RM17-13-000 Final Rule supporting statement

Download: docx | pdf

Supporting Statement for

FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards)

as modified by the Final Rule in Docket RM17-13-000

The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve the FERC-725B information collection (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards) as established by the Final Rule in RM17-13-000¹.

1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY

On August 8, 2005, The Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. EPAct 2005 added a new Section 215² to the Federal Power Act (FPA), which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight. In 2006, the Commission certified the North American Electric Reliability Corporation (NERC) as the ERO pursuant to FPA section 215.³

Pursuant to section 215 of the FPA, the Commission approves Critical Infrastructure Protection (CIP) Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security --- Electronic Security Perimeters(s)), and CIP-010-3 (Cyber Security --- Configuration Change Management and Vulnerability Assessments). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 in response to directives in Order No. 829.⁴ The reliability standards are intended to augment the currently effective CIP Reliability Standards in order to mitigate cybersecurity risks associated with the supply chain for BES Cyber System⁵.

2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

The Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security --- Electronic Security Perimeters(s)), and CIP-010-3 (Cyber Security --- Configuration Change Management and Vulnerability Assessments) are to be used by NERC registered entities to mitigate cybersecurity risks associated with the supply chain for high and medium impact BES Cyber Systems. The NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 288 entities will face an increased paperwork burden under the approved Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3.

3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.

The use of current or improved technology and the medium are not covered in Reliability Standards, and are therefore left to the discretion of each respondent. We think that nearly all of the respondents are likely to make and keep related records in an electronic format. The compliance portals allow documents developed by the registered entities to be attached and uploaded to the Regional Entity’s portal. Compliance data can also be submitted by filling out data forms on the portals. These portals are accessible through an internet browser password-protected user interface.

4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2

Filing requirements are periodically reviewed as OMB review dates arise or as the Commission may deem necessary in carrying out its regulatory responsibilities under the FPA in order to eliminate duplication and ensure that filing burden is minimized. There are no similar sources for information available that can be used or modified for these reporting purposes.

5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES

The Commission estimates one-time and ongoing increases in reporting burden on variety of NERC-registered entities (including Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners) due to the changes in the revised Reliability Standards, with no other increase in the cost of compliance (when compared with the current standards). Approximately 248 of the 288 affected entities are expected to meet the SBA’s definition for a small entity.

The Reliability Standards do not contain provisions for minimizing the burden of the collection for small entities. All the requirements in the Reliability Standards apply to every applicable entity. However, small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity the ability to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC’s Rules of Procedure at Section 1502, Paragraph 2, available at NERCs website.

6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY

The consequences of not collecting the data associated with these Reliability Standards will result in an unmitigated risk from software, hardware and services vulnerabilities present in the supply chain of the NERC registered entities which operate the bulk electric system.

7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION

FERC-725B information collection has no special circumstances.

8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS

Each FERC rulemaking (both proposed and final rules) is published in the Federal Register thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the approved collections of data.

None of the comments received at the NOPR stage pertained to paperwork burden, reporting requirements, or record-keeping costs.

The Final Rule was published⁶ in the Federal Register on 10/26/2018.

9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS

No payments or gifts have been made to respondents.

10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS

According to the NERC Rules of Procedure⁷, “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.

Responding entities do not submit the information collected due to the Reliability Standards to FERC. Rather, they submit the information to NERC, the regional entities, or maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.

11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE

This collection does not contain any questions of a sensitive nature.

12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION

NERC’s Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 will result in one-time and ongoing increases to burden in the reporting requirements imposed on Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, and Transmission Owners.

The burden of the current versions of the standards, which are being replaced, is approved under FERC-725B. The new, approved versions of the standards (also being submitted in the FERC-725B information collection) will impose a burden in addition to the existing burden. The additional estimated burden and cost for FERC-725B due to these approved standards in the Final Rule in RM17-13-000 follow:

RM17-13-000 Final Rule (Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards)
	Number of Respondents (1)	Annual Number of Responses per Respondent (2)	Total Number of Responses (1)*(2)=(3)	Average Burden & Cost Per Response8 (4)	Total Annual Burden Hours & Total Annual Cost (3)*(4)=(5)	Cost per Respondent ($) (5)÷(1)
Create supply chain risk management plan (one-time)9 (CIP-013-1 R1)	288	1	288	546 hrs.; $44,226	157,248 hrs.; $12,737,088	$44,226
Updates and reviews of supply chain risk management plan (ongoing)10 (CIP-013-1 R2)	288	1	288	30 hrs.; $2,430	8,640 hrs.; $699,840	$2,430
Develop Procedures to update remote access requirements (one time) (CIP-005-6 R1-R4)	288	1	288	50 hrs.; $4,050	14,400 hrs.; $1,166,400	$4,050
Develop procedures for software integrity and authenticity requirements (one time) (CIP-010-3 R1-R4)	288	1	288	50 hrs.; $4,050	14,400 hrs.; $1,166,400	$4,050
TOTAL (one-time)			864		186,048 hrs.; $15,069,888
TOTAL (ongoing)			288		8,640 hrs.; $699,840

The estimated burden is averaged over Years 1-3 in the following ways:

• The one-time burden of 186,048 hours will be averaged over three years (186,048 hours ÷ 3 = 62,016 hours/year over three years).

