RM17-11 Final Rule supporting statement

Download: docx | pdf

Supporting Statement for

FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards)

as modified by the Final Rule in Docket RM17-11

The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards as modified by the Final Rule in RM17-11-000¹. The reporting requirements in the FERC-725B are also contained in FERC’s regulations in 18 Code of Federal Regulations (CFR) Part 40.

1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY

Pursuant to Section 215 of the Federal Power Act (FPA),² the Commission approves Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standard CIP-003-7 in response to directives in Order No. 822.³ The Commission also approves the associated violation risk factors and violation severity levels, implementation plan and effective dates mandated by NERC. In addition, the Commission approves the modified definitions of Transient Cyber Asset and Removable Media as well as the retirement of the definitions for Low Impact External Routable Connectivity (LERC) and Low Impact Electronic Access Point (LEAP) in the NERC Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). Further, the Commission approves the retirement of Reliability Standard CIP-003-6.

Reliability Standard CIP-003-7 addresses the directives in Order No. 822 by:

• Clarifying the obligations pertaining to electronic access control for low impact BES [Bulk Electric System] Cyber Systems;⁴ and

• Adopting mandatory security controls for transient electronic devices (e.g. thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems.

In addition, by requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances for low impact BES Cyber Systems, the Reliability Standard aligns the treatment of low impact BES Cyber Systems with that of high and medium impact BES Cyber Systems, which currently include a requirement for declaring and responding to CIP Exceptional Circumstances. Accordingly, we propose to approve Reliability Standard CIP-003-7 because the modifications improve the base-line cybersecurity posture of responsible entities compared to the current Commission-approved CIP Reliability Standards.

2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

The CIP-003-7 Reliability Standard enhances security controls for low impact BES Cyber Systems by improving electronic access controls and creating security controls for transient electronic assets (TCAs) used at low impact BES Cyber Systems. The NERC Compliance Registry, as of September 2017, identifies approximately 1,320 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,100 entities (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, transmission owners, and certain distribution providers) would be subject to Reliability Standard CIP-003-7.

These entities would be subject to the increased burden related to:

• creation of plans to provide security controls for TCAs to mitigate the risk of malicious code being introduced to low impact BES Cyber System;

• the ongoing review and updating of the plans and documentation that the planned security controls are implemented for TCAs at low impact BES Cyber System;

• modification of plans to provide electronic security controls for low impact BES Cyber Systems; and

• the ongoing review and updating of the plans/documentation for methodology regarding how planned security controls are implemented for low impact BES Cyber System.

The consequences of not creating or maintaining the documents would prevent:

• the implementation and maintenance of electronic access controls for low impact BES Cyber Systems; and

• the mitigation of the risk of malicious code being introduced to low impact BES Cyber System from TCAs.

3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.

This collection does not require industry to file the information with the Commission. However, FERC-725B does contain information collection and record retention requirements for which using current technology is an option.

The information technology to meet the information collection requirements is not specifically covered in the Reliability Standard.

4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2

The Commission periodically reviews filing requirements concurrent with OMB review or as the Commission deems necessary to eliminate duplicative filing and to minimize the filing burden. The Commission is unaware of any other source of information related to bulk-electric system physical security.

5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES

The Commission estimates one-time and ongoing increases in reporting burden on variety of NERC-registered entities (including Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners, and certain Distribution Providers) due to the changes in the revised Reliability Standard, with no other increase in the cost of compliance (when compared with the current standards). Approximately 857 of the 1,100 balancing authorities are expected to meet the Small Business Administration’s definition for a small entity.

This Reliability Standard does not contain provisions for minimizing the burden of the collection for small entities. All the requirements in the Reliability Standard apply to every applicable entity. However, small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity the ability to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC’s Rules of Procedure at Section 1502, Paragraph 2, available at NERCs website.

6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY

The consequences of not creating the documents would prevent 1) the implementation of electronic access controls for low impact BES Cyber Systems and 2) the mitigation of the risk of malicious code being introduced to low impact BES Cyber System from TCAs.

The frequency of modifying or updating the documentation of the plans occurs only when the entities change or modify their security controls for the low impact BES Cyber Systems or TCA used at low impact BES Cyber Systems.

The frequency of documentation that the security controls were implemented and remain implemented, that the entities defined in their plans, is entirely based upon the frequency of the entities using TCA at low impact BES Cyber Systems or otherwise stated in their plans to maintain the security controls that the entity designed or the modification of low impact BES Cyber Systems that impact the security controls.

7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION

FERC-725B information collection has no special circumstances.

8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS

Each FERC rulemaking (both proposed and final rules) is published in the Federal Register thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the proposed collections of data.

The Commission solicited comments at the NOPR stage⁵. None of the comments received pertained to paperwork burden.

The Final Rule was published⁶ in the Federal Register on 4/25/2018.

9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS

No payments or gifts have been made to respondents.

10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS

According to the NERC Rules of Procedure⁷, “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.

Responding entities do not submit the information collected due to the Reliability Standards to FERC. Rather, they submit the information to NERC, the regional entities, or maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.

11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE

These collections do not contain any questions of a sensitive nature.

12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION

NERC’s revisions to Reliability Standard CIP-003-7 will result in one-time and ongoing increases to burden in the reporting requirements imposed on Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners, and certain Distribution Providers.

