission does not use “effective and efficient statistical survey methodology” as stated in item (i) of the certification to OMB. The information collected is case specific to each information collection.

[1] This hourly figure is rounded. The actual figure is 857.98 hours.

[2] The Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), codified at 16 U.S.C. 824o (2000).

[3] Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh’g, Order No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ¶ 61,229 (2009), order on clarification, Order No. 706-C, 127 FERC ¶ 61,273 (2009).

[4] North American Electric Reliability Corp., 128 FERC ¶ 61,291, order denying reh’g and granting clarification, 129 FERC ¶ 61,236 (2009).

[5] North American Electric Reliability Corp., 130 FERC ¶ 61,271 (2010).

[6] Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 Fed. Reg. 24,594 (April 25, 2012), 139 FERC ¶ 61,058 (2012); order denying reh’g, 140 FERC ¶ 61,109 (2012).

[7] On August 12, 2013, the Commission granted an extension of time to implement the CIP version 4 Standards from April 1, 2014 to October 1, 2014. N. Am. Elec. Reliability Corp., 144 FERC ¶ 61,123 (2013).

[8] The NERC Petition is available on FERC’s eLibrary system (http://www.ferc.gov/docs-filing/elibrary.asp) by searching in Docket No. RM13-5. The proposed standards are contained in Exhibit A of NERC’s petition.

[9] 5 CFR 1320.8(d).

[10] 80 FR 21230.

[11] 16 U.S.C. 824o.

[12] NERC Rules of Procedure, Section 1502, Paragraph 2, available on NERC’s website.

[13] Group A includes 61 unique entities, Group B includes 1,089 unique entities, and Group C includes 325 unique entities.

[14] The three “Total Hours” columns give the aggregate hours for all the entities in each row. In the last row they give the grand total for each year.

[15] Distribution Providers are the only functional entity type in Group A (see section 4, Applicability, of each CIP version 5 Standard), and their facilities are captured only by the Low classification criteria listed in proposed CIP-002-5. The number of entities in this group represents the number of Distribution Providers that are not registered for any additional CIP version 5 applicable functions, including the Load Serving Entity function. The Load Serving Entity function is subject to CIP versions 1-4.

[16] As with Groups A and C, Group B entities will own Low facilities that were not identified for protection under prior CIP versions. The number of Group B respondents is calculated as 77 percent of the 1,414 entities previously subject to the CIP Reliability Standards (0.77 × 1,414 = 1,089).

[17] In contrast to CIP version 4, Criterion 2.5 in proposed CIP version 5 identifies new facilities for protection (transmission facilities operated at 200 kV or above and below 300 kV) and classifies them as “Medium.” Some of these newly applicable transmission facilities are owned by entities that had not identified any Critical Cyber Assets (CCAs) under previous versions, while others are owned by entities that previously identified CCAs. Assuming Group B entities constitute 77 percent of the entities to which this criterion potentially applies, 260 of the 338 Transmission Owners (TOs) captured by Criterion 2.5 are assigned to Group B, while the remaining 78 are allotted to Group C.

[18] As with Groups A and B, the entities that identified CCAs under CIP version 4 (Group C) will also own facilities newly addressed by CIP version 5 and classified as Low. The number of Group C respondents is calculated as 23 percent of the 1,414 entities previously subject to the CIP Reliability Standards (0.23 × 1,414 = 325).

[19] This row concerns only the newly subject transmission facilities addressed by CIP version 5, Criterion 2.5, as owned by Group C Transmission Owner (TO) entities. See footnote 17 (Group B Medium) for further explanation. These Medium-rated facilities are broken out in this row, separate from the other Medium facilities the entity may own (shown in the Medium or High row below), because the level of effort for these Group C TO entities to protect the newly protected facilities is estimated differently than for the Group B entities, or for other Medium facilities the entity may own.

[20] Blackstart generation and transmission cranking paths are the only types of facilities that were first identified for more specific security controls under CIP version 4, Criteria 1.4 and 1.5, but are then subject only to Low mandatory security controls under CIP version 5, Criterion 3.4. The number of entities in this row represents 23 percent of the sum of all registered Generator Operators (891 in total), to account for Blackstart Resources, and all TOs, to account for cranking paths. The total burden in year 3 is negative (-206,024 hours). The negative figure in this context represents a removal of requirements and burden for Group C (Blackstart) respondents because in year 3 these facilities will no longer be subject to the more specific security controls under CIP version 4. This leads to the burden reduction for these entities described in footnote 26.

[21] Except for the Blackstart facilities noted above, the facilities that Group C entities identified as CCAs under CIP version 4 will be rated for Medium or High security controls under CIP version 5.

[22] In the RM13-5-000 NOPR (78 FR 24107, 4/24/2013), the totals for year 2 and year 3 were shown as 768 hours more than the actual totals. The Commission issued an errata notice on 5/3/2013 to correct the error.

[23] Based on the 2015 cost (salary plus benefits) per FTE of $149,489 for one year (2,080 hours), rounded to $72.00 per hour.

[24] Paperwork Reduction Act of 1995 (PRA).

[25] The PRA Administration Cost is $5,193 and includes preparing supporting statements, notices, and other activities associated with Paperwork Reduction Act compliance.

[26] These figures (in the context of this table) represent a removal of requirements and burden for Group C (Blackstart) respondents in Years 2 and 3 due to CIP Version 5 changes. Since these numbers are negative, they represent a reduction in the OMB-approved burden estimate.

[27] The estimates for cost per response are derived using the following formula: Average Burden Hours per Response × $75.64 per Hour = Average Cost per Response. The hourly cost figure comes from May 2014 data on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm). The figure is the average of the cost of wages and benefits for legal services ($129.68), technical employees ($58.17), and administrative support ($39.12).

[28] The estimate has been decreased from 1,475 to 1,415. The NERC Compliance Registry indicated that, as of 1/14/2015, 1,415 entities were registered for at least one CIP-related function/responsibility.

[29] Reliability Standards CIP-002-3, CIP-003-3, CIP-004-3a, CIP-005-3a, CIP-006-3a, CIP-007-3c, CIP-008-3, and CIP-009-3.

[30] This figure is rounded for display in the table. The actual number is 382.56813 and is used in the calculations above.

[31] This figure is rounded for display in the table. The actual number is 541,333.91 and is used in the calculations above.

[32] CIP Versions 3 and 4 (remaining components of Versions 3 and 4), and Version 5.

[33] This figure is rounded. The actual number is 64,897.623.


