Skip to Content

Notice

Commission Information Collection Activities (FERC-725B); Comment Request; Extension

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Energy Regulatory Commission.

ACTION:

Notice of information collection and request for comments.

SUMMARY:

In compliance with the requirements of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A), the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the requirements and burden [1] of the information collection described below.

DATES:

Comments on the collection of information are due June 16, 2015.

ADDRESSES:

You may submit comments (identified by Docket No. IC15-6-000) by either of the following methods:

  • eFiling at Commission's Web site: http://www.ferc.gov/​docs-filing/​efiling.asp.
  • Mail/Hand Delivery/Courier: Federal Energy Regulatory Commission, Start Printed Page 21231Secretary of the Commission, 888 First Street NE., Washington, DC 20426.

Instructions: All submissions must be formatted and filed in accordance with submission guidelines at: http://www.ferc.gov/​help/​submission-guide.asp. For user assistance contact FERC Online Support by email at ferconlinesupport@ferc.gov, or by phone at: (866) 208-3676 (toll-free), or (202) 502-8659 for TTY.

Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at http://www.ferc.gov/​docs-filing/​docs-filing.asp.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Ellen Brown may be reached by email at DataClearance@FERC.gov, telephone at (202) 502-8663, and fax at (202) 273-0873.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Type of Request: Three-year extension of the information collection requirements for the collection described below with no changes to the current reporting requirements.

Comments: Comments are invited on: (1) Whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimates of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology.

FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection

OMB Control No.: 1902-0248.

Abstract: The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection, is required to implement the statutory provisions of Section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o).

On January 18, 2008, the Commission issued order 706,[2] approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC) for Commission approval. The CIP version 1 Reliability Standards, (CIP-002-1 through CIP-009-1),[3] require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. These standards help protect the nation's Bulk-Power System against potential disruptions from cyber-attacks. The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures. However, the CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. Nonetheless, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.

The Commission approved minor changes in CIP versions 2 and 3 Reliability Standards on September 30, 2009, and March 31, 2010,[4] respectively. On April 19, 2012, the Commission issued Order No. 761, approving the CIP version 4 Standards (CIP-002-4 through CIP-009-4) and an implementation plan that scheduled their enforcement to begin October 1, 2014.[5] The fundamental change in the CIP version 4 Standards was that all subject entities would use the same `bright line' criteria to determine which of the facilities they owned were subject to the required policies, plans, programs and procedures (which remained nearly the same as for prior versions).

On November 22, 2013, the Commission issued Order No. 791, approving the CIP version 5 Standards (CIP-002-5 through CIP-009-5, CIP-010-1 and CIP-011-1) and the proposed implementation plan. The CIP version 5 Standards are currently scheduled to be implemented and enforceable beginning April 2016. Order No. 791 eliminated the enforceability of the CIP version 4 Standards. The Commission also approved nineteen new or revised definitions associated with the CIP version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). The CIP version 5 Standards identify and categorize BES Cyber Systems using a new methodology based on whether a BES Cyber System has a Low, Medium, or High Impact on the reliable operation of the bulk electric system. At a minimum, a BES Cyber System must be categorized as a Low Impact asset. Once a BES Cyber System is categorized, a responsible entity must comply with the associated requirements of the CIP version 5 Standards that apply to the impact category. The CIP version 5 Standards include 12 requirements with new cyber security controls, which address Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).

Type of Respondent: Entities registered with the North American Electric Reliability Corporation.

Estimate of Annual Burden: There are three tables presenting burden associated with CIP Reliability Standards in the following section.

  • The first table illustrates burden associated with CIP version 5 Reliability Standards.
  • The second table illustrates burden associated with CIP version 3 and 4 Reliability Standards.
  • The third and last table is a summation of the total burden for all active CIP-related Reliability Standards (i.e. CIP Versions 3-5).Start Printed Page 21232

Annual Burden Related to CIP Reliability Standards

[Version 5]

Groups of registered entitiesClasses of entity's facilities requiring CIPNumber of entitiesTotal hours in year 1 (hours)Total hours in year 2 (hours)Total hours in year 3 (hours)
Group ALow412,5402,540564
Group BLow1,058554,392554,392110,032
Group BMedium260128,96064,89664,896
Group CLow316165,584165,58432,864
Group CMedium (New)781,24819,13619,136
Group CLow (Blackstart)28322,640−206,024−206,024
Group CMedium or High316257,856131,456131,456
Total1,133,220731,980152,924

The total annual burden (related to CIP Version 5 only) is 672,708 hours when averaging Years 1-3 [(1,133,220 hours + 731,980 hours + 152,924 hours) ÷ 3 = 672,708 hours]. The total annual cost averaged over Years 1-3 is $50,883,633 (672,708 hours * $75.64 [6] = $50,883,633).

