FERC-725B (OMB Control No. 1902-0248)
RIN: 1902-AG36
NOPR Issued September 18, 2025; published on September 23, 2025 (90 FR 45679)
Supporting Statement for:
FERC-725B, Revisions in RM24-8, Critical Infrastructure Protection Reliability Standards for NOPR for CIP Standards update of CIP-002-7, CIP-004-8, CIP-005-8, CIP-006-7.1, CIP-007-7.1, CIP-008-7.1, CIP-009-7.1, CIP-010-5, CIP-011-4.1, and CIP-013-3
The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review the revised collection of information designated as FERC-725B (Mandatory Reliability Standards: Critical Infrastructure Protection Reliability Standards) in RM24-8-000. The Commission proposes to approve four new definitions and 18 modified definitions in the North American Electric Reliability Corporation (NERC) Glossary of Terms Used in Reliability Standards (NERC Glossary). The Commission also proposes to approve eleven modified Critical Infrastructure Protection (CIP) Reliability Standards.
CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY
On August 8, 2005, The Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. EPAct 2005 added a new section 215 to the Federal Power Act (FPA),1 which provides that the Commission may certify an Electric Reliability Organization (ERO), the purpose of which is to establish and enforce Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.2 In 2006, the Commission certified the North American Electric Reliability Corporation (NERC) as the ERO pursuant to FPA section 215.3
The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply. On January 18, 2008, the Commission issued Order No. 706, approving the initial eight CIP Reliability Standards, CIP version 1 Standards, submitted by NERC. Subsequently, the Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyber-related threats to the Bulk-Power System. On November 22, 2013, the Commission issued Order No. 791, approving CIP version 5 Standards, the last major revision to the CIP Reliability Standards. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or low risk to the operation of the BES if compromised.
HOW, BY WHOM AND FOR WHAT PURPOSE IS THE INFORMATION TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION
NERC submitted the proposed modifications to update the CIP Reliability Standards to enable the application of virtualization and other new technologies in a secure manner.4 The proposed modifications do not obligate entities to adopt virtualization; rather, if approved, the proposed CIP Reliability Standards would accommodate responsible entities that choose to do so.
The proposed rule does not mandate or require action by any responsible entity that owns or operates high-impact or medium-impact BES Cyber Systems other than the possible eventual updating of compliance documentation for processes related to the proposed Reliability Standards.
Responsible entities that do not intend to modify their networks will only need to make minimal revisions to their compliance programs to align with the proposed CIP Reliability Standards. This limited impact will consist of incorporating four new definitions (Cyber System, Management Interface, Shared Cyber Infrastructure, and Virtual Cyber Asset) into the documentation for each of the 11 affected Reliability Standards. Additionally, responsible entities will need to maintain documents to demonstrate compliance with the 11 affected Reliability Standards.
The 11 modified CIP Reliability Standards are:
CIP-002-7 (Cyber Security – BES Cyber System Categorization)
CIP-003-10 (Cyber Security - Security Management Controls)5
CIP-004-8 (Cyber Security – Personnel & Training)
CIP-005-8 (Cyber Security – Electronic Security Perimeter(s))
CIP-006-7.1 (Cyber Security – Physical Security of BES Cyber Systems)6
CIP-007-7.1 (Cyber Security – Systems Security Management)
CIP-008-7.1 (Cyber Security – Incident Reporting and Response Planning)
CIP-009-7.1 (Cyber Security – Recovery Plans for BES Cyber Systems)
CIP-010-5 (Cyber Security – Configuration Change Management and Vulnerability Assessments)
CIP-011-4.1 (Cyber Security – Information Protection)
CIP-013-3 (Cyber Security – Supply Chain Risk Management)
According to NERC, the proposed Reliability Standards would allow responsible entities to fully implement virtualization and address risks associated with virtualized environments, such as “side channel” attacks where virtual systems executing on the same hardware could affect one another. NERC also states that the use of security objectives within the CIP Reliability Standards establishes a framework adaptable to newer technologies. NERC explains that its revisions would: (1) support different security models by adjusting language around perimeter-based models to accommodate other security models; (2) recognize “virtualization infrastructure and virtual machines through new and revised terms in the NERC Glossary;” (3) broaden “change management approaches beyond a baseline-only configuration to recognize the dynamic nature of virtualized technologies,” e.g., where such virtualized systems are no longer installed on specific servers; and (4) manage “accessibility and attack surfaces of a virtualized configuration.” In addition to the changes to facilitate virtualization, the proposed Reliability Standards incorporate clarifications found during the implementation of prior versions of the CIP Standards.
