Order on Compliance Filings issued 1 19 2021


FERC-725, Certification of Electric Reliability Organization; Procedures for Electric Reliability Standards, as revised at RM21-12-000


OMB: 1902-0225


174 FERC ¶ 61,030

UNITED STATES OF AMERICA

FEDERAL ENERGY REGULATORY COMMISSION


Before Commissioners: James P. Danly, Chairman; Neil Chatterjee, Richard Glick, Allison Clements, and Mark C. Christie.


North American Electric Reliability Corporation        Docket No. RR19-7-001


ORDER ON COMPLIANCE FILINGS


(Issued January 19, 2021)


  1. On June 1, 2020 and September 28, 2020, the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted compliance filings in accordance with the Commission’s order accepting NERC’s 2019 Five-Year Performance Assessment.1 In addition to providing the required information on its various programs, NERC requests Commission approval of its proposal to replace the audits contemplated in Appendix 4A of the NERC Rules of Procedure, and requests approval of modifications to its Rules of Procedure related to: (1) the Electricity Information Sharing and Analysis Center (E-ISAC) (section 1003); (2) Sanction Guidelines (Appendix 4B); and (3) Registration and Certification (section 500 and Appendices 2, 5A, 5B, and 5C).

  2. We approve NERC’s proposed modifications to its Rules of Procedure related to: (1) the E-ISAC (section 1003); (2) Sanction Guidelines (Appendix 4B); and (3) Registration and Certification (section 500 and Appendices 2, 5A, 5B, and 5C). However, for the reasons discussed below, the Commission denies NERC’s proposal to replace its Appendix 4A audit process with an alternative program and directs NERC to submit completed reports on its audits of all six Regional Entities by June 30, 2023. We accept NERC’s description of its Reliability Guidelines process, its explanation on E-ISAC operations, and its explanation of its All Points Bulletins (APBs) issuances; however, we direct NERC to submit a further compliance filing within 120 days of this order that: (1) further clarifies information sharing between NERC and the E-ISAC, including the gap analysis process that is currently under development; and (2) revises its Rules of Procedure to explicitly require that NERC must share all APBs with the Commission no later than at the time of issuance.

  I. Performance Assessment Order

  1. Section 215(c) of the Federal Power Act (FPA) requires the ERO to develop and enforce mandatory Reliability Standards that provide for an adequate level of reliability of the Bulk-Power System.2 Order No. 672 amended the Commission’s regulations to implement the requirements of FPA section 215, and, among other things, requires the ERO to submit periodic assessments of its performance every five years.3 On July 22, 2019, NERC filed its Five-Year ERO Performance Assessment Report (2019 Performance Assessment) as required by Commission regulations.

  2. On January 23, 2020, the Commission issued an order accepting NERC’s 2019 Performance Assessment, finding that NERC continues to satisfy the statutory and regulatory criteria for certification as the ERO, and finding that the Regional Entities continue to satisfy applicable statutory and regulatory criteria. In addition, the Commission directed NERC to submit two compliance filings to: (1) provide additional information on NERC’s oversight of the Regional Entities’ Compliance Monitoring and Enforcement Program (CMEP) activities, the reliability guideline development process, the E-ISAC, and the development and issuance of APBs; and (2) make certain modifications to its Rules of Procedure regarding the E-ISAC, the NERC Sanction Guidelines, and the NERC Organization Certification Program.

  3. With regard to NERC’s oversight of the Regional Entities’ CMEP activities, the Commission noted that, from 2011 through the end of 2018, NERC may not have performed comprehensive audits of the Regional Entities to assess their conformance to the NERC CMEP, as required by both NERC’s Rules of Procedure and regional delegation agreements. In the Performance Assessment Order, the Commission directed NERC to submit the following:

(1) a definitive statement of whether NERC has performed any audits of the Regional Entities during the performance assessment period covering the scope of Appendix 4A, and if so, provide its audit reports in compliance with its Rules of Procedure; and (2) if it has not performed such audits, provide a plan to perform those audits within the next 18 months and going forward. If NERC would like to implement an alternative oversight process for the Regional Entities that it believes is as efficient and effective as the comprehensive [Appendix 4A] audits conducted every five years, then its compliance filing should include a detailed explanation of how its oversight process accomplishes the aims of Order No. 672.4

