Physical Security Reliability Standard, 42734-42743 [2014-17231]

Agencies

• DEPARTMENT OF ENERGY
• Federal Energy Regulatory Commission

[Federal Register Volume 79, Number 141 (Wednesday, July 23, 2014)]
[Proposed Rules]
[Pages 42734-42743]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-17231]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM14-15-000]


Physical Security Reliability Standard

AGENCY: Federal Energy Regulatory Commission.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the section regarding Electric Reliability of the 
Federal Power Act, the Federal Energy Regulatory Commission 
(Commission) proposes to approve Reliability Standard CIP-014-1 
(Physical Security). The North American Electric Reliability 
Corporation, the Commission-certified Electric Reliability 
Organization, submitted the proposed Reliability Standard for 
Commission approval in response to a Commission order issued on March 
7, 2014. The purpose of proposed Reliability Standard CIP-014-1 is to 
enhance physical security measures for the most critical Bulk-Power 
System facilities and thereby lessen the overall vulnerability of the 
Bulk-Power System against physical attacks. The Commission proposes to 
approve Reliability Standard CIP-014-1. In addition, the Commission 
proposes to direct NERC to develop two modifications to the physical 
security Reliability Standard and seeks comment on other issues.

DATES: Comments are due September 8, 2014. Reply comments are due 
September 22, 2014.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways:
     Electronic Filing through https://www.ferc.gov/: Documents 
created electronically using word processing software should be filed 
in native applications or print-to-PDF format and not in a scanned 
format.
     Mail/Hand Delivery: Those unable to file electronically 
may mail or hand-deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures Section of this document

FOR FURTHER INFORMATION CONTACT:

Regis Binder (Technical Information), Office of Electric Reliability, 
Division of Reliability Standards and Security, Federal Energy 
Regulatory Commission, 888 First Street NE., Washington, DC 20426, 
Telephone: (301) 665-1601, Regis.Binder@ferc.gov.
Matthew Vlissides (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, Telephone: (202) 502-8408, Matthew.Vlissides@ferc.gov.

SUPPLEMENTARY INFORMATION:
    1. Pursuant to section 215 of the Federal Power Act (FPA), the

[[Page 42735]]

Commission proposes to approve Reliability Standard CIP-014-1 (Physical 
Security). The North American Electric Reliability Corporation (NERC), 
the Commission-certified Electric Reliability Organization (ERO), 
submitted the proposed Reliability Standard for Commission approval in 
response to a Commission order issued on March 7, 2014.\1\ The purpose 
of the proposed Reliability Standard CIP-014-1 is to enhance physical 
security measures for the most critical Bulk-Power System facilities 
and thereby lessen the overall vulnerability of the Bulk-Power System 
facilities against physical attacks. The Commission proposes to approve 
Reliability Standard CIP-014-1. In addition, the Commission proposes to 
direct NERC to develop two modifications to the physical security 
Reliability Standard. Further, the Commission seeks comment on other 
concerns regarding the proposed Reliability Standard, as discussed 
below.
---------------------------------------------------------------------------

    \1\ Reliability Standards for Physical Security Measures, 146 
FERC ] 61,166 (2014) (March 7 Order).
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    2. Section 215 of the FPA requires the Commission to certify an ERO 
to develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval.\2\ Once approved, the Reliability 
Standards may be enforced in the United States by the ERO, subject to 
Commission oversight, or by the Commission independently.\3\
---------------------------------------------------------------------------

    \2\ 16 U.S.C. 824o.
    \3\ Id. 824o(e).
---------------------------------------------------------------------------

B. March 7 Order

    3. In the March 7 Order, the Commission determined that physical 
attacks on the Bulk-Power System could adversely impact the reliable 
operation of the Bulk-Power System, resulting in instability, 
uncontrolled separation, or cascading failures. Moreover, the 
Commission observed that the current Reliability Standards do not 
specifically require entities to take steps to reasonably protect 
against physical security attacks on the Bulk-Power System. 
Accordingly, to carry out section 215 of the FPA and to provide for the 
reliable operation of the Bulk-Power System, the Commission directed 
NERC, pursuant to FPA section 215(d)(5), to develop and file for 
approval proposed Reliability Standards that address threats and 
vulnerabilities to the physical security of critical facilities on the 
Bulk-Power System.\4\
---------------------------------------------------------------------------

    \4\ Id. 824o(d)(5).
---------------------------------------------------------------------------

