Federal Energy Regulatory Commission, Energy.
Notice of proposed information collection and request for comments.
In compliance with the requirements of section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A) (2006), (Pub. L. 104-13), the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the proposed information collection described below.
Comments in consideration of the collection of information are due December 27, 2010.
Commenters must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11-725B-000. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for Docket No. IC11-725B-000, due to a system issue.
All comments and FERC issuances may be viewed, printed or downloaded remotely through FERC's eLibrary at http://www.ferc.gov/docs-filing/elibrary.asp, by searching on Docket No. IC11-725B. For user assistance, contact FERC Online Support by e-mail at email@example.com, or by phone at: (866) 208-3676 (toll-free), or (202) 502-8659 for TTY.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Ellen Brown may be reached by e-mail at DataClearance@FERC.gov, telephone at (202) 502-8663, and fax at (202) 273-0873.End Further Info End Preamble Start Supplemental Information
The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902-0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII, Subtitle A, Start Printed Page 65619of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law. EPAct 2005 added a new section 215 to the FPA, requiring a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced in the United States by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards.
On February 3, 2006, the Commission issued Order No. 672, implementing section 215 of the FPA. Pursuant to Order No. 672, the Commission certified one organization, North American Electric Reliability Corporation (NERC), as the ERO. The Reliability Standards developed by the ERO and approved by the Commission apply to users, owners and operators of the Bulk-Power System, as set forth in each Reliability Standard.
On January 18, 2008, the Commission issued order 706, approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the NERC for Commission approval. The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. These standards help protect the nation's Bulk-Power System against potential disruptions from cyber attacks.
The eight CIP Reliability Standards address the following topics:
- Critical Cyber Asset Identification.
- Security Management Controls.
- Personnel and Training.
- Electronic Security Perimeters.
- Physical Security of Critical Cyber Assets.
- Systems Security Management.
- Incident Reporting and Response Planning.
- Recovery Plans for Critical Cyber Assets.
The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures. For example, each responsible entity must develop and document a risk-based assessment methodology to identify critical assets, which is then used to develop a list of critical cyber assets (CIP-002-1). A responsible entity that identifies any critical cyber assets must also document: A cyber security policy (CIP-003-1); a security awareness program (CIP-004-1, Requirement R1); a personnel risk assessment program (CIP-004-1, Requirement R3); an electronic security perimeter and processes for control of electronic access to all electronic access points to the perimeter (CIP-005-1, Requirements R1 and R2); a physical security plan (CIP-006-1); procedures for securing certain cyber assets (CIP-007-1); and recovery plans for critical cyber assets (CIP-008-1). To demonstrate compliance with the CIP Reliability Standards, responsible entities are required to maintain various lists and access logs. All responsible entities are required to be auditably compliant with the CIP Reliability Standards by the end of 2010, including all required documentation.
The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.
Action: The Commission is requesting a three-year extension of the FERC-725B reporting requirements, with no changes.
Burden Statement: The extent of the reporting burden is influenced by the number of identified critical assets and related critical cyber assets pursuant to CIP-002. An entity identifying one or more critical cyber assets, including assets located at remote locations, will likely require more resources to demonstrate compliance with the CIP Reliability Standards compared to an entity that identifies no critical assets. The Commission has developed estimates using data from NERC's compliance registry as well as a 2009 survey that was conducted by NERC to asses the number of entities reporting Critical Cyber Assets.
|Data collection||No. of respondents 6||Average No. of responses per respondent||Average No. of Burden hours per response 7||Total annual hours|
|(1)||(2)||(3)||(1) × (2) × (3)|
|Estimate of U.S. Entities that have identified Critical Cyber Assets||345||1||320||110,400|
|Estimate of U.S. Entities that have not identified Critical Cyber Assets||1,156||1||8||9,248|
|6 The NERC Compliance Registry as of 9/28/2010 indicated that 2,079 entities were registered for NERC's compliance program. Of these, 2,057 were identified as being U.S. entities. Staff concluded that of the 2,057 U.S. entities, only 1,501 were registered for at least one CIP related function. According to an April 7, 2009 memo to industry, NERC's VP and Chief Security officer noted that only 31% of entities responded to an earlier survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber Asset. Staff applied the 23% reporting to the 1,501 figure to obtain an estimate.|
|7 This figure relates to NERC's audit schedule which requires NERC to engage in a compliance Audit once every 3 to 5 years. For simplicity, staff has divided the total number of hours by 3 to reflect the amount of time annually spent preparing documents. Staff assumed that each CIP audit or spot check would require four individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be required to demonstrate compliance with CIP-002, which would require one individual approximately three days to execute.|
The total estimated annual cost burden to respondents is:
- Entities that have identified Critical Assets = 110,400 hours@$96 = $10,598,400.
- Entities that have not identified Critical Assets = 9,248 hours@$96 = $887,808.
The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report.
The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting or otherwise disclosing the information.
The estimate of cost for respondents is based upon salaries for professional and clerical support, as well as direct and indirect overhead costs. Direct costs include all costs directly attributable to providing this information, such as administrative costs and the cost for information technology. Indirect or overhead costs are costs incurred by an organization in support of its mission. These costs apply to activities which benefit the whole organization rather than any one particular function or activity.
Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology e.g. permitting electronic submission of responses.Start Signature
Kimberly D. Bose,
1. Energy Policy Act of 2005, Public Law No.109-58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), 16 U.S.C. 824o.Back to Citation
3. CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-007-1, CIP-008-1, and CIP-009-1.Back to Citation
4. In addition, in accordance with section 215(d)(5) of the FPA, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.Back to Citation
5. For a description of the CIP Reliability Standards, see the Critical Infrastructure Protection Section at NERC's Web site at http://www.nerc.com/page.php?cid=2/20.Back to Citation
8. Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates figure were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25% of respondents have in-house legal personnel.Back to Citation
[FR Doc. 2010-26988 Filed 10-25-10; 8:45 am]
BILLING CODE 6717-01-P