This PDF is the current document as it appeared on Public Inspection on 06/25/2015 at 08:45 am.
Federal Energy Regulatory Commission, DOE.
In compliance with the requirements of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507(a)(1)(D), the Federal Energy Regulatory Commission (Commission or FERC) is submitting its information collection [FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection] to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission previously issued a Notice in the Federal Register (80 FR 21230, 4/17/2015) requesting public comments. The Commission received one public comment on the FERC-725B. The public comment and FERC's response are provided later in this notice.
Comments on the collection of information are due by July 27, 2015.
Comments filed with OMB, identified by the OMB Control No. 1902-0248, should be sent via email to the Office of Information and Regulatory Affairs: firstname.lastname@example.org Attention: Federal Energy Regulatory Commission Desk Officer. The Desk Officer may also be reached via telephone at 202-395-0710.
A copy of the comments should also be sent to the Commission, in Docket No. IC15-6-000, by either of the following methods:
- eFiling at Commission's Web site: http://www.ferc.gov/docs-filing/efiling.asp.
- Mail/Hand Delivery/Courier: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426.
Instructions: All submissions must be formatted and filed in accordance with submission guidelines at: http://www.ferc.gov/help/submission-guide.asp. For user assistance contact FERC Online Support by email at email@example.com, or by phone at: (866) 208-3676 (toll-free), or (202) 502-8659 for TTY.
Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at http://www.ferc.gov/docs-filing/docs-filing.asp.
FOR FURTHER INFORMATION CONTACT:
Ellen Brown may be reached by email at DataClearance@FERC.gov, by telephone at (202) 502-8663, and by fax at (202) 273-0873.
Title: FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection
OMB Control No.: 1902-0248
Type of Request: Three-year extension of the FERC-725B information collection requirements with no changes to the reporting requirements.
Abstract: The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection, is required to implement the statutory provisions of Section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o).
On January 18, 2008, the Commission issued Order No. 706, approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC) for Commission approval. The CIP version 1 Reliability Standards (CIP-002-1 through CIP-009-1) require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. These standards help protect the nation's Bulk-Power System against potential disruptions from cyber-attacks. The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES-ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures. However, the CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. Nonetheless, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards.
The Commission approved minor changes in CIP versions 2 and 3 Reliability Standards on September 30, 2009, and March 31, 2010, respectively. On April 19, 2012, the Commission issued Order No. 761, approving the CIP version 4 Standards (CIP-002-4 through CIP-009-4) and an implementation plan that scheduled their enforcement to begin October 1, 2014. The fundamental change in the CIP version 4 Standards was that all subject entities would use the same 'bright line' criteria to determine which of the facilities they owned were subject to the required policies, plans, programs and procedures (which remained nearly the same as for prior versions).
On November 22, 2013, the Commission issued Order No. 791, approving the CIP version 5 Standards (CIP-002-5 through CIP-009-5, CIP-010-1 and CIP-011-1) and the proposed implementation plan. The CIP version 5 Standards are currently scheduled to be implemented and enforceable beginning April 2016. Order No. 791 eliminated the enforceability of the CIP version 4 Standards. The Commission also approved nineteen new or revised definitions associated with the CIP version 5 Standards for inclusion in the Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). The CIP version 5 Standards identify and categorize Bulk Electric System (BES) Cyber Systems using a new methodology based on whether a BES Cyber System has a Low, Medium, or High Impact on the reliable operation of the bulk electric system. At a minimum, a BES Cyber System must be categorized as a Low Impact asset. Once a BES Cyber System is categorized, a responsible entity must comply with the associated requirements of the CIP version 5 Standards that apply to the impact category. The CIP version 5 Standards include 12 requirements with new cyber security controls, which address Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).
Type of Respondents: Entities registered with the North American Electric Reliability Corporation.
Estimate of Annual Burden: There are three items presenting burden associated with CIP Reliability Standards in the following section.
- The first table illustrates burden associated with CIP version 5 Reliability Standards.
- The second table illustrates burden associated with CIP version 3 and 4 Reliability Standards.
- The third item (bulleted list) is a sum of the total burden for all active CIP-related Reliability Standards (i.e. CIP Versions 3-5).
|Groups of registered entities||Classes of entity's facilities requiring CIP||Number of entities||Total hours in year 1 (hours)||Total hours in year 2 (hours)||Total hours in year 3 (hours)|
|Group C||Medium (New)||78||1,248||19,136||19,136|
|Group C||Low (Blackstart)||283||22,640||−206,024 (note 6)||−206,024 (note 6)|
|Group C||Medium or High||316||257,856||131,456||131,456|
The total annual burden (related to CIP Version 5 only) is 672,708 hours when averaging Years 1-3 [(1,133,220 hours + 731,980 hours + 152,924 hours) ÷ 3 = 672,708 hours]. The total annual cost averaged over Years 1-3 is $50,883,633 (672,708 hours * $75.64 = $50,883,633).
