RM17-11 NOPR supporting statement

Download: docx | pdf

Supporting Statement for

FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards)

as modified by the NOPR in Docket RM17-11

The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards as modified by the NOPR in RM17-11¹.

1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY

Pursuant to section 215 of the Federal Power Act (FPA),² the Commission proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted proposed Reliability Standard CIP-003-7 in response to directives in Order No. 822.³ The Commission also proposes to approve the associated violation risk factors and violation severity levels, implementation plan and effective dates proposed by NERC. In addition, the Commission proposes to approve the modified definitions of Transient Cyber Asset and Removable Media as well as the retirement of the definitions for Low Impact External Routable Connectivity (LERC) and Low Impact Electronic Access Point (LEAP) in the NERC Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). Further, the Commission proposes to approve the retirement of Reliability Standard CIP-003-6.

The proposed Reliability Standard CIP-003-7 addresses the directives in Order No. 822 by:

• Clarifying the obligations pertaining to electronic access control for low impact BES [Bulk Electric System] Cyber Systems;⁴ and

• Adopting mandatory security controls for transient electronic devices (e.g. thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems.

In addition, by requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances for low impact BES Cyber Systems, the proposed Reliability Standard aligns the treatment of low impact BES Cyber Systems with that of high and medium impact BES Cyber Systems, which currently include a requirement for declaring and responding to CIP Exceptional Circumstances. Accordingly, we propose to approve proposed Reliability Standard CIP-003-7 because the proposed modifications improve the base-line cybersecurity posture of responsible entities compared to the current Commission-approved CIP Reliability Standards.

2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

The proposed Reliability Standard CIP-003-7 enhances security controls for low impact BES Cyber Systems by improving electronic access controls and creating security controls for transient electronic assets (TCAs) used at low impact BES Cyber Systems. The NERC Compliance Registry, as of September 2017, identifies approximately 1,320 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,100 entities (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, transmission owners, and certain distribution providers) would be subject to the proposed Reliability Standard CIP-003-7.

These entities would be subject to the increased burden related to:

• creation of plans to provide security controls for TCAs to mitigate the risk of malicious code being introduced to low impact BES Cyber System;

• the ongoing review and updating of the plans and documentation that the planned security controls are implemented for TCAs at low impact BES Cyber System;

• modification of plans to provide electronic security controls for low impact BES Cyber Systems; and

• the ongoing review and updating of the plans/documentation for methodology regarding how planned security controls are implemented for low impact BES Cyber System.

The consequences of not creating or maintaining the documents would prevent:

• the implementation and maintenance of electronic access controls for low impact BES Cyber Systems; and

• the mitigation of the risk of malicious code being introduced to low impact BES Cyber System from TCAs.

3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.

The use of current or improved technology and the medium are not covered in Reliability Standards, and are therefore left to the discretion of each respondent. We think that nearly all of the respondents are likely to make and keep related records in an electronic format. Each of the eight Regional Entities has a well-established compliance portal for registered entities to electronically submit compliance information and reports. The compliance portals allow documents developed by the registered entities to be attached and uploaded to the Regional Entity’s portal. Compliance data can also be submitted by filling out data forms on the portals. These portals are accessible through an internet browser password-protected user interface.

4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2

Filing requirements are periodically reviewed as OMB review dates arise or as the Commission may deem necessary in carrying out its regulatory responsibilities under the FPA in order to eliminate duplication and ensure that filing burden is minimized. There are no similar sources for information available that can be used or modified for these reporting purposes.

5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES

The Commission estimates one-time and ongoing increases in reporting burden on variety of NERC-registered entities (including Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners, and certain Distribution Providers) due to the changes in the revised Reliability Standard, with no other increase in the cost of compliance (when compared with the current standards). Approximately 857 of the 1,100 balancing authorities are expected to meet the SBA’s definition for a small entity.

This Reliability Standard does not contain provisions for minimizing the burden of the collection for small entities. All the requirements in the Reliability Standard apply to every applicable entity. However, Small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity the ability to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC’s Rules of Procedure at Section 1502, Paragraph 2, available at NERCs website.

6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY

The consequences of not creating the documents would prevent 1) the implementation of electronic access controls for low impact BES Cyber Systems and 2) the mitigation of the risk of malicious code being introduced to low impact BES Cyber System from TCAs.

The frequency of modifying or updating the documentation of the plans occurs only when the entities change or modify their security controls for the low impact BES Cyber Systems or TCA used at low impact BES Cyber Systems.

The frequency of documentation that the security controls were implemented and remain implemented, that the entities defined in their plans, is entirely based upon the frequency of the entities using TCA at low impact BES Cyber Systems or otherwise stated in their plans to maintain the security controls that the entity designed or the modification of low impact BES Cyber Systems that impact the security controls.

7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION

FERC-725B information collection has no special circumstances.

8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS

Each FERC rulemaking (both proposed and final rules) is published in the Federal Register thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the proposed collections of data.

The NOPR was published⁵ in the Federal Register on 10/26/2017.

9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS

No payments or gifts have been made to respondents.

10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS

According to the NERC Rules of Procedure⁶, “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.

Responding entities do not submit the information collected due to the Reliability Standards to FERC. Rather, they submit the information to NERC, the regional entities, or maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.

11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE

These collections do not contain any questions of a sensitive nature.

