FERC-725B2, (CLO in Docket RD21-2) Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards

ICR 202102-1902-002

OMB: 1902-0304

Federal Form Document

Forms and Documents

Document Name	Status
RD20-2_725B2_Supporting Statement.docx Supporting Statement A	2021-05-06
Pub.L 109-59 1211, Title XII, Subtitle A Energy Policy Act of 2005.pdf Supplementary Document	2021-05-05
RM17-13-000 (Issued).docx Supplementary Document	2021-05-05
725B2_RD21-2_30-day IC Notice Published.pdf Supplementary Document	2021-05-04
RM15-4-000 CLO.docx Supplementary Document	2021-05-04
Final Rule (Issued) RM17-13-000.docx Supplementary Document	2021-05-04
725B2_RD21-2_30-day IC Notice Issued.docx Supplementary Document	2021-05-03
RD21-2_725B2_60day (Published).pdf Supplementary Document	2021-05-03
20201214-5246_Petition - Supply Chain Risk Management_final.PDF Supplementary Document	2021-02-22
ecfr2-22-2021 Part40.docx Supplementary Document	2021-02-22
20210222-3001_725B2_RD21-2_60 day IC notice_20162021_ss.DOCX Supplementary Document	2021-02-22
16 USC 824(o).pdf Supplementary Document	2018-01-30

IC Document Collections

IC ID	Document Title	Status
245939	RD21-2, CIP-010-4, reporting and recordkeeping (one-time and ongoing)	New
245937	RD21-2, CIP-013-2, reporting and recordkeeping (one-time and ongoing)	New
245934	RD21-2, CIP-005-7, reporting and recordkeeping (one-time and ongoing)	New
229899	RM17-13 NOPR (one-time)	Removed
229894	RM17-13 NOPR (ongoing)	Removed

ICR Details

OMB Control No: 1902-0304	ICR Reference No: 202102-1902-002
Status: Received in OIRA	Previous ICR Reference No: 201801-1902-009
Agency/Subagency: FERC	Agency Tracking No: FERC-725B2
Title: FERC-725B2, (CLO in Docket RD21-2) Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards
Type of Information Collection: New collection (Request for a new OMB Control Number)	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 05/07/2021

	Requested	Previously Approved
Expiration Date	36 Months From Approved
Responses	1,029	0
Time Burden (Hours)	28,926	0
Cost Burden (Dollars)	0	0

Abstract: NOTE: This request related to Docket No. RD21-2 would normally be submitted under FERC-725B (OMB Control No. 1902-0248). Another unrelated item is pending at OMB under FERC-725B, and only one item per OMB Control No. can be submitted for review at a time. Therefore the requirements of RD21-2 are being submitted to OMB under FERC-725B2 (temporary interim information collection number). Additionally, while ROCIS may indicate that this is a new collection, the existing standards are included in FERC-725B and the changes to the standards are being included in FERC-725B2. RD21-2 expands the types of assets to which the reporting and recordkeeping requirements apply, but does not change the reporting or recordkeeping requirements. The burden for the baseline reporting and recordkeeping requirements of the 3 Reliability Standards continues to be covered by FERC-725B. Pursuant to section 215 of the Federal Power Act (FPA), the Commission proposes to approve Reliability Standards CIP-013-2 (Cyber Security – Supply Chain Risk Management), CIP-005-7 (Cyber Security – Electronic Security Perimeter(s)), and CIP-010-4 (Cyber Security – Configuration Change Management and Vulnerability Assessments) . The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 in response to directives in Order No. 829. The proposed reliability standards are intended to augment the currently effective CIP Reliability Standards in order to mitigate cybersecurity risks associated with the supply chain for BES Cyber System. The proposed Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security --- Electronic Security Perimeters(s)), and CIP-010-3 (Cyber Security --- Configuration Change Management and Vulnerability Assessments) are to be used by NERC registered entities to mitigate cybersecurity risks associated with the supply chain for BES Cyber System The NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 288 entities will face an increased paperwork burden under proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3.

Authorizing Statute(s): US Code: 18 USC 824o Name of Law: Federal Power Act
PL: Pub.L. 109 - 58 1211, Title XII, Subtitle A Name of Law: Energy Policy Act of 2005

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	86 FR 11760	02/26/2021
30-day Notice:	Federal Register Citation:	Citation Date:
	86 FR 23718	05/04/2021
Did the Agency receive public comments on this ICR? No

Number of Information Collection (IC) in this ICR: 3

IC Title	Form No.	Form Name
RD21-2, CIP-005-7, reporting and recordkeeping (one-time and ongoing)
RD21-2, CIP-010-4, reporting and recordkeeping (one-time and ongoing)
RD21-2, CIP-013-2, reporting and recordkeeping (one-time and ongoing)
RM17-13 NOPR (one-time)
RM17-13 NOPR (ongoing)

ICR Summary of Burden

	Total Request	Change Due to Agency Discretion
Annual Number of Responses	1,029	1,029
Annual Time Burden (Hours)	28,926	28,926
Annual Cost Burden (Dollars)	0	0

Burden increases because of Program Change due to Agency Discretion: Yes

Burden Increase Due to: Miscellaneous Actions

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: The proposed standards (Reliability Standards CIP-013-2 (Cyber Security – Supply Chain Risk Management), CIP-005-7 (Cyber Security – Electronic Security Perimeter(s)), and CIP-010-4 (Cyber Security – Configuration Change Management and Vulnerability Assessments) are not changing the reporting or recordkeeping requirements, however the proposed standards are expanding the types of assets to which the reporting and recordkeeping requirements apply. The previous ICs related to the NOPR in RM17-13 (480 responses and 67,776 burden hours) were not approved in FERC-725B2 but were later submitted and approved under FERC-725B related to the Final Rule in RM17-3. (Those 480 responses and 67,776 hours are being removed as agency adjustments through the removal of the 2 previous (and now unnecessary) ICs; that is administrative due to ROCIS and unrelated to Docket No. RD21-2.)

Annual Cost to Federal Government: $6,475

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Simon Slobodnik 202 502-6707 [email protected]

Common Form ICR: No