FERC-725B, RM24-8 Final Rule,
Mandatory Reliability Standards for Critical Infrastructure
Protection (CIP)
Revision of a currently approved collection
No
Regular
12/05/2025
Requested
Previously Approved
36 Months From Approved
06/30/2026
262,733
258,552
2,639,597
2,405,177
0
0
Reliability Standards CIP 003 10,
CIP-004-8, CIP-005-8, CIP-006-7.1, CIP-007-7.1, CIP-008-7.1, CIP
009 7.1, CIP-010-5, CIP-011-4.1, and CIP-013-3. According to NERC,
the proposed Reliability Standards would allow responsible entities
to fully implement virtualization and address risks associated with
virtualized environments, such as “side channel” attacks where
virtual systems executing on the same hardware could affect one
another. NERC also states that the use of security objectives
within the CIP Reliability Standards establishes a framework
adaptable to newer technologies. NERC explains that its revisions
would: (1) support different security models by adjusting language
around perimeter-based models to accommodate other security models;
(2) recognize “virtualization infrastructure and virtual machines
through new and revised terms in the NERC Glossary;” (3) broaden
“change management approaches beyond a baseline-only configuration
to recognize the dynamic nature of virtualized technologies,” e.g.,
where such virtualized systems are no longer installed on specific
servers; and (4) manage “accessibility and attack surfaces of a
virtualized configuration.” In addition to the changes to
facilitate virtualization, the proposed Reliability Standards
incorporate clarifications found during the implementation of prior
versions of the CIP Standards.
US Code:
16
USC 824s-1 Name of Law: Federal Power Act
US Code: 16
USC 824d Name of Law: Federal Power Act
US Code: 16
USC 824o Name of Law: Federal Power Act
US Code: 16 USC 824s-1 Name of Law: Federal
Power Act
Program Changes represent 400
burden responses for each CIP standard being updated for RM24-8.
Making the total 4,000 responses and 230,800 burden hrs. The Change
due to Adjustment represents the updated burden for CIP 2-7 which
has just an update in burden due to normal fluctuation, updated
from 1,492 to 1,673 respondents.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
2016-02-virtualization-implementation-plan_clean_04032024.pdf
RM24-8-000 (Issued).docx
CIP-013-3 One-time 1-3 Years