FERC-725U (OMB Control No.: 1902-0274)
Supporting Statement for
FERC-725U, Mandatory Reliability Standards: Reliability Standard CIP-014
(Three-year approval for extension requested)
The Federal Energy Regulatory Commission (FERC or Commission) requests that the Office of Management and Budget (OMB) review and renew the information collection requirements in FERC-725U under OMB Control No. 1902-0274. This supporting statement covers the requirements of the FERC-725U information collection. The reporting requirements in the FERC-725U are also contained in FERC’s regulations in 18 Code of Federal Regulations (CFR) Part 40.
CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY
On August 8, 2005, The Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. EPAct 2005 added a new Section 215 to the Federal Power Act (FPA), which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight. In 2006, the Commission certified the North American Electric Reliability Corporation (NERC) as the ERO pursuant to FPA section 215.1
HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION
Reliability Standard CIP-014-1 (inactive as of 10/1/2015)
On 11/20/2014, FERC issued an order2 approving Reliability Standard CIP-014-1. Reliability Standard CIP-014-1 enhanced physical security measures for the critical Bulk-Power System facilities and lessened the overall vulnerability of the Bulk-Power System against physical attacks.
Reliability Standard CIP-014-2 (current)
On 7/14/2015, FERC issued a letter order approving Reliability Standard CIP-014-2 (the current version of the Reliability Standard). Reliability Standard CIP-014-2 modified Reliability Standard CIP-014-1 by removing the term “widespread” from Requirement R1. Removing the term ensured that:
Applicable entities identify appropriate critical facilities under Requirement R1, and
The electric reliability organization enforces the CIP-014-2 Reliability Standard in a more consistent manner.
The removal of the word “widespread” from Requirement R1 did not change any other aspect of the CIP-014-2 nor the FERC-725U information collection.
Reliability Standard CIP-014-2 requires applicable transmission owners and transmission operators to identify and protect transmission stations and transmission substations, and their associated primary control centers that if rendered inoperable or damaged resulting from a physical attack could result in widespread instability, uncontrolled separation, or cascading within an Interconnection.
In terms of information collection requirements, an applicable entity must create or maintain documentation showing compliance, when appropriate, with each requirement of the Reliability Standard. Reliability Standard CIP-014-2 has six requirements:
Requirement R1 requires applicable transmission owners (TO) to perform risk assessments on a periodic basis3 to identify their transmission stations and transmission substations that, if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Requirement R1 also requires transmission owners to identify the primary control center that operationally controls each of the identified transmission stations or transmission substations. Examples of acceptable evidence may include dated written or electronic documentation of the risk assessment of its transmission stations and transmission substations (existing and planned to be in service within 24 months) that meet the criteria in Applicability Section 4.1.1 as specified in Requirement R1.
Requirement R2 requires that each applicable transmission owner have an unaffiliated third party with appropriate experience verify the risk assessment performed under Requirement R1. Requirement R2 states that the transmission owner must either modify its identification of facilities consistent with the verifier’s recommendation or document the technical basis for not doing so. In addition, Requirement R2 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party verifiers or developed under the Reliability Standard from public disclosure. Examples of acceptable evidence may include dated written or electronic documentation that the transmission owner completed an unaffiliated third party verification of the Requirement R1 risk assessment and satisfied all of the applicable provisions of Requirement R2, including, if applicable, documenting the technical basis for not modifying the Requirement R1 identification as specified under Part 2.3.
Requirement R3 requires the transmission owner to notify a transmission operator (TOP) that operationally controls a primary control center identified under Requirement R1 of such identification to ensure that the transmission operator has notice of the identification so that it may timely fulfill its obligations under Requirements R4 and R5 to protect the primary control center. Examples of acceptable evidence may include dated written or electronic communications that the transmission owner notified each transmission operator, as applicable, according to Requirement R3.
Requirement R4 requires each applicable transmission owner and transmission operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each of its respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. Examples of evidence may include dated written or electronic documentation that the transmission owner or transmission operator conducted an evaluation of the potential threats and vulnerabilities of a physical attack to their respective transmission station(s), transmission substation(s) and primary control center(s) as specified in Requirement R4.
Requirement R5 requires each transmission owner and transmission operator to develop and implement documented physical security plans that cover each of their respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. Examples of evidence may include dated written or electronic documentation of its physical security plan(s) that covers their respective identified and verified transmission station(s), transmission substation(s), and primary control center(s) as specified in Requirement R5, and additional evidence demonstrating implementation of the physical security plan.