    4. The March 7 Order indicated that the Reliability Standards 
should require owners or operators of the Bulk-Power System to take at 
least three steps to address the risks that physical security attacks 
pose to the reliable operation of the Bulk-Power System. Specifically, 
the March 7 Order directed that: (1) The Reliability Standards should 
require owners or operators of the Bulk-Power System to perform a risk 
assessment of their systems to identify their ``critical facilities;'' 
(2) the Reliability Standards should require owners or operators of the 
identified critical facilities to evaluate the potential threats and 
vulnerabilities to those identified facilities; and (3) the Reliability 
Standards should require those owners or operators of critical 
facilities to develop and implement a security plan designed to protect 
against attacks to those identified critical facilities based on the 
assessment of the potential threats and vulnerabilities to their 
physical security.
    5. The March 7 Order stated that the risk assessment used by an 
owner or operator to identify critical facilities should be verified by 
an entity other than the owner or operator, such as by NERC, the 
relevant Regional Entity, a reliability coordinator, or another 
entity.\5\ In addition, the March 7 Order indicated that the 
Reliability Standards should include a procedure for the verifying 
entity, as well as the Commission, to add or remove facilities from an 
owner's or operator's list of critical facilities.\6\ The March 7 Order 
further stated that the determination of threats and vulnerabilities 
and the security plan should be reviewed by NERC, the relevant Regional 
Entity, the reliability coordinator, or another entity with appropriate 
expertise.
---------------------------------------------------------------------------

    \5\ March 7 Order, 146 FERC ] 61,166 at P 11.
    \6\ Id.
---------------------------------------------------------------------------

    6. The March 7 Order stated that, because the three steps of 
compliance with the contemplated Reliability Standards could contain 
sensitive or confidential information that, if released to the public, 
could jeopardize the reliable operation of the Bulk-Power System, NERC 
should include in the Reliability Standards a procedure that will 
ensure confidential treatment of sensitive or confidential information 
but still allow for the Commission, NERC and the Regional Entities to 
review and inspect any information that is needed to ensure compliance 
with the Reliability Standards.
    7. The Commission directed NERC to submit the proposed Reliability 
Standards to the Commission for approval within 90 days of issuance of 
the March 7 Order (i.e., June 5, 2014).

C. NERC Petition

    8. On May 23, 2014, NERC petitioned the Commission to approve 
proposed Reliability Standard CIP-014-1 and its associated violation 
risk factors and violation severity levels, implementation plan, and 
effective date.\7\ NERC maintains that the proposed Reliability 
Standard is just, reasonable, not unduly discriminatory, or 
preferential, and in the public interest. In addition, NERC asserts 
that the proposed Reliability Standard complies with the Commission's 
directives in the March 7 Order.
---------------------------------------------------------------------------

    \7\ NERC explains that, to meet the 90-day deadline in the March 
7 Order, the NERC Standards Committee approved waivers to the 
Standard Processes Manual to shorten the comment and ballot periods 
for the Standards Authorization Request and draft Reliability 
Standard. NERC Petition at 13-14. Proposed Reliability Standard CIP-
014-1 is not attached to the notice of proposed rulemaking. The 
complete text of proposed Reliability Standard CIP-014-1 is 
available on the Commission's eLibrary document retrieval system in 
Docket No. RM14-15-000 and is posted on the ERO's Web site, 
available at https://www.nerc.com.
---------------------------------------------------------------------------

    9. NERC explains that proposed Reliability Standard CIP-014-1 
``serves the vital reliability goal of enhancing physical security 
measures for the most critical Bulk-Power System facilities and 
lessening the overall vulnerability of the Bulk-Power System to 
physical attacks.'' \8\ NERC maintains that the ``appropriate focus of 
the proposed Reliability Standard is Transmission stations and 
Transmission substations, which are uniquely essential elements of the 
Bulk-Power System.'' \9\ The proposed Reliability Standard is 
applicable to transmission owners that satisfy the Applicability 
Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4 and to transmission 
operators. NERC states that the transmission facilities covered by 
Applicability Sections 4.1.1.1 through 4.1.1.4 match the ``Medium 
Impact'' transmission facilities listed in Attachment 1 of Reliability 
Standard

[[Page 42736]]

CIP-002-5.1.\10\ According to NERC, the ``standard drafting team 
determined that using the criteria for `Medium Impact' Transmission 
Facilities set forth in Reliability Standard CIP-002-5.1 is an 
appropriate applicability threshold as the Commission has acknowledged 
that it is [ ] a technically sound basis for identifying Transmission 
Facilities, which, if compromised, would present an elevated risk to 
the Bulk-Power System.'' \11\
---------------------------------------------------------------------------