NERC explains that to accommodate different security models, the proposed revisions would allow responsible entities to either continue to use a perimeter-model or more policy-based controls through virtual environments. The standard drafting team revised the definitions of Electronic Security Perimeter, Electronic Access Point, and External Routable Connectivity. NERC explains that the proposed Reliability Standards permit responsible entities to use protections that are appropriate and secure for virtualization by applying protections where they are needed rather than relying on a one-to-one relationship between hardware and software in the currently defined cyber assets. To account for virtual machines and their underlying infrastructure, the standard drafting team also revised the definition of Cyber Asset and Virtual Cyber Asset, Shared Cyber Infrastructure, Management Interface, and Cyber Systems.
NERC explains that the proposed Reliability Standards broaden configuration change management to reflect characteristics of the technologies enabled by virtualization. In addition to the virtualization modifications described above, NERC proposes to replace the phrase technical feasibility, which appears in nine Requirements of the currently effective CIP Standards, with the phrase per system capability. NERC also proposes to add the phrase per system capability in six Requirements with no existing technical feasibility exception language. NERC explains that the phrase per system capability is used to “account for different types of technology that will be expected to meet the security objective of a particular CIP Reliability Standard.” According to NERC, “should a Responsible Entity choose to rely on the new term, the Responsible Entity will need to document the limit to the system’s capability and demonstrate during compliance monitoring activities that the system’s incapability prevents the Responsible Entity from implementing the control within the requirement.” NERC adds that it and the Regional Entities have observed a significant decrease in the number of submitted technical feasibility exceptions and the replacement with the phrase per system capability would ease the administrative burden associated with the current approach.
NERC’s proposed implementation plan provides that the proposed Reliability Standards and definitions shall become effective on the later of April 1, 2026, or the first day of the first calendar quarter that is 24 months after the effective date of the applicable governmental authority’s order approving the Reliability Standards and definitions, or as otherwise provided for by the applicable governmental authority.
DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.
This collection does not require industry to file the information with the Commission. However, FERC-725B does contain information collection and record retention requirements for which using current technology is an option.
The use of current or improved technology is not covered in Reliability Standards and is therefore left to the discretion of each reporting entity. Commission staff estimates that nearly all of the respondents are likely to make and keep related records in an electronic format. Each of the eight Regional Entities has a well-established compliance portal for registered entities to electronically submit compliance information and reports. The compliance portals allow documents developed by the registered entities to be attached and uploaded to the Regional Entity’s portal. Compliance data can also be submitted by filling out data forms on the portals. These portals are accessible through a password-protected user interface in an internet browser.
DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2
Filing requirements are periodically reviewed as OMB review dates arise or as the Commission may deem necessary in carrying out its regulatory responsibilities under the FPA to eliminate duplication and ensure that filing burden is minimized. There are no similar sources for information available that can be used or modified for these reporting purposes.
METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES
The Commission estimates one-time and ongoing increases in reporting burden on a variety of NERC-registered entities (including Generator Operators, Generator Owners) due to the changes in the proposed Reliability Standard, with no other increase in the cost of compliance (when compared with the current Standards). Approximately 288 of the affected entities are expected to meet the Small Business Administration’s definition for a small entity.7
Small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity the ability to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC’s Rules of Procedure at sections 507 and 508, available on NERC’s website.8
CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY
The paperwork requirements are related to documenting compliance with substantive requirements and maintaining such documents of the eleven modified CIP Reliability Standards. The frequency of the paperwork requirements was vetted and approved by industry consensus in the NERC standard development process and is ultimately meant to support the reliability of the Bulk-Power System.
EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION
FERC-725B information collection has no special circumstances.
DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS
The ERO process to establish Reliability Standards is a collaborative process with the ERO, Regional Entities, and other industry stakeholders developing and reviewing drafts and providing comments.9 The NERC-approved Reliability Standards were then submitted by NERC to the Commission for review and approval.
The Commission published the Proposed Rule in Docket No. RM24-8-000 on September 23, 2026 (90 FR 45685). Comments on the proposed rule are due November 24, 2025.
EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS
No payments or gifts have been made to respondents.
DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS
According to the NERC Rules of Procedure,10 “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.
Responding entities do not submit the information collected due to the Reliability Standards to FERC. Rather, they submit the information to NERC, the regional entities, or maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.
PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE
This collection does not contain any questions of a sensitive nature.
ESTIMATED BURDEN OF COLLECTION OF INFORMATION
The Commission bases its paperwork burden estimates on the additional paperwork burden presented by the proposed revisions to Reliability Standards filed by NERC for Commission approval. Proposed Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems.
Estimate of Annual Burden:11 As of June 2025, the NERC Compliance Registry identifies approximately 1,673 unique U.S. entities that are subject to mandatory compliance with CIP Reliability Standards. All 1,673 entities would need to conform to modifications proposed under Reliability Standard CIP-002-7. However, as stated in NERC’s petition, the revisions in proposed Reliability Standard CIP-002-7 are minor, mostly aligning the standard with updates to the NERC Glossary.12 Therefore, we do not envision an increased paperwork burden specifically pertaining to any modifications in proposed Reliability Standard CIP-002-7. However, of the 1,673 total entities, we estimate that 400 entities will face an increased paperwork burden under revisions to proposed Reliability Standards CIP‑003‑10, CIP-004-8, CIP-005-8, CIP-006-7.1, CIP-007-7.1, CIP-008-7.1, CIP‑009‑7.1, CIP-010-5, CIP-011-4.1, and CIP-013-3. Based on these assumptions, the estimated reporting burden is as follows:
Total Changes Proposed by the NOPR in Docket RM24-8-000 [13]

| | Number of Respondents (1) | Annual Number of Responses per Respondent (2) | Total Number of Responses (1)*(2)=(3) | Average Burden & Cost Per Response [14] (4) | Total Annual Burden Hours & Total Annual Cost (3)*(4)=(5) | Cost per Respondent ($) (5)÷(1) |
|---|---|---|---|---|---|---|
| Conforming to modifications proposed under Reliability Standard CIP-002-7 | 1673 | 1 | 1673 | Commission does not anticipate any material information collection costs associated with CIP-002-7. | Commission does not anticipate any material information collection costs associated with CIP-002-7. | Commission does not anticipate any material information collection costs associated with CIP-002-7. |
| Update compliance related documentation of one or more process(es) pertaining to proposed Reliability Standards: | 400 | 1 | 400 | 57.7 hrs.; | 230,800 hrs.; | $49,045 |
| Total burden | | | 4000 | 577 hrs.; | 230,800 | $49,045 |
The estimated responses and burden hours for Years 1-3 will total respectively as follows:
• Year 1-3 total: 400 responses; 230,800 hours.
The annual cost burden for each year One to Three is $6,539,333.
ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS
There are no start-up or other non-labor costs.
Total Capital and Start-up cost: $0
Total Operation, Maintenance, and Purchase of Services: $0
All costs due to the final rule are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.
ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT
The Commission would incur costs associated with processing filings under the final rule, and in obtaining OMB clearance under the PRA. The estimated processing cost totals $214,093 annually. The Commission estimates receiving 20 informational filings per year under the final rule, with each filing estimated to take approximately 100 hours to analyze and process, totaling the number of hours and cost of one FTE.
The estimated PRA Administrative Cost of $7,978 is a federal cost associated with preparing, issuing, and submitting materials necessary to comply with the PRA for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings and orders, other changes to the collection, and associated publications in the Federal Register.
