RD21-6 (725B) supporting statement


FERC-725B, Revisions in Docket No. RD21-6-000 (replacement of Reliability Standards CIP-004-6 and CIP-011-2 with CIP-004-7 and CIP-011-3)

OMB: 1902-0248


FERC-725B (OMB Control No. 1902-0248)

RD21-6-000

Supporting Statement for

FERC-725B, Mandatory Reliability Standards: Critical Infrastructure Protection Reliability Standards (Revisions Approved in Docket No. RD21-6-000)


The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review the revised collection of information designated as FERC-725B (Mandatory Reliability Standards: Critical Infrastructure Protection Reliability Standards).


As previously approved, the information collection (IC) listed in FERC-725B implements Critical Infrastructure Protection (CIP) Reliability Standards that require electric entities to comply with specific requirements to safeguard critical cyber assets. On September 15, 2021, NERC filed a petition requesting approval of two modified Reliability Standards: CIP-004-7 (Cyber Security, Personnel and Training) and CIP-011-3 (Cyber Security, Information Protection). This IC request applies only to the effects of those two revised Reliability Standards within FERC-725B.


The Commission issued a notice of the NERC petition on September 22, 2021, with interventions and comments due by October 6, 2021. The Commission did not receive any interventions or comments.


On December 7, 2021, the Commission issued a Designated Letter Order (DLO) in Docket No. RD21-6-000 approving the two proposed Reliability Standards because they will enhance security.


The Commission issued a 60-day notice in Docket No. RD21-6-000 on December 21, 2021. That notice was published on December 28, 2021 (86 FR 73752). In that notice, the Commission characterized this IC as FERC-725B4 -- an interim information collection number that, as of December 2021 (when the 60-day notice was issued for this information collection request), accommodated the need to seek timely approval during the pendency of an unrelated IC request pertaining to FERC-725B (OMB Control No. 1902-0248).


After the publication of the 60-day notice for this information collection request, the Office of Management and Budget (OMB) acted twice on IC FERC-725B. The resulting expiration date is June 30, 2026. OMB has approved the IC request for FERC-725B4 and has assigned it OMB Control No. 1902-0330. The Commission now seeks OMB’s approval to add the IC associated with Docket No. RD21-6-000 (and OMB Control No. 1902-0330) to FERC-725B (OMB Control No. 1902-0248) without changing the current expiration date.



  1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY


On August 8, 2005, Congress enacted the Energy Policy Act of 2005.[1] The Energy Policy Act of 2005 added a new section 215 to the Federal Power Act (FPA),[2] which requires a Commission-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards,[3] including requirements for cybersecurity protection, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the Electric Reliability Organization subject to Commission oversight, or the Commission can independently enforce Reliability Standards.

On February 3, 2006, the Commission issued Order No. 672,[4] implementing FPA section 215. The Commission subsequently certified North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization. The Reliability Standards developed by NERC become mandatory and enforceable after Commission approval and apply to users, owners, and operators of the Bulk-Power System, as set forth in each Reliability Standard.[5]


The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply. On January 18, 2008, the Commission issued Order No. 706,[6] approving the initial eight CIP Reliability Standards, the CIP version 1 Standards, submitted by NERC. Subsequently, the Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyber-related threats to the Bulk-Power System. On November 22, 2013, the Commission issued Order No. 791,[7] approving the CIP version 5 Standards, the last major revision to the CIP Reliability Standards. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or low risk to the operation of the Bulk Electric System (BES)[8] if compromised. High impact systems include large control centers. Medium impact systems include smaller control centers, ultra-high voltage transmission, and large substations and generating facilities. The remainder of the BES Cyber Systems[9] are categorized as low impact systems. Most requirements in the CIP Reliability Standards apply to high and medium impact systems; however, a technical controls requirement in CIP-003 applies only to low impact systems. Since 2013, the Commission has approved new and modified CIP Reliability Standards that address specific issues such as supply chain risk management, cyber incident reporting, communications between control centers, and the physical security of critical transmission facilities.[10]


Most recently, on September 15, 2021, NERC filed a petition requesting approval of two Reliability Standards: CIP-004-7 (Cyber Security, Personnel and Training) and CIP-011-3 (Cyber Security, Information Protection). NERC described the proposed Reliability Standards as “Addressing Bulk Electric System Cyber System Information Access Management.” The petition was noticed on September 22, 2021, with interventions and comments due by October 6, 2021.[11] The Commission did not receive any interventions or comments.


On December 7, 2021, the Commission issued a Designated Letter Order (DLO) in Docket No. RD21-6-000 approving the proposed Reliability Standards and finding that the modified Reliability Standards enhance security, as discussed below.


  2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION


The CIP Reliability Standards specify requirements that entities must follow to ensure the cyber and physical security of the Bulk-Power System. This request pertains only to effects of CIP-004-7 and CIP-011-3 on FERC-725B.


Before the issuance of the DLO, Reliability Standard CIP-004-6 required Responsible Entities to control access to Bulk Electric System Cyber System Information (BCSI) by managing access to a designated storage location, such as an electronic document or physical file room. Reliability Standard CIP-004-7 removes references to “designated storage locations” of BCSI and requires an access management program to authorize, verify, and revoke provisioned access to BCSI. This change updates CIP-004 by focusing on controls at the file level (e.g., rights, permissions, privileges) of BCSI and no longer ties protection of BCSI to a single physical, designated storage location.
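The authorize, verify and revoke cycle that CIP-004-7 describes is, in practice, a reconciliation between an authorization register and the permissions actually provisioned on the systems holding BCSI. The following is an added example, not code from the supporting statement, from NERC, or from any Responsible Entity's program: the authorization register, the provisioned permissions, the person names and the BCSI item names are all constructed for illustration, and the verification date is an assumed parameter.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (illustration only, not from the supporting statement).
# The authorization register: who is authorized to which BCSI item, by whom,
# and until when. Keyed by (person, bcsi_item).
AUTHORIZATIONS = {
    ("alice", "substation-network-diagrams"): {"approved_by": "cip-manager", "expires": date(2025, 12, 31)},
    ("bob",   "substation-network-diagrams"): {"approved_by": "cip-manager", "expires": date(2024, 1, 31)},
    ("carol", "relay-settings-archive"):      {"approved_by": "cip-manager", "expires": date(2025, 6, 30)},
    ("erin",  "relay-settings-archive"):      {"approved_by": "cip-manager", "expires": date(2025, 6, 30)},
}

# Provisioned access as it would be read back from file-level ACLs on the
# storage system (also constructed): (person, bcsi_item, rights).
PROVISIONED = [
    ("alice", "substation-network-diagrams", "read"),
    ("bob",   "substation-network-diagrams", "read"),        # authorization has expired
    ("dave",  "relay-settings-archive",      "read,write"),  # no authorization on record
    ("carol", "relay-settings-archive",      "read"),
]

# Assumed date of the verification run.
REVIEW_DATE = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    person: str
    item: str
    rights: str
    reason: str  # "unauthorized" or "expired"


def verify_provisioned_access(authorizations, provisioned, as_of):
    """Check every provisioned grant against the authorization register.

    A grant is flagged when no authorization exists for that person and item,
    or when the authorization on record had expired by `as_of`.
    Returns the list of grants that require revocation.
    """
    findings = []
    for person, item, rights in provisioned:
        record = authorizations.get((person, item))
        if record is None:
            findings.append(Finding(person, item, rights, "unauthorized"))
        elif record["expires"] < as_of:
            findings.append(Finding(person, item, rights, "expired"))
    return findings


def missing_provisioning(authorizations, provisioned, as_of):
    """Authorized-but-not-provisioned pairs.

    These are not an access-control gap, but they show that the register and
    the ACLs have drifted apart, so a verification report should list them too.
    """
    granted = {(person, item) for person, item, _ in provisioned}
    return sorted(
        key for key, record in authorizations.items()
        if record["expires"] >= as_of and key not in granted
    )


def revocation_plan(findings):
    """Deduplicated (person, item) pairs whose provisioned access must be revoked."""
    return sorted({(f.person, f.item) for f in findings})


if __name__ == "__main__":
    for finding in verify_provisioned_access(AUTHORIZATIONS, PROVISIONED, REVIEW_DATE):
        print(f"REVOKE {finding.person} on {finding.item} ({finding.rights}): {finding.reason}")
    for person, item in missing_provisioning(AUTHORIZATIONS, PROVISIONED, REVIEW_DATE):
        print(f"DRIFT  {person} authorized for {item} but not provisioned")
```

The comparison runs on the (person, item) pair rather than on a storage location, which is the shift CIP-004-7 makes: the evidence of verification is the list of file-level grants checked against the register, and the revocation plan is what the access management program acts on.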


Before the issuance of the DLO, Reliability Standard CIP-011-2 required entities to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES. Reliability Standard CIP-011-3 clarifies the requirements for protecting and handling BCSI with the goal of providing flexibility for Responsible Entities to use third-party data storage and analysis systems. Specifically, Reliability Standard CIP-011-3 requires Responsible Entities to implement specific controls related to BCSI during storage, handling, use, and disposal of information when implementing services provided by third parties.


  3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.


The use of current or improved technology and the medium are not covered in Reliability Standards and are therefore left to the discretion of each respondent. We think that nearly all of the respondents are likely to make and keep related records in an electronic format. The compliance portals allow documents developed by the registered entities to be attached and uploaded to the Regional Entity’s portal. Compliance data can also be submitted by filling out data forms on the portals. These portals are accessible through a password-protected, browser-based user interface.


  4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2


Filing requirements are periodically reviewed as OMB review dates arise or as the Commission may deem necessary in carrying out its regulatory responsibilities under the FPA in order to eliminate duplication and ensure that filing burden is minimized. There are no similar sources for information available that can be used or modified for these reporting purposes.


  5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES


The Commission estimates one-time and ongoing increases in reporting burden on a variety of NERC-registered entities (including Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators, Transmission Operators, Balancing Authorities, and Transmission Owners) due to the changes in the revised Reliability Standards, with no other increase in the cost of compliance (when compared with the current standards). Approximately 585 of the 714 affected entities are expected to meet the SBA’s definition for a small entity.[12]


The Reliability Standards do not contain provisions for minimizing the burden of the collection for small entities. All the requirements in the Reliability Standards apply to every applicable entity. However, small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC’s Rules of Procedure at Section 1502, Paragraph 2, available at NERC’s website.


  6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY


Not collecting the data associated with the Reliability Standards would leave an unmitigated risk from communication links and sensitive bulk electric system data communicated between bulk electric system Control Centers of the NERC registered entities that operate the bulk electric system. Since the documentation is a plan to protect, not collecting the information and not having a plan would prevent the protection of Real-time Assessment and Real-time monitoring data while being transmitted between Control Centers.

  7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION


FERC-725B has no special circumstances.


  8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS


The Commission issued a 60-day notice in Docket No. RD21-6-000 on December 21, 2021. That notice was published on December 28, 2021 (86 FR 73752). The Commission received no public comments in response.


The Commission issued a 30-day notice in Docket No. RD21-6-000 on July 7, 2022. That notice was published on July 13, 2022 (87 FR 41707).


  9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS


No payments or gifts have been made to respondents.


  10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS


According to the NERC Rules of Procedure,[13] “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.

Responding entities do not submit the information collected under the Reliability Standards to FERC. Rather, they submit the information to NERC or the Regional Entities, or maintain it internally. Since no submissions are made to FERC, FERC has no specific provisions to protect confidentiality.


  11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE


This collection does not contain any questions of a sensitive nature.

  12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION


The DLO removes two IC activities, and replaces them with two new IC activities. The number of responses in the two sets of activities is identical, but the estimated number of burden hours for the new IC activities is less than the number of burden hours for the replaced IC activities. The Commission estimates that the new IC activities in the DLO result in 686 responses annually, per-response burdens of 10 hours and $918.10, and total burdens of 6,860 hours and $629,817.60.


The Commission itemizes those burdens as shown below.



Table 12
Estimated Annual Burdens in FERC-725B Due to Docket No. RD21-6-000

| | A. Number of Respondents[14] | B. Annual Number of Responses per Respondent | C. Total Number of Responses (Column A x Column B) | D. Average Burden Hours[15] & Cost Per Response[16] | E. Total Annual Burden Hours & Total Annual Cost (Column C x Column D) | F. Cost per Respondent ($) (Column E ÷ Column A) |
|---|---|---|---|---|---|---|
| Addition of CIP-004-7 | 343 | 1 | 343 | 10 hours & $918.10 | 3,430 hours & $314,908.30 | $918.10 |
| Addition of CIP-011-3 | 343 | 1 | 343 | 10 hours & $918.10 | 3,430 hours & $314,908.30 | $918.10 |
| Totals | 686 | | 686 | | 6,860 hours & $629,817.60 | |


  13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS


There are no start-up or other non-labor costs.


Total Capital and Start-up cost: $0

Total Operation, Maintenance, and Purchase of Services: $0


All of the costs due to this Final Rule are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.


  14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT


The Regional Entities and NERC do almost all of the data processing, monitoring and compliance work for Reliability Standards. The information is not submitted to FERC.


The Commission does incur the costs associated with obtaining OMB clearance under the Paperwork Reduction Act (PRA). The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the PRA for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings and orders, other changes to the collection, and associated publications in the Federal Register.


Table 14
Federal Costs

| FERC-725B | Number of Employees (FTEs) | Estimated Annual Federal Cost |
|---|---|---|
| Analysis and Processing of Filings | 0 | $0 |
| Paperwork Reduction Act Administrative Cost | | $8,279 |
| TOTAL | | $8,279 |



  15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE


The ICs associated with the DLO do not change the number of respondents and they do not change the number of responses. All of the estimated burden hours resulting from the DLO are program changes. As shown below, the replacement of two previously approved Reliability Standards with two new Reliability Standards results in a net decrease in the estimated annual hour burdens of FERC-725B. However, in ROCIS, the addition of two new Reliability Standards is also recognized as an increase in the estimated annual burdens of FERC-725B, notwithstanding the fact that the two new Reliability Standards replace two previously approved Reliability Standards.



Table 15
Changes in FERC-725B Due to Docket No. RD21-6-000

| A. Requested Type of Response | B. Previously Approved Responses and Burden Hours[17] | C. Requested Responses and Burden Hours | D. Program Changes Due to Agency Discretion (Column C – Column B) |
|---|---|---|---|
| CIP-004-7 | Burdens for CIP-004-6: 343 responses; 193,795 hours | 343 responses; 3,430 hours | 0 responses; -190,365 hours |
| CIP-011-3 | Burdens for CIP-011-2: 343 responses; 29,498 hours | 343 responses; 3,430 hours | 0 responses; -26,068 hours |


  16. TIME SCHEDULE FOR THE PUBLICATION OF DATA


There is no schedule for publishing the data, and there are no plans to publish the data.


  17. DISPLAY OF THE EXPIRATION DATE


The expiration date is displayed in a table posted on ferc.gov at https://www.ferc.gov/information-collections.


  18. EXCEPTIONS TO THE CERTIFICATION STATEMENT


There are no exceptions.



[1] Energy Policy Act of 2005, Pub. L. No. 109-58, sec. 1261 et seq., 119 Stat. 594 (2005).

[2] 16 U.S.C. 824o.

[3] The FPA, at 16 U.S.C. 824o(a)(3), defines “Reliability Standard” as a requirement, approved by the Commission, to provide for reliable operation of the bulk-power system. This definition includes cybersecurity protection, and the design of planned additions or modifications to bulk-power facilities to the extent necessary to provide for reliable operation of the Bulk-Power System. However, the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity.

[4] Rules Concerning Certification of the Elec. Reliability Org.; and Procedures for the Establishment, Approval, and Enf’t of Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh’g, Order No. 672-A, 71 FR 19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006).

[5] NERC uses the term “registered entity” to identify users, owners, and operators of the Bulk-Power System responsible for performing specified reliability functions with respect to NERC Reliability Standards. See, e.g., Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification and reh’g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability Standards are various subsets of entities responsible for performing various specified reliability functions. We collectively refer to these as “entities.”

[6] Order No. 706, 122 FERC ¶ 61,040 at P 1.

[7] Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶ 61,160 (2013), order on reh’g, Order No. 791-A, 146 FERC ¶ 61,188 (2014).

[8] In general, NERC defines BES to include all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy. See NERC, Bulk Electric System Definition Reference Document, Version 3, at page iii (August 2018). In Order No. 693, the Commission found that NERC’s definition of BES is narrower than the statutory definition of Bulk-Power System. The Commission decided to rely on the NERC definition of BES to provide certainty regarding the applicability of Reliability Standards to specific entities. See Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79, 491, order on reh’g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 120 FERC ¶ 61,053 (2007).

[9] NERC defines BES Cyber System as “[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” NERC, Glossary of Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). NERC defines BES Cyber Asset as

A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.

Id. at 4.

[10] See, e.g., Order No. 791, 78 FR 72755; Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 81 FR 4177 (Jan. 26, 2016), 154 FERC ¶ 61,037, reh’g denied, Order No. 822-A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure Protection Reliability Standard CIP-003-7 – Cyber Security – Security Management Controls, Order No. 843, 163 FERC ¶ 61,032 (2018).

[11] 86 FR 52667, at 52668.

[12] Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this Final Rule, we are using a 500-employee threshold due to each affected entity falling in the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).

[13] Section 1502, Paragraph 2, available at NERC’s website.

[14] The number of respondents is based on the NERC Compliance Registry as of June 22, 2021. Currently there are 1,508 unique NERC Registered Entities; subtracting 16 Canadian Entities yields 1,492 U.S. NERC Registered Entities subject to the CIP Standards. However, only those NERC Registered Entities that own Medium Impact or High Impact BES Cyber Systems are subject to the CIP Standards in this filing, which is estimated to be 343 NERC Registered Entities.

[15] Of the average estimated twenty (20) hours per response, all twenty (20) hours (total of both standards) are for the one-time effort of updating or changing documentation for record-keeping burden that is already accounted for.

[16] Commission staff estimates that the average industry hourly cost for this information collection is $91.81/hour based on the following occupations from the Bureau of Labor Statistics: 1) Manager (Occupational Code: 11-0000): $106.33/hour; and 2) Electrical Engineer (Occupational Code 17-2071): $77.29/hour. Source: Sector 22 - Utilities - May 2022 OEWS Industry-Specific Occupational Employment and Wage Estimates (bls.gov).

[17] The numbers shown in this column are those that are shown in ROCIS, which automatically rounded some of the numbers shown in the supporting statement.