  1. The Commission also directed NERC to provide additional detail regarding its NERC Reliability Guidelines, specifically: (1) its guidance development process, including how and when it evaluates the need to develop, approve, and post a guideline document; (2) the methodology and metrics NERC proposes to use to determine if that guidance document is addressing the risks that led to its development; and (3) how and at what interval NERC will evaluate whether components of guidance documents should be incorporated into the Reliability Standards.5

  2. Regarding the E-ISAC, the Commission directed NERC to file additional information on: (1) how NERC receives information from the E-ISAC and how the E-ISAC determines what data to share with NERC; (2) once NERC receives such information, what NERC does with the information and how NERC determines whether such information is used to develop or inform the development of Reliability Standards; (3) the oversight role of the Member Executive Committee (an advisory group formed out of the Electricity Subsector Coordinating Council (ESCC)); (4) the development of E-ISAC’s performance metrics and how they assist NERC in its oversight responsibility of the E-ISAC; and (5) the development and issuance of APBs.

  3. With regard to the second compliance filing, the Commission directed NERC to propose updates to: (1) section 1003 of its Rules of Procedure to correct any inconsistencies, particularly regarding the ESCC, and to reflect current operational practices and oversight of the E-ISAC;6 (2) its Sanction Guidelines to provide more transparency as to how NERC and the Regional Entities apply the Base Penalty, Adjustment Factors and Non-Monetary Sanctions;7 and (3) to include in the certification process: (A) an updated scope section covering the tools and skills needed to perform the registered function; (B) the minimum criteria for certification, including verification that the entity’s tools, personnel, facilities, and processes can fully support the function; and (C) a mechanism to reject the request for certification if the entity does not meet the requirements for certification. The Commission also directed NERC to consider whether it should permit a conditional approval of an entity that does not meet the requirements for certification if it includes an approved mitigation plan.8

  II. NERC’s Compliance Filings

  1. On June 1, 2020, NERC submitted its first compliance filing.9

  2. On September 28, 2020, NERC submitted its second compliance filing.10

  III. Notice of Filings and Responsive Pleadings

  1. Notice of NERC’s June Compliance Filing was issued on June 3, 2020, and published in the Federal Register, 85 Fed. Reg. 35,303 (June 9, 2020), with comments due on or before June 22, 2020. Public Citizen filed timely joint comments with the National Association of State Utility Consumer Advocates (NASUCA) (jointly, Consumer Advocates).11

  2. Notice of NERC’s September Compliance Filing was issued on September 30, 2020, and published in the Federal Register, 85 Fed. Reg. 63,109 (Oct. 6, 2020) with comments due on or before October 19, 2020. No interventions or comments were filed.

  IV. Discussion

  1. We accept NERC’s June Compliance Filing’s discussion addressing Reliability Guidelines and the E-ISAC. However, we reject NERC’s proposal to change its Rules of Procedure to remove the Appendix 4A audit requirements, combining them with sections 406 and 506. We accept NERC’s description of its Reliability Guidelines process and its explanation on E-ISAC operations. We accept NERC’s September compliance filing and approve NERC’s proposed modifications to its Rules of Procedure: (1) the E-ISAC (section 1003); (2) Sanction Guidelines (Appendix 4B); and (3) Registration and Certification (section 500 and Appendices 2, 5A, 5B, and 5C). In addition, we accept NERC’s description of its APBs. However, as discussed below, we direct NERC to modify its Rules of Procedure to explicitly require NERC to share all APBs with the Commission no later than the time of issuance.

    A. Periodic Regional Entity CMEP Audits

June Compliance Filing

  1. In the June Compliance Filing, NERC states that it has completed two audits of the Regional Entities during the period and that they were limited to the areas of the CMEP related to: (1) confidential information and conflict of interest procedures; and (2) internal controls evaluations of registered entities.12 NERC included the audit report from the confidential information audit but not from the internal controls evaluations. NERC adds that it completed two non-CMEP audits of the Regional Entities’ event analysis processes and FPA section 215 accounting for non-statutory activities. NERC included the two non-CMEP audit reports with the non-public compliance filing.