Regarding CIP standards unaffected by CIP Version 5, the estimated burden has been adjusted to account for a reduction in affected entities.[7] The applicable estimate related to CIP Version 3 and 4 standards (related to the active components) is provided in the table below. (For display purposes, the numbers in the tables below have been rounded, however exact figures were used in the calculations.)

Burden Related to CIP Reliability Standards

[Version 3 and version 4] 8

Number of respondentsAnnual number of responses per respondentTotal number of responsesAverage burden and cost per responseTotal annual burden hours and total annual costCost per respondent ($)
(1)(2)(1)*(2)=(3)(4)(3)*(4)=(5)(5)÷(1)
1,41511,4159 383 $28,93710 541,334 $40,946,496$28,937

The following items represent the estimated total annual burden for FERC-725B and includes all burden associated with CIP Reliability Standards.[11]

  • Number of respondents: 1,415 (Not all entities with CIP-related functions will be obligated to comply with every CIP reliability standard.)
  • Total Annual Burden Hours: 1,214,042.
  • Total Annual Cost: $91,830,137 (1,214,042 hours * $75.64 = $91,830,137).
  • Average Cost per Respondent: $64,898 [12] ($91,830,137 ÷ 1,415 entities = $64,898).
Start Signature

Dated: April 13, 2015.

Kimberly D. Bose,

Secretary.

End Signature End Supplemental Information

Footnotes

1.  The Commission defines burden as the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. For further explanation of what is included in the information collection burden, reference 5 Code of Federal Regulations 1320.3.

Back to Citation

2.  Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040.

Back to Citation

3.  Every version of the CIP Reliability Standards may be found on the NERC Web site at http://www.nerc.com/​pa/​Stand/​Reliability%20Standards%20Complete%20Set/​RSCompleteSet.pdf.

Back to Citation

4.  129 FERC ¶ 61,236 (2009) (approving Version 2 of the CIP Reliability Standards); North American Electric Reliability Corp., and 130 FERC ¶ 61,271 (2010) (approving Version 3 of the CIP Reliability Standards).

Back to Citation

5.  Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24,594 (Apr. 25, 2012), 139 FERC ¶ 61,058 (2012), order denying reh'g, 140 FERC ¶ 61,109 (2012).

Back to Citation

6.  The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * $75.64 per Hour = Average Cost per Response. The hourly cost figure comes from May 2014 data on the Bureau of Labor Statistics Web site (http://www.bls.gov/​oes/​current/​naics2_​22.htm). The figure is a mathematical average of the cost of wages and benefits related to legal services ($129.68), technical employees ($58.17), and administrative support ($39.12).

Back to Citation

7.  The estimate has been decreased from 1,475 to 1,415. The NERC Compliance Registry indicated that as of 1/14/2015, 1,415 entities were registered for at least one CIP-related function/responsibility.

Back to Citation

8.  Reliability Standards CIP-002-3, CIP-003-3, CIP-004-3a, CIP-005-3a, CIP-006-3a, CIP-007-3c, CIP-008-3, and CIP-009-3.

9.  This figure is rounded for display in the table. The actual number is 382.56813 and is used in the calculations above.

10.  This figure is rounded for display in the table. The actual number is 541,333.91 and is used in the calculations above.

Back to Citation

11.  CIP Versions 3 and 4 (remaining components of Version 3 and 4), and 5.

Back to Citation

12.  This figure is rounded. The actual number is 64,897.623.

Back to Citation

[FR Doc. 2015-08875 Filed 4-16-15; 8:45 am]

BILLING CODE 6717-01-P