12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION

NERC’s proposed revisions to Reliability Standard CIP-003-7 will result in one-time and ongoing increases to burden in the reporting requirements imposed on Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners, and certain Distribution Providers.

The estimated changes to the burden and cost for FERC-725B due to the proposed modifications in the NOPR in RM17-11 follow:

RM17-11-000 NOPR (Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards)
	Number of Respondents (1)	Annual Number of Responses per Respondent (2)	Total Number of Responses (1)*(2)=(3)	Average Burden & Cost Per Response7 (4)	Total Annual Burden Hours & Total Annual Cost (3)*(4)=(5)	Cost per Respondent ($) (5)÷(1)
Create low impact TCA assets plan (one-time)8	1,100	1	1,100	20 hrs.; $1,680	22,0009 hrs.; $1,848,000	$1,680
Updates and reviews of low impact TCA assets (ongoing)10	1,100	30011	330,000	1.5 hrs.12; $126	495,000 hrs.; $41,580,000	$37,800
Update/modify documentation to remove LERC and LEAP (one-time)8	1,100	1	1,100	20 hrs.; $1,680	22,0009 hrs.; $1,848,000	$1,680
Update paperwork for access control implementation in Section 213 and Section 314 (ongoing)10	1,100	1	1,100	20 hrs.; $1,680	22,0009 hrs.; $1,848,000	$1,680
TOTAL (one-time)8			2,200		44,00015 hrs.; $3,696,000
TOTAL (ongoing)10			331,100		517,00016 hrs.; $43,428,000

The one-time burden of 44,000 hours will be averaged over three years (44,000 hours ÷ 3 = 14,667 hours/year over three years). The number of responses is also averaged over three years (2200 responses ÷ 3 = 733.3 responses/year).

The ongoing burden of 517,000 hours/year applies for only Years 2 and beyond. Similarly, the number of responses is also averaged over three years (2200 responses (one-time) + (331,100 responses (Year 2) + 331,100 (Year 3)) ÷ 3 = 221,467¹⁷).

The responses and burden for Years 1-3 will total respectively as follows:

Year 1: 221,467 responses; 14,667 hours

Year 2: 221,467 responses; 14,667 hours + 517,000 hours = 531,667 hours

Year 3: 221,467 responses; 14,667 hours + 517,000 hours = 531,667 hours

For submission in ROCIS the averages over Years 1-3 are:

• Annual burden proposed by the NOPR in RM17-11 is 359,333 hours. [(14,667 hours + ((517,000 hours + 14,667 hours) * 2)) ÷ 3] = 359,333 hours.

• Annual no. of responses proposed by the NOPR in RM17-11 is 221,467. [2200 responses (one-time) + (331,100 responses (Year 2) + 331,100 (Year 3)) ÷ 3 = 221,467¹⁷)]

13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS

There are no start-up or other non-labor costs.

Total Capital and Start-up cost: $0

Total Operation, Maintenance, and Purchase of Services: $0

All of the costs in the NOPR are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.

14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT

Any involvement by the Commission is covered under the FERC-725 (OMB Control No. 1902-0255). The data are not submitted to FERC.

The Commission does incur the costs associated with obtaining OMB clearance for FERC-725B collection under the Paperwork Reduction Act (PRA). The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the PRA for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings and orders, other changes to the collection, and associated publications in the Federal Register. FERC estimates the annual cost for this effort to be $5,723.00.

FERC-725B	Number of Employees (FTEs)	Estimated Annual Federal Cost
Analysis of Filings	0	$0
Processing of Filings	0	$0
Paperwork Reduction Act Administrative Cost18		$5,723
TOTAL		$5,723

15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE

Proposed Reliability Standards CIP-003-7¹⁹ clarify, consolidate, streamline, and enhance the Reliability Standards that entities, subjecting the entities to the increased burden of:

• creation of plans to provide security controls for TCAs to mitigate the risk of malicious code being introduced to low impact BES Cyber System;

• ongoing review and updating of the plans and documentation that the planned security controls are implemented for TCAs at low impact BES Cyber System;

• modification of plans to provide electronic security controls for low impact BES Cyber Systems; and

• ongoing review and updating of the plans and documentation that the planned security controls are implemented for low impact BES Cyber System.

Other factors that impact the burden are the frequency of:

• the entity modifying or updating their security controls for the low impact BES Cyber Systems or TCA used at low impact BES Cyber Systems;

• modification of low impact BES Cyber Systems that impact the security controls; and

• using TCA at low impact BES Cyber Systems.

A summary of the current OMB-approved inventory and the changes to FERC-725B information collection due to the NOPR in RM17-11 follows:

FERC-725B	Total Request	Previously Approved	Change due to Adjustment in Estimate	Change Due to Agency Discretion
Annual Number of Responses	222,882	1,415	0	221,467
Annual Time Burden20	1,928,743	1,569,410	0	359,333
Annual Cost Burden ($)	$126,725	$126,725	$0	$0

16. TIME SCHEDULE FOR THE PUBLICATION OF DATA

There are no tabulating, statistical or tabulating analysis or publication plans for the collection of information.

17. DISPLAY OF THE EXPIRATION DATE

The expiration date is displayed in a table posted on ferc.gov at http://www.ferc.gov/docs-filing/info-collections.asp.

18. EXCEPTIONS TO THE CERTIFICATION STATEMENT

There are no exceptions.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	RM17-11 NOPR supporting statement
Author	[email protected]
File Modified	0000-00-00
File Created	2021-01-21