  2. Rather than providing a plan to complete Appendix 4A audits within an 18-month period, NERC elected to propose changes to its internal audit process. NERC describes modifications that it would make to its Rules of Procedure to implement the proposal. Specifically, NERC proposes to: (1) expand the scope of sections 406 and 50613 in the Rules of Procedure to encompass CMEP and Organization Registration and Certification Program (ORCP) activities; (2) clarify that sections 406 and 506 allow for participants from its Compliance and Certification Committee and applicable governmental authorities (e.g., the Commission); (3) delete the procedural and substantive requirements of Appendix 4A; and (4) make conforming changes eliminating all references to Appendix 4A.

  3. NERC’s June Compliance Filing proposes that its internal audit department conduct audits of both NERC and the Regional Entities. Under NERC’s proposal, NERC’s internal auditors would evaluate not only NERC’s CMEP and ORCP, but also NERC’s relationship with the Regional Entities’ CMEP programs. NERC proposes that its audits of the Regional Entities would examine what NERC calls the “regulatory programs” (i.e., CMEP, ORCP, and Bulk Electric System Exceptions) at least once every three years.14 These audits may, but would not be required to, use an independent auditor and would take place at NERC, without Appendix 4A’s site visits.15 NERC explains that the audits would examine “shall statements” related to the regulatory programs and its internal audit department would “determine the specific scope of each audit in collaboration with any independent auditors and participating observers.”16 NERC proposes submitting the resulting audit reports to the Commission after providing them to the NERC Board of Trustees.

  4. NERC states that its proposal is consistent with the requirements of Order No. 672 because it provides for “(i) Audits within a defined frequency; (ii) Commission visibility into results (i.e., submission of audit reports); and (iii) Commission participation in any audit of Regional Entities.”17 NERC explains it believes its proposal is more effective and efficient than a single five-year audit because including regulatory program audits within NERC’s independent audit of CMEP and ORCP activities will “support a robust, independent, audit that is consistent with the intent in Order No. 672, while enhancing frequency of audits, increasing efficiency, and streamlining procedures.”18

Commission Determination

  1. While the Performance Assessment Order permitted NERC to propose an alternative oversight program for the Regional Entities, we find that NERC failed to demonstrate that its proposed alternative oversight program would accomplish the aims of Order No. 672.19 Although NERC’s proposal provides for a defined audit frequency, submittal of audit reports to the Commission, and Commission staff participation, we find that it does not sufficiently assess the Regional Entities’ compliance and performance.20

  2. The alternative proposal is insufficient in that it limits the scope of audits of the Regional Entities to evaluations of whether “shall statements” associated with the Rules of Procedure and the regional delegation agreements are met. Unlike in Appendix 4A, NERC does not propose any required scope or procedural rules, but instead explains that NERC internal audit will determine the scope of the audits. In addition, NERC’s proposal effectively reduces the scope of the required audits and fails to consider that, in accordance with the existing Rules of Procedure, audits of Regional Entities must be qualitative reviews with the objective of ensuring consistency and fairness of the Regional Entities’ CMEPs.

  3. While NERC maintains that its proposed audit process would identify and evaluate compliance with “shall statements” in the NERC Rules of Procedure and other documents, NERC’s description of its audit or oversight activities does not explain how NERC’s alternative process considers risk in the determination of elements to review, the timing of audit activities, or how it would assess the quality of audited Regional Entities’ performance. Moreover, NERC does not explain how its internal audit department will prioritize sections of the Rules of Procedure for audit, nor does it provide examples of past audits conducted pursuant to sections 406 and 506 to consider.

  4. The aims of Order No. 672 include the mandate that the ERO “retains responsibility to ensure that a Regional Entity implements its enforcement program in a consistent manner . . . .”21 Appendix 4A satisfies the requirements of Order No. 672 by providing defined content and procedures for NERC audits of the Regional Entities’ CMEPs. In lieu of Appendix 4A, NERC proposes that a single entity within NERC, referred to as “internal audit,” will: (1) audit the success and effectiveness of NERC’s [CMEP] (which under current NERC Rules of Procedure section 406 is performed by an independent auditor); (2) “evaluate the relationship between NERC and the Regional Entity [CMEPs] and the effectiveness of the [Regional Entity CMEPs] in ensuring reliability;” and (3) evaluate the Regional Entities’ CMEPs. In addition to the potential conflict of NERC evaluating its own CMEP and its relationship with the Regional Entities, a single audit evaluating NERC’s and the Regional Entities’ CMEPs at the same time would appear to erode the ERO/Regional Entity structure required by Order No. 672.

