725(1B)_supp statement final rule RM22-3 (5)

Download: docx | pdf

Supporting Statement for

Final Rule, Docket No. RM22-3, FERC-725(1B),

Procedures for Electric Reliability Standards

The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve FERC-725(1B) (Procedures for Electric Reliability Standards) in the Final Rule in Docket No. RM22-3.

FERC-725(1B) is a temporary, placeholder information collection number. FERC-725(1B) is being used because the 3-year renewal of FERC-725 (OMB Control No. 1902-0225) is pending review at OMB, and only one item per OMB Control No. can be pending review at a time. Otherwise Docket No. RM22-3 would be submitted to OMB under FERC-725.

1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY

The Energy Policy Act of 2005 added section 215 to the Federal Power Act (FPA),¹ enhancing the Commission’s ability to strengthen the reliability of the interstate electric grid. Section 215 of the FPA aids the Commission’s efforts to strengthen the reliability of the interstate grid by granting authority to provide for a system of mandatory Reliability Standards developed by the Electric Reliability Organization (ERO) and reviewed and approved by FERC.

On February 3, 2006, the Commission issued Order No. 672² certifying a single ERO [the North American Electric Reliability Corporation (NERC)], to oversee the reliability of the United States’ portion of the interconnected North American Bulk-Power System, subject to Commission oversight. The ERO is responsible for developing and enforcing the mandatory Reliability Standards. The Reliability Standards apply to all users, owners and operators of the Bulk-Power System.

The Commission has the authority to approve all ERO actions, to order the ERO to carry out its responsibilities under these statutory provisions, and (as appropriate) to enforce Reliability Standards. The ERO may delegate its enforcement responsibilities to a Regional Entity. Delegation is effective only after the Commission approves the delegation agreement. A Regional Entity also may propose a Reliability Standard to the ERO for submission to the Commission for approval.

More information on FERC’s Electric Reliability program is posted at https://www.ferc.gov.

Final Rule in RM22-3. The final rule in RM22-3 directs NERC to develop new or modified Reliability Standards that require network security monitoring internal to a Critical Infrastructure Protection (CIP) networked environment (internal network security monitoring or INSM) for high and medium impact Bulk Electric System (BES) Cyber Systems.

2. HOW, BY WHOM AND FOR WHAT PURPOSE IS THE INFORMATION TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

The FERC-725(1B) will contain the following information collection elements.

Reliability Standards Development:³ Under Section 215 of the FPA, the ERO is charged with developing Reliability Standards. Regional Entities may also develop regional specific standards.

The Commission implements its responsibilities related to FERC-725(1B) [and the related FERC-725] through 18 CFR Part 39.

Without the FERC-725(1B) information collection in RM22-3, the FERC, ERO, and Regional Entities will not have information to determine what measures should be taken to further ensure the reliability of the nation’s electric grid. The absence of INSM constitutes a gap in the NERC CIP Reliability Standards. Currently, the only locations that require mandatory network security monitoring are the electronic access points at high and medium impact BES Cyber Systems at control centers. Given the increased sophistication of cyberattacks, relying on network perimeter defense and other currently-existing controls leaves trust zones internal to a CIP networked environment vulnerable. For example, in a network without INSM, the attacker who has bypassed all perimeter defenses and has gained access to the network could communicate with and move freely between devices within a trust zone with little likelihood of detection. The attacker could then access the Supervisory Control and Data Acquisition (SCADA) system and control equipment, like circuit breakers, dropping generating resources or load, and potentially causing BES instability or uncontrolled separation.

2. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE BURDEN AND THE TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN

All of the information that is reported to the Commission in this collection may be submitted electronically, through the Commission’s eFiling system (as described at http://www.ferc.gov/docs-filing/efiling.asp).

4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2.

Filing requirements are periodically reviewed as OMB review dates arise, or as the Commission may deem necessary in carrying out its responsibilities, in order to eliminate duplication and ensure that filing burden is minimized. The Commission believes there are no similar sources of information available that can be used or modified for these purposes.

5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES

We are directing NERC, the Commission-certified ERO, to develop modified Reliability Standards that require internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for high and medium impact BES Cyber Systems. NERC is not a small entity.