Requirement R6 requires that each transmission owner and transmission operator subject to Requirements R4 and R5 have an unaffiliated third party with appropriate experience review its Requirement R4 evaluation and Requirement R5 security plan. Requirement R6 states that the transmission owner or transmission operator must either modify its evaluation and security plan consistent with the recommendation, if any, of the reviewer or document its reasons for not doing so. In addition, Requirement R6 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party reviewers or developed under the Reliability Standard from public disclosure. Examples of evidence may include written or electronic documentation that the transmission owner or transmission operator had an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5 as specified in Requirement R6 including, if applicable, documenting the reasons for not modifying the evaluation or security plan(s) in accordance with a recommendation under Part 6.3.
Transmission owners and transmission operators must keep data or evidence to show compliance with the standard for three years unless directed by its Compliance Enforcement Authority. If a responsible entity is found non-compliant, it must keep information related to the non-compliance until mitigation is complete and approved, or for the three years, whichever is longer.
DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE THE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN
This collection does not require industry to file the information with the Commission. However, FERC-725U does contain information collection and record retention requirements for which using current technology is an option.
The information technology to meet the information collection requirements is not specifically covered in the Reliability Standard.
DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2
The Commission periodically reviews filing requirements concurrent with OMB review or as the Commission deems necessary to eliminate duplicative filing and to minimize the filing burden. The Commission is unaware of any other source of information related to bulk-electric system physical security.
METHODS USED TO MINIMIZE THE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES
In general, small entities may reduce their burden by taking part in a joint registration organization or a coordinated functional registration. These options allow a small entity to share the compliance burden with other entities and, thus, to minimize their own compliance burden. Detailed information regarding these options is available in NERC’s Rule of Procedure at Sections 507 and 5084.
CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY
The paperwork requirements are related with documenting compliance with substantive requirements (including the preparation of a physical security plan), and maintaining such documents. The frequency of the paperwork requirements was vetted and approved by industry consensus in the NERC standard development process and is ultimately meant to support the reliability of the bulk electric system.
EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION
There are no special circumstances related to the FERC-725U information collection.
DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY’S RESPONSE
The ERO process to establish Reliability Standards is a collaborative process with the ERO, Regional Entities, and other stakeholders developing and reviewing drafts and providing comments.5 The NERC-approved Reliability Standards were then submitted by NERC to the FERC for review and approval.
In accordance with OMB requirements, the Commission published a 60-day notice6 and a 30-day notice7 to the public regarding this information collection on 9/1/2017 and 11/1/2017 respectively. Within the public notices, the Commission noted that it would be requesting a three-year extension of the public reporting burden. The Commission received no comments from the public in response to either published notice regarding the FERC-725U information collection.
On 12/15/2017, Commission staff issued an additional 30-day notice8 to correct and to more clearly describe the burden estimate for the multi-year cycle of the FERC-725U (with its significantly varying burden in different years). The revised burden estimates are presented in Question #12 of this supporting statement.
EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS
There are no gifts or payments given to the respondents.
DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS
According to the NERC Rules of Procedure9, “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.
Responding entities do not submit the information collected under the Reliability Standard to FERC. Rather, they maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.
PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE.
This collection does not include any questions of a sensitive nature.
ESTIMATED BURDEN OF COLLECTION OF INFORMATION
The burden for the FERC-725U information collection is estimated based on the five year cycle of the requirements in the Reliability Standard. Over this five-year cycle, annual burden levels fluctuate greatly based on which reporting requirements are implicated each year.
This renewal requests three years of extension/approval. However, using a three-year timespan to calculate the burden would cause the total annual burden to fluctuate in an unrepresentative way because of the mismatch between the Reliability Standard’s five-year cycle and the three-year PRA administrative cycle for extension requests. Some extension requests would propose inordinately high or low burden solely dependent on the timing of the request, not on any actual changes to reporting requirements.
In order to provide the annual burden estimate in a more representative way, Commission staff is:
Calculating the average annual burden using the five-year cycle of the Standard and using that average for Years 1-3 of this extension.
Brief synopsis of the Reliability Standard’s five-year cycle and its relation to Requirements R1-R6 and Record Retention Requirements:
The year stated is the year in this PRA renewal cycle with the requirements imposed during that year.
Year 1 Record Retention only
Year 2: R1, R2, R3, R4, R5, R6, and Record Retention
Year 3: Record Retention only
Year 4: R1, R2, R3, R4, R5, R6, and Record Retention10