    \8\ NERC Petition at 15-16.
    \9\ Id. at 18. NERC states that, although the terms 
``Transmission stations'' and ``Transmission substations'' are 
sometimes used interchangeably, the proposed Reliability Standard 
uses the term ``Transmission substation'' to refer to a facility 
contained within a physical border (e.g., a fence or wall) that 
contains one or more autotransformers. Id. According to NERC, the 
term ``Transmission station,'' as used in the proposed Reliability 
Standard, refers to a facility that functions as a switching station 
or switchyard but does not contain autotransformers. Id. at 18-19.
    \10\ Id. at 25 (citing Reliability Standard CIP-002-5.1 (Cyber 
Security -- BES Cyber System Categorization), Attachment 1 (Impact 
Rating Criteria)).
    \11\ Id.
---------------------------------------------------------------------------

    10. Proposed Reliability Standard CIP-014-1 has six requirements. 
Requirement R1 requires applicable transmission owners to perform risk 
assessments on a periodic basis to identify their transmission stations 
and transmission substations that, if rendered inoperable or damaged, 
could result in widespread instability, uncontrolled separation, or 
cascading within an Interconnection. Requirement R1 also requires 
transmission owners to identify the primary control center that 
operationally controls each of the identified transmission stations or 
transmission substations.
    11. Requirement R2 requires that each applicable transmission owner 
have an unaffiliated third party with appropriate experience verify the 
risk assessment performed under Requirement R1. Requirement R2 states 
that the transmission owner must either modify its identification of 
facilities consistent with the verifier's recommendation or document 
the technical basis for not doing so. In addition, Requirement R2 
requires each transmission owner to implement procedures for protecting 
sensitive or confidential information made available to third party 
verifiers or developed under the proposed Reliability Standard from 
public disclosure.
    12. Requirement R3 requires the transmission owner to notify a 
transmission operator that operationally controls a primary control 
center identified under Requirement R1 of such identification to ensure 
that the transmission operator has notice of the identification so that 
it may timely fulfill its obligations under Requirements R4 and R5 to 
protect the primary control center.
    13. Requirement R4 requires each applicable transmission owner and 
transmission operator to conduct an evaluation of the potential threats 
and vulnerabilities of a physical attack on each of its respective 
transmission stations, transmission substations, and primary control 
centers identified as critical in Requirement R1.
    14. Requirement R5 requires each transmission owner and 
transmission operator to develop and implement documented physical 
security plans that cover each of their respective transmission 
stations, transmission substations, and primary control centers 
identified as critical in Requirement R1.
    15. Requirement R6 requires that each transmission owner and 
transmission operator subject to Requirements R4 and R5 have an 
unaffiliated third party with appropriate experience review its 
Requirement R4 evaluation and Requirement R5 security plan. Requirement 
R6 states that the transmission owner or transmission operator must 
either modify its evaluation and security plan consistent with the 
recommendation, if any, of the reviewer or document its reasons for not 
doing so.

II. Discussion

    16. Pursuant to FPA section 215(d)(2), we propose to approve 
proposed Reliability Standard CIP-014-1 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. In 
addition, the Commission proposes to approve the violation risk 
factors, violation severity levels, implementation plan, and effective 
date proposed by NERC.
    17. The proposed Reliability Standard CIP-014-1 largely satisfies 
the directives in the March 7 Order concerning the development and 
submittal of proposed physical security Reliability Standards. However, 
as discussed below, the Commission proposes to direct NERC to develop a 
modification to the physical security Reliability Standard to allow 
applicable governmental authorities (i.e., the Commission and any other 
appropriate federal or provincial authorities) to add or subtract 
facilities from an applicable entity's list of critical facilities 
under Requirement R1. The Commission also proposes to direct NERC to 
modify the physical security Reliability Standard to remove the term 
``widespread.''
    18. In addition to the proposed modifications to the physical 
security Reliability Standard, the Commission proposes to direct NERC 
to make an informational filing within six months of the effective date 
of a final rule in this proceeding addressing the possibility that, as 
described below, proposed Reliability Standard CIP-014-1 may not 
provide physical security for all ``High Impact'' control centers, as 
that term is defined in Reliability Standard CIP-002-5.1, necessary for 
the reliable operation of the Bulk-Power System. The Commission also 
proposes to direct NERC to make an informational filing within one year 
of the effective date of a final rule in this proceeding addressing 
possible resiliency measures that can be taken to maintain the reliable 
operation of the Bulk-Power System following the loss of critical 
facilities.
    19. Below, the Commission discusses and seeks comment from NERC and 
interested entities on the following issues: (A) Providing for 
applicable governmental authorities to add or subtract facilities from 
an entity's list of critical facilities; (B) the standard for 
identifying critical facilities; (C) control centers; (D) exclusion of 
generators from the applicability section of the proposed Reliability 
Standard; (E) third-party recommendations; (F) resiliency; (G) 
violation risk factors and violation severity levels; and (H) 
implementation plan and effective date.