  5. For these reasons, we reject NERC’s proposal to change its Rules of Procedure to remove the Appendix 4A audit requirements, combining them with sections 406 and 506. We direct NERC to complete Regional Entity audits consistent with section 402 and Appendix 4A and provide the resulting audit reports to the Commission by June 30, 2023. Consistent with Appendix 4A, Commission staff shall be given the opportunity to participate in the audits as observers.

    B. Reliability Guidelines

June Compliance Filing

  1. NERC’s June Compliance Filing presents a new framework to formalize how NERC will address known and emerging risks and evaluate what tool(s) or sequence of tool(s) are most appropriate to address each risk. NERC describes this six-step framework as: (1) risk identification; (2) risk prioritization; (3) mitigation identification and evaluation; (4) deployment; (5) measurement of success; and (6) monitoring.22 NERC explains that it will use steps one through three to determine whether a potential risk is best addressed through a voluntary Reliability Guideline, a Reliability Standard, or some other method. NERC provides examples of methods to identify risks and factors to prioritize risks for mitigation. NERC explains that mitigation activities could include Reliability Standards, Reliability Guidelines, Technical Engagements, Reliability Assessments, Alerts, and other potential mechanisms. NERC examines the likelihood and impact of reliability risks, dividing all risks into four categories: high likelihood-high impact; high likelihood-low impact; low likelihood-high impact; and low likelihood-low impact. NERC provides example tools for how it would mitigate risks that fall into these four categories, with Reliability Standards as a potential tool for only the high impact categories and Reliability Guidelines as a potential tool for all but high impact-high likelihood.23

  2. NERC explains that its Reliability and Security Technical Committee (RSTC) Charter has combined the procedures for developing Reliability Guidelines under its areas of responsibility. NERC explains that all Reliability Guidelines go through public comment and RSTC approval before being posted on NERC’s website. After a Guideline is posted, the RSTC would assess industry’s implementation and the effectiveness of the Guideline.

  3. NERC explains that its RSTC will assess the implementation and effectiveness of all new or revised Reliability Guidelines two years after receiving RSTC approval.24 NERC intends to apply a methodology to evaluate whether a Reliability Guideline is sufficient to address a risk to reliability. The methodology would assess metrics surrounding how the Bulk-Power System performed before and after a Reliability Guideline was posted, based on long-term and seasonal reliability assessments. Finally, NERC stated that it would develop metrics specific to each Reliability Guideline through its design, triennial review, and any resulting revision.25 NERC’s RSTC has the initial responsibility of working through the six-step framework and evaluating the performance of Reliability Guidelines, which NERC would then evaluate after receiving the RSTC’s recommendations.

Commission Determination

  1. The June Compliance Filing is the first time NERC has identified a framework for evaluating voluntary Reliability Guidelines. We find that NERC’s June Compliance Filing, including its commitment to conduct triennial reviews of its Reliability Guidelines,26 addresses our directives by providing a high level plan for evaluating whether a Reliability Guideline is appropriate for a given risk and assessing the efficacy of each Reliability Guideline to determine whether there is a need for further updates or modifications or whether they should be converted into Reliability Standards. In that vein, we clarify our expectation that NERC will use its voluntary Reliability Guidelines as a tool to support its Reliability Standards or in situations where it lacks sufficient technical support to draft a technically correct Reliability Standard, but not as a substitute for Reliability Standards. NERC’s statutory authority as the ERO is to develop and enforce mandatory Reliability Standards.

    C. E-ISAC Data-Sharing, Oversight, and Performance Metrics

June Compliance Filing

  1. NERC’s June Compliance Filing clarifies that the E-ISAC can share sanitized (i.e., with entity-specific details redacted) information with NERC, and by extension, NERC’s Standards department.27 NERC describes its intent to enhance the coordination between the E-ISAC and the NERC Standards department by increasing knowledge exchange between subject matter experts in the E-ISAC and the ERO Enterprise, initiating quarterly meetings between the E-ISAC and Standards department personnel to discuss E-ISAC information, subject to the Code of Conduct restrictions. NERC adds that the E-ISAC may share with the NERC Standards department any mandatory reports submitted to the E-ISAC in accordance with the Critical Infrastructure Protection Reliability Standard CIP-008 (Cyber Security – Incident Reporting and Response Planning). NERC also commits to establishing a process whereby Standards personnel and ERO Enterprise subject matter experts for CIP Reliability Standards review E-ISAC information, subject to the Code of Conduct restrictions, and perform a reliability gap analysis.