• The ongoing burden of 8,640 hours applies to only Years 2 and beyond. Averaged over Years 1-3 (for ROCIS submission), the annualized ongoing burden is 5,760 hours/year.

• The number of one-time responses is averaged over three years (864 responses in Year One ÷ 3 = 288 responses/year over Years 1-3).

• The number of ongoing responses is 192 (288 responses * 2 = 864 responses ÷ 3 = 192 responses) annually for Years 1-3.

• Annually, the number of responses for both one-time and ongoing responses (accounting for all averaging) is 480 responses/year.

The responses and burden averaged for Years 1-3 will total respectively as follows:

Year 1: 480 responses; 62,016 hours

Year 2: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours

Year 3: 480responses; 62,016 hours + 8,640 hours = 70,656 hours

For submission in ROCIS, the average annual response and burden hour totals for Years 1-3 are:

• Responses: 480/year

• Burden: 67,776 hours/year¹¹

The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: (1) developing the supply chain risk management plan; (2) updating the procedures related to remote access requirements; (3) developing the procedures related to software integrity and authenticity. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to plan and procedure development, while costs in years 2 and 3 will reflect the burden associated with maintaining the Supply Chain Risk Management (SCRM) plan and modifying it as necessary on a 15 month basis¹².

13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS

There are no start-up or other non-labor costs.

Total Capital and Start-up cost: $0

Total Operation, Maintenance, and Purchase of Services: $0

All of the costs in the NOPR are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.

14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT

Any involvement by the Commission is covered under the FERC-725 (OMB Control No. 1902-0255). The data are not submitted to FERC.

The Commission does incur the costs associated with obtaining OMB clearance for FERC-725B collection under the Paperwork Reduction Act (PRA). The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the PRA for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings and orders, other changes to the collection, and associated publications in the Federal Register. FERC estimates the annual cost for this effort to be $4,931.00.

FERC-725B	Number of Employees (FTEs)	Estimated Annual Federal Cost
Analysis of Filings	0	$0
Processing of Filings	0	$0
Paperwork Reduction Act Administrative Cost		$4,931
TOTAL		$4,931

15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE

As the Commission previously recognized, the global supply chain provides the opportunity for significant benefits to customers, including low cost, interoperability, rapid innovation, a variety of product features and choice. However, the global supply chain also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to end users. Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices. The supply chain risk management Reliability Standards submitted by NERC constitute substantial progress in addressing the supply chain cyber security risks identified by the Commission.

NERC registered entities that operate applicable systems listed in Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 must develop and implement:

• one or more method(s) for determining active vendor remote access sessions;

• one or more method(s) to disable active vendor remote access;

• a method to verify the identity of the software source; and the integrity of the software obtained from the software source when the method to do so is available;

• one or more documented supply chain cyber security risk management plan(s) for high and medium impact BES Cyber Systems which must address as applicable

  • Notification by the vendor of vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

  • Coordination of responses to vendor-identified incidents related to the products or services provided to the Responsible Entity that pose cyber security risk to the Responsible Entity;

  • Notification by vendors when remote or onsite access should no longer be granted to vendor representatives;

  • Disclosure by vendors of known vulnerabilities related to the products or services provided to the Responsible Entity;

  • Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System;

  • Coordination of controls for:

    • vendor-initiated Interactive Remote Access;

    • system-to-system remote access with a vendor(s)

  • Each Responsible Entity shall implement its supply chain cyber security risk management plan(s).

A summary of the burden added to FERC-725B information collection due to the Final Rule in RM17-13-000 follows:

FERC-725B	Total Request	Previously Approved	Change due to Adjustment in Estimate	Change Due to Agency Discretion
Annual Number of Responses	223,362	222,882	0	480
Annual Time Burden13	1,996,520	1,928,744	0	67,776
Annual Cost Burden ($)	$0	$0	$0	$0

16. TIME SCHEDULE FOR THE PUBLICATION OF DATA

There are no tabulating, statistical or tabulating analysis or publication plans for the collection of information.

17. DISPLAY OF THE EXPIRATION DATE

The expiration date is displayed in a table posted on ferc.gov at http://www.ferc.gov/docs-filing/info-collections.asp.

18. EXCEPTIONS TO THE CERTIFICATION STATEMENT

There are no exceptions.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	RM17-13 NOPR supporting statement
Author	[email protected]
File Modified	0000-00-00
File Created	2021-01-20