The estimated changes to the burden and cost for FERC-725B due to the approved modifications in the Final Rule in RM17-11 follow:

RM17-11-000 Final Rule (Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards)
	Number of Respondents (1)	Annual Number of Responses per Respondent (2)	Total Number of Responses (1)*(2)=(3)	Average Burden & Cost Per Response8 (4)	Total Annual Burden Hours & Total Annual Cost (3)*(4)=(5)	Cost per Respondent ($) (5)÷(1)
Create low impact TCA assets plan (one-time)9	1,100	1	1,100	20 hrs.; $1,680	22,00010 hrs.; $1,848,000	$1,680
Updates and reviews of low impact TCA assets (ongoing)11	1,100	30012	330,000	1.5 hrs.13; $126	495,000 hrs.; $41,580,000	$37,800
Update/modify documentation to remove LERC and LEAP (one-time)8	1,100	1	1,100	20 hrs.; $1,680	22,0009 hrs.; $1,848,000	$1,680
Update paperwork for access control implementation in Section 214 and Section 315 (ongoing)10	1,100	1	1,100	20 hrs.; $1,680	22,0009 hrs.; $1,848,000	$1,680
TOTAL (one-time)8			2,200		44,00016 hrs.; $3,696,000
TOTAL (ongoing)10			331,100		517,00017 hrs.; $43,428,000

The one-time burden of 44,000 hours will be averaged over three years (44,000 hours ÷ 3 = 14,667 hours/year over three years). The number of responses is also averaged over three years (2200 responses ÷ 3 = 733.3 responses/year).

The ongoing burden of 517,000 hours/year applies for only Years 2 and beyond. Similarly, the number of responses is also averaged over three years (2200 responses (one-time) + (331,100 responses (Year 2) + 331,100 (Year 3)) ÷ 3 = 221,467¹⁸).

The responses and burden for Years 1-3 will total respectively as follows:

Year 1: 221,467 responses; 14,667 hours

Year 2: 221,467 responses; 14,667 hours + 517,000 hours = 531,667 hours

Year 3: 221,467 responses; 14,667 hours + 517,000 hours = 531,667 hours

For submission in ROCIS the averages over Years 1-3 are:

• Annual burden approved by the Final Rule in RM17-11-000 is 359,334¹⁹ hours. [(14,667 hours + ((517,000 hours + 14,667 hours) * 2)) ÷ 3] = 359,334¹⁹ hours.

• Annual number of responses approved by the Final Rule in RM17-11 is 221,467. [2200 responses (one-time) + (331,100 responses (Year 2) + 331,100 (Year 3)) ÷ 3 = 221,467¹⁸)]

13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS

There are no start-up or other non-labor costs.

Total Capital and Start-up cost: $0

Total Operation, Maintenance, and Purchase of Services: $0

All of the costs in the Final Rule are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.

14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT

The Regional Entities and NERC do most of the data processing, monitoring and compliance work for Reliability Standards; the burden and cost are included under the FERC-725 collection (OMB Control No. 1902-0225) and are not part of this request or package. Any involvement by the Commission is covered under the FERC-725 collection (OMB Control No. 1902-0225) and is not part of this request or package.

The estimated annualized cost to the Federal Government for FERC-725B follows:

FERC-725B	Number of Employees (FTEs)	Estimated Annual Federal Cost
Analysis of Filings	0	$0
Processing of Filings	0	$0
Paperwork Reduction Act Administrative Cost20		$5,723
TOTAL		$5,723

15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE

The CIP-003-7²¹ Reliability Standard clarifies, consolidates, streamlines, and enhances the previous Reliability Standard (CIP-003-6) and its related reporting requirements that subject affected entities to the increased burden of:

• creation of plans to provide security controls for TCAs to mitigate the risk of malicious code being introduced to low impact BES Cyber System;

• ongoing review and updating of the plans and documentation that the planned security controls are implemented for TCAs at low impact BES Cyber System;

• modification of plans to provide electronic security controls for low impact BES Cyber Systems; and

• ongoing review and updating of the plans and documentation that the planned security controls are implemented for low impact BES Cyber System.

Other factors that impact the burden are the frequency of:

• the entity modifying or updating their security controls for the low impact BES Cyber Systems or TCA used at low impact BES Cyber Systems;

• modification of low impact BES Cyber Systems that impact the security controls; and

• using TCA at low impact BES Cyber Systems.

A summary of the current OMB-approved inventory and the changes to FERC-725B information collection due to the Final Rule in RM17-11 follows:

FERC-725B	Total Request	Previously Approved	Change due to Adjustment in Estimate	Change Due to Agency Discretion
Annual Number of Responses	222,881	1,415	0	221,467
Annual Time Burden22	1,928,744	1,569,410	0	359,334
Annual Cost Burden ($)	$0	$0	$0	$0

16. TIME SCHEDULE FOR THE PUBLICATION OF DATA

There are no tabulating, statistical or tabulating analysis or publication plans for the collection of information.

17. DISPLAY OF THE EXPIRATION DATE

The expiration date is displayed in a table posted on ferc.gov at http://www.ferc.gov/docs-filing/info-collections.asp.

18. EXCEPTIONS TO THE CERTIFICATION STATEMENT

There are no exceptions.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	RM17-11 Final Rule supporting statement
Author	[email protected]
File Modified	0000-00-00
File Created	2021-01-21