  2. NERC clarifies that the Members Executive Committee (MEC) has influence on the E-ISAC as an advisory body only and does not possess any approval power. NERC explains that the MEC may propose or endorse action for the E-ISAC, but that the NERC Board of Trustees is ultimately responsible for approving those actions—and NERC management for implementing them. NERC states that “[t]he ESCC’s and the MEC’s expectation is that NERC management and the NERC Board give due consideration to the MEC’s proposals and endorsements within the context of fulfilling its legal and fiduciary obligations.”28

  3. NERC further explains in its filing that the E-ISAC’s metrics measure the E-ISAC’s performance against the three pillars of the E-ISAC Long-Term Strategic Plan and its effectiveness in carrying out the key activities underlying the plan: (1) engagement; (2) information sharing; and (3) analysis. NERC also lays out plans to evolve its E-ISAC performance metrics over time into a mix of quantitative and qualitative measurements as the program progresses and data sources mature.

Commission Determination

We find that NERC has responded to the directives in the Performance Assessment Order and therefore accept NERC’s clarification and additional detail.29 Representing 37.9 percent of NERC’s FPA section 215 funding for the 2021 fiscal year,30 the E-ISAC fills an important role in ensuring the ongoing security of the Bulk-Power System. Through its activities, it is poised to discover emerging threats that could be addressed, in part, through new or modified Reliability Standards. We accept NERC’s clarifications, NERC’s stated intent to improve coordination between the E-ISAC and NERC, and NERC’s commitment to create a process to perform a gap analysis for the Reliability Standards. However, because we are unsure how the E-ISAC Code of Conduct and its limitations prohibiting information sharing with NERC Reliability Standards personnel may restrict this activity, we will require NERC to submit an additional compliance filing within 120 days of the date of this order that outlines this process.

    D. Rules of Procedure Revisions Regarding E-ISAC

September Compliance Filing

  1. NERC proposes changes to its Infrastructure Security Program in section 1003 of the NERC Rules of Procedure. The proposed modifications clarify that NERC operates the E-ISAC on behalf of the electricity sector. NERC also defines the ESCC as serving as the “primary security communications channel for the electricity sector,” explaining that it “enhances the sector's ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents.”31 The proposed modifications add that the E-ISAC is required to coordinate with the ESCC in addition to other sectors and councils.32

Commission Determination

  1. The Commission directed NERC to propose updates to section 1003 of its Rules of Procedure to correct any inconsistencies, particularly regarding the ESCC, and to reflect current operational practices and oversight of the E-ISAC.33 We find NERC met the requirements of the Commission directive and we approve the proposed modifications to NERC’s Rules of Procedure, section 1003.

    E. Rules of Procedure Revisions Regarding Sanction Guidelines

September Compliance Filing

  1. NERC’s proposed revisions detail how it and the Regional Entities determine the base penalty amount within the range based on Violation Risk Factor and Violation Severity Level and other documented factors. NERC identifies what aggravating and mitigating factors can affect the monetary penalty and describes the potential ranges for each factor, and whether or how non-monetary penalties will be considered in reaching the final monetary penalty amount. NERC also addresses how it and the Regional Entities calculate a single penalty for multiple violations by a single entity, consider the violator’s financial ability to pay the penalty so that no penalty is inconsequential to the violator to whom it is assessed, and how to assess a penalty when dealing with multiple subsidiaries of a parent corporation that commit the same violations. NERC states that other revisions include conforming changes and clarifications to accurately reflect the current practices of NERC and the Regional Entities in the development of monetary and non-monetary penalties.

Commission Determination

  1. In the Performance Assessment Order, the Commission directed NERC to provide more transparency in its Sanction Guidelines as to how NERC and the Regional Entities apply the Base Penalty, Adjustment Factors, and Non-Monetary Sanctions.34 We find NERC has provided more clarity and transparency into the penalty assessment process, and thus we accept the proposed modifications to the NERC Sanction Guidelines.

