80 FR 123 pgs. 36800-36803 - Commission Information Collection Activities (FERC-725B); Comment Request

Next Article Next

Type: NOTICEVolume: 80Number: 123Pages: 36800 - 36803

Docket number: [Docket No. IC15-6-000]

FR document: [FR Doc. 2015-15652 Filed 6-25-15; 8:45 am]

Agency: Energy Department

Sub Agency: Federal Energy Regulatory Commission

Official PDF Version: PDF Version

Pages: 36800, 36801, 36802, 36803

[top]

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC15-6-000]

Commission Information Collection Activities (FERC-725B); Comment Request

AGENCY:

Federal Energy Regulatory Commission, DOE.

ACTION:

Comment request.

SUMMARY:

In compliance with the requirements of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507(a)(1)(D), the Federal Energy Regulatory Commission (Commission or FERC) is submitting its information collection [FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection] to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission previously issued a Notice in the Federal Register (80 FR 21230, 4/17/2015) requesting public comments. The Commission received one public comment on the FERC725B. The public comment and FERC's response are provided later in this notice.

DATES:

Comments on the collection of information are due by July 27, 2015.

ADDRESSES:

Comments filed with OMB, identified by the OMB Control No. 1902-0248, should be sent via email to the Office of Information and Regulatory Affairs: oira_submission@omb.gov Attention: Federal Energy Regulatory Commission Desk Officer. The Desk Officer may also be reached via telephone at 202-395-0710.

A copy of the comments should also be sent to the Commission, in Docket No. IC15-6-000, by either of the following methods:

[top] • eFiling at Commission's Web site: http://www.ferc.gov/docs-filing/efiling.asp.

• Mail/Hand Delivery/Courier: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426.

Instructions: All submissions must be formatted and filed in accordance with submission guidelines at: http://www.ferc.gov/help/submission-guide.asp. For user assistance contact FERC Online Support by email at ferconlinesupport@ferc.gov, or by phone at: (866) 208-3676 (toll-free), or (202) 502-8659 for TTY.

Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at http://www.ferc.gov/docs-filing/docs-filing.asp.

FOR FURTHER INFORMATION CONTACT:

Ellen Brown may be reached by email at DataClearance@FERC.gov, by telephone at (202) 502-8663, and by fax at (202) 273-0873.

SUPPLEMENTARY INFORMATION:

Title: FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection

OMB Control No.: 1902-0248

Type of Request: Three-year extension of the FERC-725B information collection requirements with no changes to the reporting requirements.

Abstract: The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection, is required to implement the statutory provisions of Section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o).

On January 18, 2008, the Commission issued order 706,¹approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC) for Commission approval. The CIP version 1 Reliability Standards, (CIP-002-1 through CIP-009-1),²require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. These standards help protect the nation's Bulk-Power System against potential disruptions from cyber-attacks. The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures. However, the CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. Nonetheless, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.

Footnotes:

¹ Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040.

² Every version of the CIP Reliability Standards may be found on the NERC Web site at http://www.nerc.com/pa/Stand/Reliability%20Standards%20Complete%20Set/RSCompleteSet.pdf.

The Commission approved minor changes in CIP versions 2 and 3 Reliability Standards on September 30, 2009, and March 31, 2010,³respectively. On April 19, 2012, the Commission issued Order No. 761, approving the CIP version 4 Standards (CIP-002-4 through CIP-009-4) and an implementation plan that scheduled their enforcement to begin October 1, 2014.⁴The fundamental change in the CIP version 4 Standards was that all subject entities would use the same `bright line' criteria to determine which of the facilities they owned were subject to the required policies, plans, programs and procedures (which remained nearly the same as for prior versions).

Footnotes:

³ 129 FERC ¶ 61,236 (2009) (approving Version 2 of the CIP Reliability Standards); North American Electric Reliability Corp., and 130 FERC ¶ 61,271 (2010) (approving Version 3 of the CIP Reliability Standards).

⁴ Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24,594 (Apr. 25, 2012), 139 FERC ¶ 61,058 (2012), order denying reh'g, 140 FERC ¶ 61,109 (2012).

On November 22, 2013, the Commission issued Order No. 791, approving the CIP version 5 Standards (CIP-002-5 through CIP-009-5, CIP-010-1 and CIP-011-1) and the proposed implementation plan. The CIP version 5 Standards are currently scheduled to be implemented and enforceable beginning April 2016. Order No. 791 eliminated the enforceability of the CIP version 4 Standards. The Commission also approved nineteen new or revised definitions associated with the CIP version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). The CIP version 5 Standards identify and categorize Bulk Electric System (BES) Cyber Systems using a new methodology based on whether a BES Cyber System has a Low, Medium, or High Impact on the reliable operation of the bulk electric system. At a minimum, a BES Cyber System must be categorized as a Low Impact asset. Once a BES Cyber System is categorized, a responsible entity must comply with the associated requirements of the CIP version 5 Standards that apply to the impact category. The CIP version 5 Standards include 12 requirements with new cyber security controls, which address Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).

Type of Respondents: Entities registered with the North American Electric Reliability Corporation.

Estimate of Annual Burden: ⁵There are three items presenting burden associated with CIP Reliability Standards in the following section.

Footnotes:

⁵ The Commission defines burden as the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. For further explanation of what is included in the information collection burden, reference 5 Code of Federal Regulations 1320.3.

• The first table illustrates burden associated with CIP version 5 Reliability Standards.

• The second table illustrates burden associated with CIP version 3 and 4 Reliability Standards.

