FERC-725U (OMB Control No.: 1902-0274)
Supporting Statement for
FERC-725U, Mandatory Reliability Standards: Reliability Standard CIP-014
(Three-year approval for extension requested)
The Federal Energy Regulatory Commission (FERC or Commission) requests that the Office of Management and Budget (OMB) review and renew the information collection requirements in FERC-725U under OMB Control No. 1902-0274. This supporting statement covers the requirements of the FERC-725U information collection. The reporting requirements in the FERC-725U are also contained in FERC’s regulations in 18 Code of Federal Regulations (CFR) Part 40.
CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY
On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. EPAct 2005 added a new Section 215 to the Federal Power Act (FPA)1, which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight. In 2006, the Commission certified the North American Electric Reliability Corporation (NERC) as the ERO pursuant to FPA section 215.2
HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION
Reliability Standard CIP-014-1 (inactive as of 10/1/2015)
On 11/20/2014, FERC issued an order3 approving Reliability Standard CIP-014-1. Reliability Standard CIP-014-1 enhanced physical security measures for the critical Bulk-Power System facilities and lessened the overall vulnerability of the Bulk-Power System against physical attacks.
Reliability Standard CIP-014-2 (current)
On 7/14/2015, FERC issued a letter order approving Reliability Standard CIP-014-2 (the current version of the Reliability Standard). Reliability Standard CIP-014-2 modified Reliability Standard CIP-014-1 by removing the term “widespread” from Requirement R1. Removing the term ensured that:
Applicable entities identify appropriate critical facilities under Requirement R1, and
The electric reliability organization enforces the CIP-014-2 Reliability Standard in a more consistent manner.
Reliability Standard CIP-014-2 requires applicable transmission owners and transmission operators to identify and protect transmission stations and transmission substations, and their associated primary control centers that if rendered inoperable or damaged resulting from a physical attack could result in widespread instability, uncontrolled separation, or cascading within an Interconnection.
In terms of information collection requirements, an applicable entity must create or maintain documentation showing compliance, when appropriate, with each requirement of the Reliability Standard. Reliability Standard CIP-014-2 has six requirements:
Requirement R1 requires applicable transmission owners (TO) to perform risk assessments on a periodic basis4 to identify their transmission stations and transmission substations that, if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Requirement R1 also requires transmission owners to identify the primary control center that operationally controls each of the identified transmission stations or transmission substations. Examples of acceptable evidence may include dated written or electronic documentation of the risk assessment of its transmission stations and transmission substations (existing and planned to be in service within 24 months) that meet the criteria in Applicability Section 4.1.1 as specified in Requirement R1.
Requirement R2 requires that each applicable transmission owner have an unaffiliated third party with appropriate experience verify the risk assessment performed under Requirement R1. Requirement R2 states that the transmission owner must either modify its identification of facilities consistent with the verifier’s recommendation or document the technical basis for not doing so. In addition, Requirement R2 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party verifiers or developed under the Reliability Standard from public disclosure. Examples of acceptable evidence may include dated written or electronic documentation that the transmission owner completed an unaffiliated third party verification of the Requirement R1 risk assessment and satisfied all of the applicable provisions of Requirement R2, including, if applicable, documenting the technical basis for not modifying the Requirement R1 identification as specified under Part 2.3.
Requirement R3 requires the transmission owner to notify a transmission operator (TOP) that operationally controls a primary control center identified under Requirement R1 of such identification to ensure that the transmission operator has notice of the identification so that it may timely fulfill its obligations under Requirements R4 and R5 to protect the primary control center. Examples of acceptable evidence may include dated written or electronic communications that the transmission owner notified each transmission operator, as applicable, according to Requirement R3.
Requirement R4 requires each applicable transmission owner and transmission operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each of its respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. Examples of evidence may include dated written or electronic documentation that the transmission owner or transmission operator conducted an evaluation of the potential threats and vulnerabilities of a physical attack to their respective transmission station(s), transmission substation(s) and primary control center(s) as specified in Requirement R4.