    F. Rules of Procedure Revisions Regarding NERC Organization Registration and Certification Program

September Compliance Filing

  1. NERC explains that it is adding new subsections to the existing certification process section, which includes how NERC addresses the Commission’s directives on Certification. NERC proposes modifications to its registration and certification procedures in its Rules of Procedure section 500 and Appendices 2, 5A, 5B, and 5C. To address the requirement to include an updated scope section, NERC added that certification activities would “assess the processes, procedures, tools, and training”35 that the entities use in performing their functions. To address the Commission’s directive for a mechanism to reject a request for certification, NERC added that a Regional Entity may reject an application if the entity fails to meet registry criteria or is unable to comply with the relevant NERC Reliability Standards for its functions.36 NERC also added a section to require a timeline with specific milestones for the Certification process. To address the Commission’s directive regarding conditional approvals, NERC added that it can issue a conditional certification to allow an entity to begin operation for a function for which it is not fully approved if an interim transition is warranted. The conditional acceptance is based on the entity’s ability to manage the function with limited risk while completing an implementation plan to address the identified shortcomings. This conditional certification requires review of the impacts of an entity being delayed or failing to be certified and requires an implementation plan to address delayed or failed certification to prevent gaps in reliability coverage.37

Commission Determination

  1. The Performance Assessment Order directed NERC to include in the certification process: (1) an updated scope section covering the tools and skills needed to perform the registered function; (2) the minimum criteria for certification, including verification that the entity’s tools, personnel, facilities, and processes can fully support the function; and (3) a mechanism to reject the request for certification if the entity does not meet the requirements for certification. The Commission also directed NERC to consider whether it should permit a conditional approval of an entity that does not meet the requirements for certification if it includes an approved mitigation plan.38 We find that NERC met the requirements of the Commission directive and we approve the proposed modifications to its Rules of Procedure section 500 and Appendices 2, 5A, 5B, and 5C.

    G. Critical Broadcast Program and All Points Bulletins

September Compliance Filing

  1. NERC’s September Compliance Filing explains the purpose of the Critical Broadcast Program (CBP) is to “provide for the rapid dissemination of critical security information to electricity sector asset owners and operators as security threats and attacks develop, and critical, time-sensitive security information becomes available.”39 NERC explains that because cyber and physical security threats and attacks develop quickly, the CBP provides an “established approach for sharing time-sensitive information with electricity sector asset owners and operators to help them prevent an imminent cyber or physical attack on the grid, reduce the scope of a successful attack, or implement ongoing measures to defend against an attack.”40 A CBP communication could take the form of a conference call or webinar with relevant entities or the issuance of a written document, referred to as an APB, posted on the E-ISAC portal or disseminated through other channels “as deemed appropriate” by the E-ISAC given the facts and circumstances presented.

  2. NERC explains the process for activating the CBP involves: (1) a threshold for activation such as “reports from governmental partners, E-ISAC members, and private-sector partners” or disclosure of cyber vulnerabilities; (2) approving activation, while any E-ISAC staff can start the process of developing an APB, the NERC officer responsible for the E-ISAC makes the final approval—and the NERC President must be informed prior to activation; (3) a targeted audience based on the nature and target of the threat or attack (e.g., all or select groups of asset owners, government, cross-sector partners, executive level or cyber experts, etc.); (4) methods of communication, as NERC explains: “[w]hen activating the CBP, the E-ISAC, as time permits, also works with its governmental partners and the ESCC to share critical information and enhance situational awareness;” and (5) timing of communication where the E-ISAC then determines when to communicate, adding that the E-ISAC aims to communicate within six hours of its awareness of a developing security threat.41

  3. NERC explains that the CBP “works in conjunction with, and complements other information sharing mechanisms, such as the NERC Alert process.”42 It differentiates the two because it considers the NERC Alert process to be a more “deliberative and collaborative process for developing a more detailed analysis of security risks and mitigation approaches.”43 NERC adds that issuing an APB does not exclude also developing a NERC Alert or other communication. NERC points to four factors it uses to determine whether to activate the CBP versus a NERC Alert process: (1) the time-sensitive nature of the information; (2) the need for flexibility in the method of communications; (3) the audience; and (4) the need for an industry response.44

Commission Determination

We find NERC’s September Compliance Filing addresses the Commission directive to clarify its APB processes. However, to ensure the Commission is properly informed of any cyber and physical security threats and attacks communicated through APBs, we will require NERC to modify its Rules of Procedure to explicitly require NERC to share all APBs with the Commission no later than the time of issuance.45 We will require NERC to file such revisions to its Rules of Procedures within 120 days of the date of this order. Due to the time sensitivity of APBs, we will not require at this time that NERC provide advance notice to the Commission prior to issuance; however, when possible, we expect NERC to share APBs with the Commission prior to their issuance.