Regarding CIP standards unaffected by CIP Version 5, the estimated burden has been adjusted to account for a reduction in affected entities. The applicable estimate related to CIP Version 3 and 4 standards (related to the active components) is provided in the table below. (For display purposes, the numbers in the tables below have been rounded; however, exact figures were used in the calculations.)
|Number of respondents||Annual number of responses per respondent||Total number of responses||Average burden & cost per response||Total annual burden hours & total annual cost||Cost per respondent ($)|
|(1)||(2)||(1) * (2) = (3)||(4)||(3) * (4) = (5)||(5) ÷ (1)|
|1,415||1||1,415||383 hours (note 10); $28,937||541,334 hours (note 11); $40,946,496||$28,937|
The following items represent the estimated total annual burden for FERC-725B and include all burden associated with CIP Reliability Standards.
- Number of respondents: 1,415 (Not all entities with CIP-related functions will be obligated to comply with every CIP reliability standard.)
- Total Annual Burden Hours: 1,214,042
- Total Annual Cost: $91,830,137 (1,214,042 hours * $75.64 = $91,830,137)
- Average Cost per Respondent: $64,898 ($91,830,137 ÷ 1,415 entities = $64,898).
Public comments received about the FERC-725B information collection: FERC received one comment from Robert S. Lynch and Associates. The comment pertained to the burden and cost of responding to a Freedom of Information Act (FOIA) request related to the FERC-725B and the information collection not being safeguarded against a request under the FOIA.
FERC's response to the public comment: The burden related to the Federal Energy Regulatory Commission safeguarding of information collection activities against a request under the Freedom of Information Act (FOIA) does not have a direct collection cost burden on the regulated entities and, thus, is not included in the reported cost burden.
However, to the data vulnerability issue raised by the commenter, the information collected as related to the CIP Reliability Standards is generally protected from FOIA requests because it is retained by the regulated entities themselves and not the Commission. For compliance and enforcement activities of the CIP Reliability Standards, Section 215 of the Federal Power Act (FPA) required the Commission to appoint an Electric Reliability Organization (ERO). The Commission appointed NERC. The ERO and its designated assignees, generally in exercising its compliance and enforcement activities under Section 215 of the FPA, only reviews the information collected by the regulated entities and only takes possession of the information required to process the enforcement actions. The Commission, in furtherance of the Commission's statutory responsibility under Section 215 of the FPA, reviews and approves enforcement actions undertaken by ERO and, in doing so, does receive information collected related to CIP Reliability Standards. However, the information that is received by the Commission for performing its statutory oversight responsibilities is generally devoid of specific sensitive information. Therefore, FERC does not find it necessary to make any changes to the collection at this time.
Comments: Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology.
Dated: June 19, 2015.
Kimberly D. Bose,
1. Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040.
2. Every version of the CIP Reliability Standards may be found on the NERC Web site at http://www.nerc.com/pa/Stand/Reliability%20Standards%20Complete%20Set/RSCompleteSet.pdf.
3. 129 FERC ¶ 61,236 (2009) (approving Version 2 of the CIP Reliability Standards); North American Electric Reliability Corp., and 130 FERC ¶ 61,271 (2010) (approving Version 3 of the CIP Reliability Standards).
4. Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24,594 (Apr. 25, 2012), 139 FERC ¶ 61,058 (2012), order denying reh'g, 140 FERC ¶ 61,109 (2012).
5. The Commission defines burden as the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. For further explanation of what is included in the information collection burden, reference 5 Code of Federal Regulations 1320.3.
6. These figures (in the context of this table) represent a removal of requirements and burden for Group C (Blackstart) respondents in Years 2 and 3 due to CIP Version 5 changes. Since these numbers are stated as negative figures, they represent a reduction in OMB-approved burden estimate.
7. The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * $75.64 per Hour = Average Cost per Response. The hourly cost figure comes from May 2014 data on the Bureau of Labor Statistics Web site (http://www.bls.gov/oes/current/naics2_22.htm). The figure is a mathematical average of the cost of wages and benefits related to legal services ($129.68), technical employees ($58.17), and administrative support ($39.12).
8. The estimate has been decreased from 1,475 to 1,415. The NERC Compliance Registry indicated that as of 1/14/2015, 1,415 entities were registered for at least one CIP-related function/responsibility.
9. Reliability Standards CIP-002-3, CIP-003-3, CIP-004-3a, CIP-005-3a, CIP-006-3a, CIP-007-3c, CIP-008-3, and CIP-009-3.
10. This figure is rounded for display in the table. The actual number is 382.56813 and is used in the calculations above.
11. This figure is rounded for display in the table. The actual number is 541,333.91 and is used in the calculations above.
12. CIP Versions 3 and 4 (remaining components of Version 3 and 4), and 5.
13. This figure is rounded. The actual number is 64,897.623.
[FR Doc. 2015-15652 Filed 6-25-15; 8:45 am]
BILLING CODE 6717-01-P