Requirement R5 requires each transmission owner and transmission operator to develop and implement documented physical security plans that cover each of their respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. Examples of evidence may include dated written or electronic documentation of its physical security plan(s) that covers their respective identified and verified transmission station(s), transmission substation(s), and primary control center(s) as specified in Requirement R5, and additional evidence demonstrating implementation of the physical security plan.
Requirement R6 requires that each transmission owner and transmission operator subject to Requirements R4 and R5 have an unaffiliated third party with appropriate experience review its Requirement R4 evaluation and Requirement R5 security plan. Requirement R6 states that the transmission owner or transmission operator must either modify its evaluation and security plan consistent with the recommendation, if any, of the reviewer or document its reasons for not doing so. In addition, Requirement R6 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party reviewers or developed under the Reliability Standard from public disclosure. Examples of evidence may include written or electronic documentation that the transmission owner or transmission operator had an unaffiliated third party review the evaluation performed under Requirement R4 and the security plan(s) developed under Requirement R5 as specified in Requirement R6 including, if applicable, documenting the reasons for not modifying the evaluation or security plan(s) in accordance with a recommendation under Part 6.3.
Transmission owners and transmission operators must keep data or evidence to show compliance with the standard for three years unless directed by its Compliance Enforcement Authority. If a responsible entity is found non-compliant, it must keep information related to the non-compliance until mitigation is complete and approved, or for the three years, whichever is longer.
DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE THE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN
This collection does not require industry to file the information with the Commission. However, FERC-725U does contain information collection and record retention requirements for which using current technology is an option.
The information technology to meet the information collection requirements is not specifically covered in the Reliability Standard.
DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2
The Commission periodically reviews filing requirements concurrent with OMB review or as the Commission deems necessary to eliminate duplicative filing and to minimize the filing burden. The Commission is unaware of any other source of information related to bulk-electric system physical security.
METHODS USED TO MINIMIZE THE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES
In general, small entities may reduce their burden by taking part in a joint registration organization or a coordinated functional registration. These options allow a small entity to share the compliance burden with other entities and, thus, to minimize their own compliance burden. Detailed information regarding these options is available in NERC’s Rule of Procedure at Sections 507 and 5085.
CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY
The paperwork requirements are related with documenting compliance with substantive requirements (including the preparation of a physical security plan), and maintaining such documents. The frequency of the paperwork requirements was vetted and approved by industry consensus in the NERC standard development process and is ultimately meant to support the reliability of the bulk electric system.
EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION
There are no special circumstances related to the FERC-725U information collection.
DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY’S RESPONSE
The ERO process to establish Reliability Standards is a collaborative process with the ERO, Regional Entities, and other stakeholders developing and reviewing drafts and providing comments.6 The NERC-approved Reliability Standards were then submitted by NERC to the FERC for review and approval.
In accordance with OMB requirements, the Commission published a 60-day notice7 and a 30-day notice8 to the public regarding this information collection on 12/14/2020 and 2/24/2021 respectively. Within the public notices, the Commission noted that it would be requesting a three-year extension of the public reporting burden. The Commission received no comments from the public in response to either published notice regarding the FERC-725U information collection.
EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS
There are no gifts or payments given to the respondents.
DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS
According to the NERC Rules of Procedure9, “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.
Responding entities do not submit the information collected under the Reliability Standard to FERC. Rather, they maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.
PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE.
This collection does not include any questions of a sensitive nature.
ESTIMATED BURDEN OF COLLECTION OF INFORMATION
The burden for the FERC-725U information collection is reflected in the table below:
This renewal requests three years of extension/approval.