• The third item (bulleted list) is a sum of the total burden for all active CIP-related Reliability Standards ( i.e. CIP Versions 3-5).

[top]

Groups of registered entities	Classes of entity's facilities requiring CIP	Number of entities	Total hours in year 1 (hours)	Total hours in year 2 (hours)	Total hours in year 3 (hours)
Group A	Low	41	2,540	2,540	564
Group B	Low	1,058	554,392	554,392	110,032
Group B	Medium	260	128,960	64,896	64,896
Group C	Low	316	165,584	165,584	32,864
Group C	Medium (New)	78	1,248	19,136	19,136
Group C	Low (Blackstart)	283	22,640	⁶ -206,024	⁶ -206,024
Group C	Medium or High	316	257,856	131,456	131,456
Total			1,133,220	731,980	152,924

The total annualburden (related to CIP Version 5 only) is 672,708 hours when averaging Years 1-3 [(1,133,220 hours + 731,980 hours + 152,924 hours) ÷ 3 = 672,708 hours]. The total annual cost averaged over Years 1-3 is $50,883,633 (672,708 hours * $75.64⁷= $50,883,633).

Footnotes:

⁶ These figures (in the context of this table) represent a removal of requirements and burden for Group C (Blackstart) respondents in Years 2 and 3 due to CIP Version 5 changes. Since these numbers are stated as negative figures, they represent a reduction in OMB-approved burden estimate.

⁷ The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * $75.64 per Hour = Average Cost per Response. The hourly cost figure comes from May 2014 data on the Bureau of Labor Statistics Web site ( http://www.bls.gov/oes/current/naics2_22.htm ). The figure is a mathematical average of the cost of wages and benefits related to legal services ($129.68), technical employees ($58.17), and administrative support ($39.12).

Regarding CIP standards unaffected by CIP Version 5, the estimated burden has been adjusted to account for a reduction in affected entities.⁸The applicable estimate related to CIP Version 3 and 4 standards (related to the active components) is provided in the table below. (For display purposes, the numbers in the tables below have been rounded, however exact figures were used in the calculations.)

Footnotes:

⁸ The estimate has been decreased from 1,475 to 1,415. The NERC Compliance Registry indicated that as of 1/14/2015, 1,415 entities were registered for at least one CIP-related function/responsibility.

Number of respondents	Annual number of responses per respondent	Total number of responses	Average burden & cost per response	Total annual burden hours & total annual cost	Cost per respondent ($)
(1)	(2)	(1) * (2) = (3)	(4)	(3) * (4) = (5)	(5) ÷ (1)
1,415	1	1,415	¹⁰ 383 $28,937	¹¹ 541,334 $40,946,496	$28,937

The followingitems represent the estimated total annual burden for FERC-725B and includes all burden associated with CIP Reliability Standards.¹²

Footnotes:

⁹ Reliability Standards CIP-002-3, CIP003-3, CIP-004-3a, CIP-005-3a, CIP-006-3a, CIP-007-3c, CIP-008-3, and CIP-009-3.

¹⁰ This figure is rounded for display in the table. The actual number is 382.56813 and is used in the calculations above.

¹¹ This figure is rounded for display in the table. The actual number is 541,333.91 and is used in the calculations above.

¹² CIP Versions 3 and 4 (remaining components of Version 3 and 4), and 5.

• Number of respondents: 1,415 (Not all entities with CIP-related functions will be obligated to comply with every CIP reliability standard.)

• Total Annual Burden Hours: 1,214,042

• Total Annual Cost: $91,830,137 (1,214,042 hours * $75.64 = $91,830,137)

• Average Cost per Respondent: $64,898¹³($91,830,137 ÷ 1,415 entities = $64,898).

Footnotes:

¹³ This figure is rounded. The actual number is 64,897.623.

Public comments received about the FERC-725B information collection: FERC received one comment from Robert S. Lynch and Associates. The comment pertained to the the burden and cost of responding to a Freedom of Information Act (FOIA) request related to the FERC-725B and the information collection not being safeguarded against a request under the FOIA.

FERC's response to the public comment: The burden related to the Federal Energy Regulatory Commission safeguarding of information collection activities against a request under the Freedom of Information Act (FOIA) request does not have a direct collection cost burden on the regulated entities and, thus, is not included in the reported cost burden.

[top] However, to the data vulnerability issue raised by the commenter, the information collected as related to the CIP Reliability Standards is generally protected from FOIA requests because it is retained by the regulated entities themselves and not the Commission. For compliance and enforcement activities of the CIP Reliability Standards, Section 215 of the Federal Power Act (FPA)¹⁴required the Commission to appoint an Electric Reliability Organization (ERO). The Commission appointed NERC. The ERO and its designated assignees, generally in exercising its compliance and enforcement activities under Section 215 of the FPA, only reviews the information collected by the regulated entities and only takes possession of the information required to process the enforcement actions. The Commission, in furtherance of the Commission's statutory responsibility under Section 215 of the FPA, reviews and approves enforcement actions undertaken by ERO and, in doing so, does receive information collected related to CIP Reliability Standards. However, the information that is received by the Commission for performing its statutory oversight responsibilities is generally devoid of specific sensitive information. Therefore, FERC does not find it

necessary to make any changes to the collection at this time.

Footnotes:

¹⁴ 16 U.S.C. 824o.

Comments: Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology.

Dated: June 19, 2015.

Kimberly D. Bose,

Secretary.

[FR Doc. 2015-15652 Filed 6-25-15; 8:45 am]

BILLING CODE 6717-01-P