In accordance
with 5 CFR 1320, the information collection is approved.
                              Inventory as of this Action   Requested                 Previously Approved
Expiration date               12/31/2021                    36 Months From Approved   06/30/2021
Annual Number of Responses    223,362                       0                         222,882
Annual Time Burden (Hours)    1,996,520                     0                         1,928,744
Annual Cost Burden (Dollars)  0                             0                         0
The Final Rule in RM17-13-000 approves Reliability Standards CIP-005-6, CIP-010-3, and CIP-013-1. Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)), and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments) are to be used by NERC registered entities to mitigate cybersecurity risks associated with the supply chain for high and medium impact BES Cyber Systems. The NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 288 entities will face an increased paperwork burden under the approved Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3. This Final Rule is being submitted in the FERC-725B information collection (OMB Control No. 1902-0248). The RM17-13-000 NOPR was submitted in the FERC-725B1 information collection because the FERC-725B information collection was under review for an unrelated activity at the time. Because the NOPR and the Final Rule were submitted in different collections, FERC staff must submit this ICR with the Stage of Rulemaking field set to "not associated with rulemaking". Additionally, the NOPR and Final Rule citations and dates are included in the 60-day and 30-day notice fields respectively.
As the Commission previously recognized, the global supply chain provides the opportunity for significant benefits to customers, including low cost, interoperability, rapid innovation, and a variety of product features and choice. However, the global supply chain also gives adversaries opportunities to directly or indirectly affect the management or operations of companies, which may result in risks to end users. Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices. The supply chain risk management Reliability Standards submitted by NERC constitute substantial progress in addressing the supply chain cyber security risks identified by the Commission.

NERC registered entities that operate applicable systems listed in Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 must develop and implement:
- one or more method(s) for determining active vendor remote access sessions;
- one or more method(s) to disable active vendor remote access;
- a method to verify the identity of the software source, and the integrity of the software obtained from that source, when a method to do so is available;
- one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems, which must address, as applicable:
  -- notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  -- coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;
  -- notification by vendors when remote or onsite access should no longer be granted to vendor representatives;
  -- disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;
  -- verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;
  -- coordination of controls for:
     --- vendor-initiated Interactive Remote Access;
     --- system-to-system remote access with a vendor(s).
Each Responsible Entity shall implement its supply chain cyber security risk management plan(s).
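The software source identity and integrity requirement above is stated as an outcome, not a method. The Go program below is an added example written for this page, not code from NERC, FERC, or any vendor. It assumes a vendor that publishes a SHA-256 manifest for each release together with an Ed25519 signature over that manifest, and an entity that pinned the vendor's public key through an out-of-band channel when the vendor was onboarded. The manifest format, the key type, the function names (VerifyArtifact, VendorRelease, ParseManifest) and the sample firmware bytes are all assumptions made for the example; the vendor-side routine only simulates what a real vendor would do in its own release tooling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an artifact file name to its vendor-published SHA-256 digest (hex).
type Manifest map[string]string

// Encode serialises the manifest deterministically (sorted by file name) so the
// bytes the vendor signs are exactly the bytes the entity later verifies.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[n], n)
	}
	return []byte(b.String())
}

// ParseManifest reads the "digest  name" lines produced by Encode.
func ParseManifest(data []byte) (Manifest, error) {
	m := Manifest{}
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		m[parts[1]] = parts[0]
	}
	return m, nil
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrNotListed      = errors.New("artifact is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("artifact digest differs from the signed manifest")
)

// VerifyArtifact performs the two checks the standard asks for before vendor software
// is used in a BES Cyber System:
//   - source identity: the manifest signature verifies under the key pinned out-of-band
//   - integrity: the artifact's SHA-256 matches the entry in that signed manifest
// The signature is checked first: a manifest that is unsigned or signed by someone else
// must never be trusted as the source of "expected" digests, however well a digest matches.
func VerifyArtifact(pinnedVendorKey ed25519.PublicKey, manifestBytes, manifestSig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pinnedVendorKey, manifestBytes, manifestSig) {
		return ErrBadSignature
	}
	m, err := ParseManifest(manifestBytes)
	if err != nil {
		return err
	}
	want, ok := m[name]
	if !ok {
		return ErrNotListed
	}
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// VendorRelease simulates the vendor side (hypothetical; real vendors use their own
// release tooling and formats): hash each artifact, build the manifest, sign it.
func VendorRelease(vendorPriv ed25519.PrivateKey, artifacts map[string][]byte) (manifest, sig []byte) {
	m := Manifest{}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	manifest = m.Encode()
	return manifest, ed25519.Sign(vendorPriv, manifest)
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // pinned during vendor onboarding
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)           // a key that is not the vendor's

	// Constructed sample artifact standing in for a vendor firmware patch.
	release := map[string][]byte{"rtu-fw-4.2.1.bin": []byte("firmware image bytes")}
	manifest, sig := VendorRelease(vendorPriv, release)

	fmt.Println("genuine:", VerifyArtifact(vendorPub, manifest, sig, "rtu-fw-4.2.1.bin", release["rtu-fw-4.2.1.bin"]))
	tampered := append([]byte("firmware image bytes"), 0x00) // byte appended in transit
	fmt.Println("tampered:", VerifyArtifact(vendorPub, manifest, sig, "rtu-fw-4.2.1.bin", tampered))
	rogueSig := ed25519.Sign(rogueKey, manifest) // manifest re-signed by a non-vendor
	fmt.Println("wrong signer:", VerifyArtifact(vendorPub, manifest, rogueSig, "rtu-fw-4.2.1.bin", release["rtu-fw-4.2.1.bin"]))
}
```

The order of the two checks is the point: a digest published beside the download, over the same channel as the file, says nothing about who produced either, so the signature against the pinned key is verified before any digest from the manifest is trusted. Where a vendor offers neither signatures nor checksums, the "when the method to do so is available" qualifier in the requirement applies and there is no technical verification the entity can perform for that artifact.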
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.