FERC-725U: (Mandatory Reliability Standards: Reliability Standard CIP-014) |
||||||
|
Number
of Respondents10 |
Annual Number of Responses per Respondent (2) |
Total Number of Responses (1)*(2)=(3) |
Average Burden Hours & Cost Per Response (4) |
Total Annual Burden Hours & Total Annual Cost (3)*(4)=(5) |
Average Annual Cost per Respondent (5)÷(1) |
Annual Reporting and Recordkeeping |
336 |
1 |
336 |
32.71 hrs.; $2,714.93 |
10,991 hrs.; $912,253 |
$2,714,93 |
TOTAL FERC-725U |
336 |
1 |
336 |
32.71 hrs.; $2,714.93 |
10,991 hrs.; $912,253 |
$2,714.93 |
ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS
There are no start-up or other non-labor costs.
Total Capital and Start-up cost: $0
Total Operation, Maintenance, and Purchase of Services: $0
All of the costs related to the FERC-725U information collection are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.
ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT
The Regional Entities and NERC do most of the data processing, monitoring and compliance work for Reliability Standards. Any involvement by the Commission is covered under the FERC-725 collection (OMB Control No. 1902-0225) and is not part of this request or package.
The estimated annualized cost to the Federal Government for FERC-725U follows:
FERC-725U |
Number of Employees (FTEs) |
Estimated Annual Federal Cost |
FERC-725U Analysis and Processing of filings |
0 |
$0 |
Paperwork Reduction Act Administrative Cost11 |
|
$6,475 |
TOTAL |
|
$6,475 |
Based on the above table, the total federal cost for FERC-725U is $6,475.
REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE
The reporting and recordkeeping requirements have not changed. Each requirement (including record-keeping requirements) in CIP-014-2 retains the same related hourly burden per response.12
FERC-725U |
Total Request |
Previously Approved |
Change due to Adjustment in Estimate |
Change Due to Agency Discretion |
Annual Number of Responses |
336 |
336 |
0 |
0 |
Annual Time Burden (Hr.) |
10,991 |
10,991 |
0 |
0 |
Annual Cost Burden ($) |
$0 |
$0 |
$0 |
$0 |
TIME SCHEDULE FOR PUBLICATION OF DATA
There are no tabulating, statistical or tabulating analysis or publication plans for the collection of information.
DISPLAY OF EXPIRATION DATE
The PRA information (including expiration dates and OMB Control Nos.) is posted at http://www.ferc.gov/docs-filing/efiling.asp.
EXCEPTIONS TO THE CERTIFICATION STATEMENT
There are no exceptions.
1 16 U.S.C. 824o.
2 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh’g & compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
3 Order No. 802 (79 FR 70069, 11/25/2014)
4 The frequency is detailed in the Reliability Standard. For example, R1 states in part:
“1.1 Subsequent risk assessments shall be performed:
At least once every 30 calendar months for a Transmission Owner that has identified in its previous risk assessment (as verified according to Requirement R2) one or more Transmission stations or Transmission substations that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection; or
At least once every 60 calendar months for a Transmission Owner that has not identified in its previous risk assessment (as verified according to Requirement R2) any Transmission stations or Transmission substations that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.
1.2. The Transmission Owner shall identify the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment. “
6 Details of the ERO standards development process are available on the NERC website at http://www.nerc.com/pa/Stand/Documents/Appendix_3A_StandardsProcessesManual.pdf.
7 85 FR 80778
8 86 FR 11277
9 Section 1502, Paragraph 2, available at NERCs website.
10 The total number of transmission owners and operators equals 336, this represents the unique US entities taken from October 2, 2020 NERC Compliance registry information.
11 The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the Paperwork Reduction Act (PRA) for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings, and other changes to the collection.
12 The hourly burden for each CIP-014-2 requirement was established/approved in CIP-014-1 (a previous version of the Reliability Standard in ICR No. 201410-1902-001 on 1/28/2015) and remains unchanged here.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | FERC-725U supporting statement |
| Author | ferc |
| File Modified | 0000-00-00 |
| File Created | 2021-03-02 |