UNITED STATES OF AMERICA
FEDERAL ENERGY REGULATORY COMMISSION
[Docket No. RD21-6-000]
COMMISSION INFORMATION COLLECTION ACTIVITIES (FERC-725B4); COMMENT REQUEST; EXTENSION
(July 7, 2022)
AGENCY: Federal Energy Regulatory Commission.
ACTION: Notice of information collection and request for comments.
SUMMARY: In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the new information collection designated as FERC-725B4 (Mandatory Reliability Standards: Critical Infrastructure Protection Reliability Standards CIP-004-7 and CIP-011-3), which will be submitted to the Office of Management and Budget (OMB) for a review of the information collection requirements.
DATES: Comments on the collection of information are due [Insert Date 30 days after date of publication in the Federal Register].
ADDRESSES: Send written comments on FERC-725B4 to OMB through www.reginfo.gov/public/do/PRAMain, Attention: Federal Energy Regulatory Commission Desk Officer. Please identify the OMB control number (1902-TBD) in the subject line. Your comments should be sent within 30 days of publication of this notice in the Federal Register.
Please submit copies of your comments (identified by Docket No. RD21-6-000) to the Commission as noted below. Electronic filing through http://www.ferc.gov is preferred.
Electronic Filing: Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format.
For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery.
Mail via U.S. Postal Service Only: Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, N.E., Washington, DC 20426.
Hand (including courier) delivery: Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
Instructions:
OMB submissions must be formatted and filed in accordance with submission guidelines at www.reginfo.gov/public/do/PRAMain. Using the search function under the “Currently Under Review” field, select Federal Energy Regulatory Commission; click “submit” and select “comment” to the right of the subject collection.
FERC submissions must be formatted and filed in accordance with submission guidelines at: http://www.ferc.gov. For user assistance, contact FERC Online Support by e-mail at [email protected], or by phone at: (866) 208-3676 (toll-free).
Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at http://www.ferc.gov.
FOR FURTHER INFORMATION: Ellen Brown may be reached by e-mail at [email protected] and telephone at (202) 502-8663.
SUPPLEMENTARY INFORMATION:
Title: FERC-725B4, Mandatory Reliability Standards: Critical Infrastructure Protection Reliability Standards CIP-004-7 and CIP-011-3.[1]
OMB Control No.: TBD.
Type of Request: Approval of proposed changes as described in Docket No. RD21-6-000.
Abstract: On September 15, 2021, the North American Electric Reliability Corporation (NERC) filed a petition requesting approval of two Reliability Standards: CIP-004-7 (Cyber Security, Personnel and Training) and CIP-011-3 (Cyber Security, Information Protection). NERC described the proposed Reliability Standards as “Addressing Bulk Electric System Cyber System Information Access Management.” The petition was noticed on September 22, 2021, with interventions and comments due by October 6, 2021.[2] The Commission did not receive any interventions or comments.
On December 7, 2021, the Designated Letter Order (DLO) in Docket No. RD21-6-000 approved the proposed Reliability Standards, and found that the modified Reliability Standards enhance security as discussed below.
At present, Reliability Standard CIP-004-6 requires Responsible Entities to control access to Bulk Electric System Cyber System Information (BCSI) by managing access to a designated storage location, such as an electronic document or physical file room. Reliability Standard CIP-004-7 removes references to “designated storage locations” of BCSI and requires an access management program to authorize, verify and revoke provisioned access to BCSI. This change updates CIP-004 by focusing on controls at the file level (e.g., rights, permissions, privileges) of BCSI and reduces the need for access to only a physical, designated storage location for BCSI.
Reliability Standard CIP-011-3 clarifies the requirements of protecting and handling BCSI with the goal of providing flexibility for Responsible Entities to use third-party data storage and analysis systems. Specifically, Reliability Standard CIP-011-3 requires Responsible Entities to implement specific controls related to BCSI during storage, handling, use, and disposal of information when implementing services provided by third parties.
Type of Respondents: Businesses and other for-profit entities.
Estimate of Annual Burden: The Commission estimates 686 responses annually, and per-response burdens of 10 hours and $850.20. The total estimated burdens per year are 6,860 hours and $583,237.20. These burdens are itemized in the following table:
| | A. Number of Respondents[3] | B. Annual Number of Responses per Respondent | C. Total Number of Responses (Column A x Column B) | D. | E. Total Annual Burden Hours & Total Annual Cost[6] (Column C x Column D) | F. Cost per Respondent ($) (Column E ÷ Column A) |
|---|---|---|---|---|---|---|
| CIP-004-7 | 343 | 1 | 343 | 10 hours & $850.20 | 3,430 hours & $291,618.60 | 10 hours & $850.20 |
| CIP-011-3 | 343 | 1 | 343 | 10 hours & $850.20 | 3,430 hours & $291,618.60 | 10 hours & $850.20 |
| Totals | 686 | | 686 | | 6,860 hours & $583,237.20 | 20 hours & $1,700.40 |
Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency’s estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology.
Kimberly D. Bose,
Secretary.
[1] FERC-725B4 is an interim information collection number that, as of December 2021 (when the 60-day notice was issued), accommodated the need to seek timely approval during the pendency of an unrelated information collection request pertaining to FERC-725B (OMB Control No. 1902-0248). In addition, the implementation plan for CIP-004-7 and CIP-011-3 provides that those Reliability Standards become effective on the first day of the first calendar quarter that is 24 calendar months after the effective date of the Commission’s order, so that Responsible Entities have sufficient time to come into compliance with the revised Reliability Standards. FERC-725B continues to cover the current requirements of the standards, before implementation of the revised requirements of Docket No. RD21-6-000. FERC-725B has been renewed with an expiration date of May 31, 2025. Thus, if and when OMB approves the information collection request for FERC-725B4, the Commission intends to seek OMB’s approval to add this collection of information to FERC-725B.
[2] 86 FR 52667, at 52668.
[3] The number of respondents is based on the NERC Compliance Registry as of June 22, 2021. Currently there are 1,508 unique NERC Registered Entities; subtracting 16 Canadian Entities yields 1,492 U.S. NERC Registered Entities subject to the CIP Standards. However, only those NERC Registered Entities that own Medium Impact or High Impact BES Cyber Systems are subject to the CIP Standards in this filing, which is estimated to be 343 NERC Registered Entities.
[4] Of the average estimated twenty (20) hours per response, all twenty (20) hours are for the one-time effort of updating or changing documentation for record-keeping burden that is already accounted for.
[5] Commission staff estimates that the average industry hourly cost for this information collection is $85.02/hour based on the following occupations from the Bureau of Labor Statistics: 1) Manager (Occupational Code: 11-0000): $97.89/hour; and 2) Electrical Engineer (Occupational Code 17-2071): $72.15/hour. Source: http://bls.gov/oes/current/naics3_221000.htm, as of June 2021.
Author | Jean Sonneman |
File Created | 2023-12-21 |