As shown in the table below, $222,071 is the sum of the estimated annual federal cost of analyzing and processing the filings (which is the annual salary for one Full-Time Equivalent (FTE) of $214,093) plus the estimated PRA administrative cost of $7,978.
Table 14
Estimated Annual Federal Costs

| FERC-725B | Number of Employees (FTEs) | Estimated Annual Federal Cost |
|---|---|---|
| Analysis and Processing of Filings | 1 | $214,093 |
| Paperwork Reduction Act Administrative Cost | | $7,978 |
| TOTAL | | $222,071 |
REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE
The updated CIP standards present a new burden of 400 responses and 230,800 hrs., as stated above in the table within section #12. Program Changes represent 400 burden responses for each CIP standard being updated for RM24-8, making the total 4,000 responses and 230,800 burden hrs. The Change due to Adjustment represents the updated burden for CIP 2-7, which has just an update in burden due to normal fluctuation, updated from 1,492 to 1,673 respondents.
TIME SCHEDULE FOR THE PUBLICATION OF DATA
There are no tabulating, statistical or publication plans in accordance with the final rule.
DISPLAY OF THE EXPIRATION DATE
The expiration date is displayed in a table posted on ferc.gov at https://www.ferc.gov/information-collections.
EXCEPTIONS TO THE CERTIFICATION STATEMENT
There are no exceptions.
1 16 U.S.C. 824o.
2 Id. 824o(e).
3 N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh’g & compliance, 117 FERC ¶ 61,126 (2006), order on compliance, 118 FERC ¶ 61,030, order on compliance, 118 FERC ¶ 61,190, order on reh’g, 119 FERC ¶ 61,046 (2007), aff’d sub nom. Alcoa Inc. v. FERC, 564 F.3d 1342 (D.C. Cir 2009).
4 See NERC Petition at 2-5. Virtualization is “the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical hardware resources required to perform various functions.” NERC Petition at 12 (quoting National Institute of Standards and Technology (NIST), Guide to Security for Full Virtualization Technologies, Special Publication 800-125 (Jan. 2011) (NIST Virtualization Security Special Publication)).
5 On December 24, 2024, NERC submitted a petition for approval of proposed Reliability Standard CIP-003-11 (Cyber Security - Security Management Controls), in Docket No. RM25-8-000. In a notice of proposed rulemaking issued concurrent with the immediate NOPR, the Commission proposes to take action on proposed Reliability Standard CIP-003-11 [September 18, 2025].
6 See NERC Supp. Petition at 3 (making errata corrections to several CIP Standards, designated with a “.1” in the version number, e.g., CIP‑006-7.1).
7 Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this Final Rule, we are using a 500-employee threshold due to each affected entity falling in the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).
8 See generally NERC, Rules of Procedure (2024), https://www.nerc.com/AboutNERC/pages/rules-of-procedure.aspx.
9 Details of the ERO standards development process are available on the NERC website at http://www.nerc.com/pa/Stand/Documents/Appendix_3A_StandardsProcessesManual.pdf.
10 NERC Rules of Procedure, sec. 1502, at 91-92 (revised Nov. 28, 2023).
11 “Burden” is the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a federal agency. 5 C.F.R. § 1320.3.
12 NERC Petition at 38.
13 The paperwork burden estimate includes costs associated with the initial development of a policy to address the requirements.
14 This burden applies in Year One to Year Three.
The loaded hourly wage figure (includes benefits) is based on the average of three occupational categories for May 2024 Wages found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm). The loaded hourly wage includes fringe benefits divided by 81.70 percent. See https://data.bls.gov/oes/#/industry/000000:
Legal Occupations (90th percentile) (Occupation Code: 23-0000): $140.76.
Electrical Engineer (mean) (Occupation Code: 17-2071): $71.19.
Office and Administrative Support (90th percentile) (Occupation Code: 43-0000): $43.83
($140.76 + $71.19 + $43.83) ÷ 3 = $85.26.
The figure is rounded to $85.00 for use in calculating wage figures in this NOPR.
| File Title | RM18-20 NOPR supporting statement |
| File Created | 2025-12-06 |