6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY

As discussed in Docket No. RM22-3, the information collection focuses on electric reliability reporting requirements that are not currently contained within any Reliability Standards. The Commission approves of these requirements as necessary for the reliable operation of the bulk electric system. Any reduction in frequency may diminish the ability of NERC, Regional Entities, or FERC in maintaining reliability on the bulk electric system.

7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION

There are no special circumstances related to this collection.

8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY’S RESPONSE TO THESE COMMENTS

The Commission published the Notice of Proposed Rulemaking in Docket No. RM22-3 in the Federal Register on January 27, 2022 (87 FR 4173) and requested public comment. No public comment was received. The Commission published the “Final Action” (the functional equivalent of a final rule) in the Federal Register on February 9, 2023 (88 FR 8354). The effective date was April 10, 2023, and NERC was directed to develop the relevant Reliability Standard(s) within 15 months after the effective date.

9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS

There are no payments or gifts to respondents.

10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS

The Commission generally does not consider the data to be confidential. However, certain actions have confidentiality provisions which prevent the disclosure of information relating to enforcement actions and Critical Energy/Electric Infrastructure Information (CEII).⁴ A request for material to be treated as CEII or privileged may be made under 18 CFR Part 388.

18 C.F.R. 388.112 provides that, “any person submitting a document to the Commission may request privileged treatment by claiming that some or all of the information contained in a particular document is exempt from the mandatory public disclosure requirements of the Freedom of Information Act, 5 U.S.C. 552, and should be withheld from public disclosure.”

11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE

The Commission does not consider any of the questions to be sensitive or private.

12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION

For the following reasons, we are using placeholders of 1 respondent, 1 response, and 1 burden hour for FERC-725(1B) in order to submit this request to OMB for PRA review.

1. The reporting requirements and burden for the information collection in Docket No. RM22-3 are already included in FERC-725 under the ERO’s responsibility for Reliability Standards Development,⁵ but FERC-725 was pending review by OMB at the time that Docket No. RM22-3 was initiated.

2. Submittal to OMB of the information collection in Docket RM22-3 through the ROCIS system requires estimated figures for respondent, response, and burden.

To approximate NERC’s cost for the temporary, placeholder FERC-725(1B), we are using the estimated average of $87/hour (for wages and benefits) for 2021 for a FERC employee. Therefore the estimated annual cost of the 1 placeholder burden hour is $87.

13. ESTIMATE OF TOTAL ANNUAL COST OF BURDEN TO RESPONDENTS

All costs are related to the placeholder burden hour and are discussed in Questions 12 and 15.

14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT

	Number of Employees (FTEs)	Estimated Annual Federal Cost
PRA6 Administration Cost		$8,279
Data Processing and Analysis [This is covered under FERC-725.]	0 [This is covered under FERC-725.]	$0 [This is covered under FERC-725.]
FERC Total		$8,279

The Paperwork Reduction Act (PRA) Administrative Cost (updated June 2021) is the average annual FERC cost associated with preparing, issuing, and submitting materials necessary to comply with the PRA for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. It also includes the cost of publishing the necessary notices in the Federal Register.

15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE

As discussed in Question 12, we are using placeholders of 1 respondent, 1 response, and 1 burden hour for FERC-725(1B) in order to submit this request to OMB for PRA review.

The burden and requirements for the information collection in Docket No. RM22-3 are covered by FERC-725. However, FERC-725 was pending OMB review for the 3-year renewal request (ICR No. 202201-1902-001) at the time RM22-3 was initiated, so we were and are using a temporary information collection no. (i.e., FERC-725(1B)) to submit the information collection in Docket No. RM22-3 to OMB.

FERC-725(1B)	Total Request	Previously Approved	Change due to Adjustment in Estimate	Change Due to Agency Discretion
Annual Number of Responses	1	0	0	1
Annual Time Burden (Hr.)	1	0	0	1
Annual Cost Burden ($)	$0	0	0	$0

The format, labels, and definitions of the table above follow the ROCIS system’s “ICR Summary of Burden” for the meta-data.

16. TIME SCHEDULE FOR PUBLICATION OF DATA

There are no plans for tabulation, statistical analysis or publication. The data are used for regulatory purposes only.

17. DISPLAY OF EXPIRATION DATE

The OMB expiration dates are posted on http://www.ferc.gov/docs-filing/info-collections.asp .

18. EXCEPTIONS TO THE CERTIFICATION STATEMENT

There are no exceptions.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Modified	0000-00-00
File Created	2023-08-02