The Commission orders:

  1. The Commission hereby accepts NERC’s compliance filings, as discussed in the body of this order.

  2. The Commission hereby denies NERC’s request to modify its Appendix 4A audit requirements, as discussed in the body of this order.

  3. The Commission hereby approves NERC’s Rules of Procedure modifications, as discussed in the body of this order.

  4. The Commission hereby directs NERC to submit its Appendix 4A audit reports by June 30, 2023, as discussed in the body of this order.

  5. The Commission hereby directs NERC to submit a compliance filing within 120 days, as discussed in the body of this order.

By the Commission.


( S E A L )




Kimberly D. Bose,

Secretary.


1 North American Electric Reliability Corp., 170 FERC ¶ 61,029, at PP 54, 59, 68, 70, and 72 (2020) (Performance Assessment Order).

2 16 U.S.C. 824o(c).

3 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, 114 FERC ¶ 61,104, at P 186, order on reh’g, Order No. 672-A, 114 FERC ¶ 61,328 (2006).

4 See, e.g., Order No. 672, 114 FERC ¶ 61,104 at P 773.

5 Performance Assessment Order, 170 FERC ¶ 61,029 at P 59.

6 Id. P 74.

7 Id. P 81.

8 Id. P 86.

9 North American Electric Reliability Corp., Compliance Filing in Response to the Order on the Five-Year Performance Assessment, Docket No. RR19-7-001 (June 1, 2020) (June Compliance Filing).

10 North American Electric Reliability Corp., Second Compliance Filing of the North American Electric Reliability Corporation in Response to the Order on the Five-Year Performance Assessment, Docket No. RR19-7-001 (September 28, 2020) (September Compliance Filing).

11 Consumer Advocates “suggest[] reforms to enhance representation for household consumers and strengthen governance.” Consumer Advocates Comments at 1. We dismiss Consumer Advocates’ comments as outside the scope of this proceeding, as they do not address whether the June Compliance Filing complies with the Commission’s directives in the Performance Assessment Order.

12 June Compliance Filing at 7.

13 Sections 406 and 506 address independent audits only of NERC. In section 406, NERC must provide for an independent audit (conducted by independent expert auditors as selected by the Board) of its CMEP at least once every three years, or more frequently as determined by the Board. The independent audit must meet the following minimum requirements and any other requirements established by the NERC Board: (1) effectiveness, i.e., section 406 requires the audit to “evaluate the success and effectiveness of the NERC [CMEP] in achieving its mission;” and (2) relationship, i.e., section 406 requires the audit to “evaluate the relationship between NERC and the Regional Entity [CMEPs] and the effectiveness of the programs in ensuring reliability.”

14 June Compliance Filing at 9.

15 Id.

16 Id. at 10.

17 Id. at 9.

18 Id. at 11.

19 See, e.g., Order No. 672, 114 FERC ¶ 61,104 at P 773.

20 Id.

21 Id. P 486.

22 June Compliance Filing at 13.

23 Id. at 17.

24 Id. at 18.

25 Id. at 19.

26 We expect NERC to inform the Commission on the results of its first triennial review, either upon completion of the review or as part of its next Performance Assessment filing.

27 Id. at 20-22.

28 Id. at 27.

29 We address the directive concerning APBs in a later section.

30 See NERC 2021 Budget Filing, Attachment 2 at 1, North American Electric Reliability Corp., Docket RR20-6-000 (Aug. 24, 2020).

31 September Compliance Filing at 261.

32 Id. at 16.

33 Performance Assessment Order, 170 FERC ¶ 61,029 at P 74.

34 Id. P 81.

35 September Compliance Filing at 13.

36 Id. at 14.

37 Id. at 15.

38 Performance Assessment Order, 170 FERC ¶ 61,029 at P 86.

39 September Compliance Filing at 29.

40 Id.

41 Id. at 30.

42 Id.

43 Id.

44 Id. at 31.

45 See 16 U.S.C. 824o(f) (“The Commission, upon its own motion or complaint, may propose a change to the rules of the ERO . . . .”).

