Federal Energy Regulatory Commission, DOE.
In compliance with the requirements of section 3507 of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy Regulatory Commission (Commission or FERC) has submitted the information collection described below to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission published a Notice in the Federal Register (75 FR 65618, 10/26/2010) requesting public comments. In addition, FERC published a notice in the Federal Register (76 FR 19333, 4/7/2011) indicating submission to OMB of the information collection described below and stating that it had not received any comments regarding the collection of information thus far. Subsequently, FERC staff became aware of a comment from the Transmission Agency of Northern California (TANC) that had been submitted in a timely manner but had been indexed incorrectly internally. On May 3, 2011, the Commission issued a notice extending the comment period (on the notice published April 7, 2011) to June 23, 2011. The Commission is revising its submission to OMB to reflect receipt of the comment.
Comments on the collection of information are due by June 30, 2011.
Address comments on the collection of information to the Office of Management and Budget, Office of Information and Regulatory Affairs, Attention: Federal Energy Regulatory Commission Desk Officer. Comments to OMB should be filed electronically, c/o firstname.lastname@example.org and include OMB Control Number 1902-0248 for reference. The Desk Officer may be reached by telephone at 202-395-4638.
A copy of the comments should also be sent to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for Docket No. IC11-725B-001, due to a system issue.
All comments may be viewed, printed or downloaded remotely via the Internet through FERC's homepage using the “eLibrary” link. For user assistance, contact email@example.com or toll-free at (866) 208-3676, or for TTY, contact (202) 502-8659.
FOR FURTHER INFORMATION CONTACT:
Ellen Brown may be reached by e-mail at DataClearance@FERC.gov, by telephone at (202) 502-8663, and by fax at (202) 273-0873.
The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902-0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On January 18, 2008, the Commission issued Order No. 706, approving eight Critical Infrastructure Protection Reliability Standards (CIP Standards) submitted by the North American Electric Reliability Corporation (NERC) for Commission approval.
The CIP Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. These standards help protect the nation's Bulk-Power System against potential disruptions from cyber attacks. The CIP Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Standards require responsible entities to develop various policies, plans, programs, and procedures.
The CIP Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Standards.
Public Comment and FERC Response: TANC stated that it believed the Commission did not adequately address or articulate the burden that falls on companies in complying with the CIP Standards, and in particular the hourly and cost burdens of producing the documentation required by the CIP Standards. After reviewing the commenter's submittal, FERC decided to examine the burden calculations more carefully. Relying on OMB guidance in interpreting the requirements of the Paperwork Reduction Act of 1995, FERC has determined that its initial estimate of cost burden was indeed lower than is reasonable for the average respondent.
FERC maintains that the universe of respondents breaks down into three main categories: (1) Entities that have identified Critical Cyber Assets and have undergone a previous audit; (2) Entities that have not identified Critical Cyber Assets but must show compliance with CIP-003 R1 and CIP-002 R1 through R3; and (3) New entities that have come into compliance with the CIP Standards and are undergoing their first compliance audit. FERC's revised burden analysis is based on the average amount of time expended annually to obtain or maintain the information necessary in the event of a compliance audit. The fact that the average company may experience a spike in burden hours immediately preceding and during a compliance audit is accounted for in the revised estimate.
The difference between the first and third categories of respondents is that, as an entity goes through multiple compliance audits, its processes become streamlined and more automated, which is then reflected in a lessening of its burden. Other factors that cause the burden numbers to fluctuate include the size of the company, the number of overall electric assets it has, the number of Critical Assets and Critical Cyber Assets it identifies, etc. Therefore, the total numbers currently used by FERC to calculate cost burden are considered the case for an average-sized company with an average number of Critical Assets and Critical Cyber Assets. It is expected that the actual burden experienced by respondents may be higher or lower than the Commission estimate, based on the factors listed above.
Based on observations over several audit cycles, FERC now thinks that the preparation of the audit paperwork for an entity undergoing its first compliance audit (respondent category 3) is approximately 3,840 hours. This represents 20 technical personnel working 50% of their time over 8 weeks gathering and compiling all of the required paperwork to show compliance, plus a secondary period, estimated at 20% of the primary effort, needed to respond to questions arising from the initial submission and gather the additional information they generate.
Based on observations over several audit cycles, FERC now thinks that the burden associated with ongoing compliance and preparation for future audits (respondent category 1) is less than that of entities coming into compliance for the first time (respondent category 3), as these entities are familiar with the audit compliance process and presumably will have streamlined their processes to handle the data collection effort. FERC estimates this should result in a 50% reduction of their effort, for a burden of approximately 1,920 hours.
Finally, for those entities that have not identified Critical Cyber Assets but must still show compliance with CIP-003 R1 and CIP-002 R1 through R3 (respondent category 2), FERC agrees with TANC and now estimates that these entities must expend approximately 120 hours or the equivalent of 3 employees working 50% of their time for 2 weeks. FERC believes this is a reasonable estimate as the majority of these entities are small and therefore have fewer electrical assets to examine in order to determine if they have any Critical Assets, which is the first stage of the CIP-002 process.
FERC has also reconsidered dividing the burden hours by three to reflect the NERC audit schedule of 3-5 years and is instead not dividing the burden hours at all. This is due to the fact that a company will have to be obtaining and maintaining the information necessary for an audit on a consistent basis, and not only during an audit that occurs every 3-5 years. Therefore, the revised burden hours presented here represent the average annual burden hours per respondent, including the spikes that may result during an audit.
Action: The Commission is requesting a three-year extension of the existing collection with no changes to the requirements.
Burden Statement: The revised estimated annual burden is shown below in accordance with the discussion above. The Commission has developed estimates using data from NERC's compliance registry as well as a 2009 survey that was conducted by NERC to assess the number of entities reporting Critical Cyber Assets.
| Data collection | Number of respondents [6] (1) | Average number of responses per respondent (2) | Average number of burden hours per response [7] (3) | Total annual hours (1) × (2) × (3) |
| Category 1—Estimate of U.S. Entities that have identified Critical Cyber Assets | 345 | 1 | 1,920 | 662,400 |
| Category 2—Estimate of U.S. Entities that have not identified Critical Cyber Assets | 1,156 | 1 | 120 | 138,720 |
| Category 3—New U.S. Entities that have to come into compliance with the CIP Standards [8] | 6 | 1 | 3,840 | 23,040 |
| Entities no longer required to comply with CIP Standards (two category 1 respondents and four category 2 respondents) | Category 1: −2 | 1 | 1,920 (category 1, 2 respondents) | −3,840 |
| | Category 2: −4 | 1 | 120 (category 2, 4 respondents) | −480 |
The total estimated annual cost burden to respondents is:
- Category 1, Entities that have identified Critical Assets = 658,560 (662,400−3,840) hours @ $96 = $63,221,760
- Category 2, Entities that have not identified Critical Assets = 138,240 (138,720−480) hours @ $96 = $13,271,040
- Category 3, New U.S. Entities that have to comply with CIP Standards = 23,040 hours @ $96 = $2,211,840
- Storage Costs for Entities that have identified Critical Assets [9] = 345 Entities @ $15.25 = $5,261
- Total Cost for the FERC-725B = $78,709,901
The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report. [10] The $15.25 rate for storage costs for each entity is an estimate based on the average costs to service and store 1 GB of data to demonstrate compliance with the CIP Standards. [11]
The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting, or otherwise disclosing the information.
Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimates of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collections of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses.
Dated: May 25, 2011.
Kimberly D. Bose,
1. The previous comment period ending on June 23rd will be extended to the date 30 days after publication of this revised notice in the Federal Register, as stated in the DATES section of this notice.
2. CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-007-1, CIP-008-1, and CIP-009-1.
3. In addition, in accordance with section 215(d)(5) of the FPA, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.
4. For a description of the CIP Standards, see the Critical Infrastructure Protection Section on NERC's Web site at http://www.nerc.com/page.php?cid=2\20.
5. The October notice issued in this docket contains more information on the reporting requirements and can be found at http://elibrary.ferc.gov/idmws/File_list.asp?document_id=13857625. The full text of the standards can be found on NERC's Web site at http://www.nerc.com/page.php?cid=2/20.
6. The NERC Compliance Registry as of 9/28/2010 indicated that 2079 entities were registered for NERC's compliance program. Of these, 2057 were identified as being U.S. entities. Staff concluded that of the 2057 U.S. entities, only 1501 were registered for at least one CIP-related function. According to an April 7, 2009, memo to industry, NERC's VP and Chief Security Officer noted that only 31% of entities responded to an earlier survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber Asset. Staff applied the 23% figure to the 1501 entities to obtain an estimate. The 6 new entities listed here are assumed to match a similar set of 6 entities that would drop out in a given year. Thus, the net estimate of respondents remains at 1501 per year.
7. Burden hours per response were derived as follows.
Respondent category 3:
20 employees × (working 50%) × (40 hrs/week) × (8 weeks) = 3200 hours
Secondary period: 20% × 3200 hrs = 640 hours
Total = 3840 hours
Respondent category 2:
3 employees × (working 50%) × (40 hrs/week) × (2 weeks) = 120 hours
Respondent category 1:
50% of 3840 hours = 1920 hours
8. These respondents and those in the subsequent column of the table (with the corresponding burden and cost figures) were not included in the 60-day public notice due to an oversight by Commission staff.
9. This cost category was not included in the 60-day public notice due to an oversight by Commission staff.
10. Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates figures were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25% of respondents have in-house legal personnel.
11. Based on the aggregate cost of an IBM advanced data protection server.
[FR Doc. 2011-13475 Filed 5-27-11; 8:45 am]
BILLING CODE 6717-01-P