A. Applicable Governmental Authority's Ability To Add or Subtract 
Facilities From an Entity's List of Critical Facilities

March 7 Order
    20. In the March 7 Order, the Commission stated that:

    [T]he risk assessment used by an owner or operator to identify 
critical facilities should be verified by an entity other than the 
owner or operator. Such verification could be performed by NERC, the 
relevant Regional Entity, a Reliability Coordinator, or another 
entity. The Reliability Standards should include a procedure for the 
verifying entity, as well as the Commission, to add or remove 
facilities from an owner's or operator's list of critical 
facilities. Similarly, the determination of threats and 
vulnerabilities and the security plan should also be reviewed by 
NERC, the relevant Regional Entity, the Reliability Coordinator, or 
another entity with appropriate expertise. Finally, the Reliability 
Standards should require that the identification of the critical 
facilities, the assessment of the potential risks and 
vulnerabilities, and the security plans be periodically reevaluated 
and revised to ensure their continued effectiveness. NERC should 
establish a timeline for when such reevaluations should occur.\12\
---------------------------------------------------------------------------

    \12\ March 7 Order, 146 FERC ] 61,166 at P 11.
---------------------------------------------------------------------------

NERC Petition
    21. The proposed Reliability Standard does not include a procedure 
that allows the Commission to add or subtract facilities from an 
applicable entity's list of critical facilities under Requirement R1. 
Instead, NERC states that the Commission has the existing authority to 
enforce NERC Reliability Standards pursuant to FPA section

[[Page 42737]]

215(e)(3).\13\ NERC explains that a transmission owner must be able to 
demonstrate that its method for performing its risk assessment under 
Requirement R1 ``was technically sound and reasonably designed to 
identify its critical Transmission stations and Transmission 
substations.'' \14\ NERC maintains that if ``in the course of assessing 
an entity's compliance with the proposed Reliability Standard, NERC, a 
Regional Entity or [the Commission] finds that the entity's 
transmission analysis was patently deficient and that the Requirement 
R2 verification process did not cure those deficiencies, they could use 
their enforcement authority to compel Transmission Owners to re-perform 
the risk assessment using assumptions designed to identify the 
appropriate critical facilities.'' \15\
---------------------------------------------------------------------------

    \13\ NERC Petition at 37.
    \14\ Id.
    \15\ Id.
---------------------------------------------------------------------------

Discussion
    22. The proposed Reliability Standard does not include a procedure 
that allows the Commission to add or subtract facilities from an 
applicable entity's list of critical facilities. Accordingly, if the 
Commission determines through an audit of an applicable entity, or 
through some other means, that a critical facility does not appear on 
the entity's list of critical facilities, there is no provision in the 
proposed Reliability Standard to allow the Commission to require its 
inclusion. We agree with NERC that failure to identify a critical 
facility would be a violation of Requirement R1, and thus could subject 
the relevant applicable entity to compliance or enforcement actions. 
However, we believe that NERC's proposal is not an equally efficient or 
effective alternative to the directive in the March 7 Order. While the 
Commission anticipates that we would exercise such authority only 
rarely, we propose to direct NERC to modify the physical security 
Reliability Standard to include a procedure that would allow applicable 
governmental authorities to add or subtract facilities from an 
applicable entity's list of critical facilities.
    23. As discussed above, we agree with NERC that an applicable 
entity's failure to develop an appropriate list of critical facilities 
consistent with Requirement R1, even if the list is verified by a 
third-party under Requirement R2, constitutes non-compliance with 
Requirement R1. According to NERC, the corrective action for non-
compliance would be to require the applicable entity to correct and 
repeat the Requirement R1 assessment, with the expectation that the 
omitted facility would then be assessed as critical. While NERC appears 
to expect that correcting and re-performing the assessment would result 
in the applicable entity adding to its critical facilities list the 
previously omitted facility or facilities that the Commission thought 
critical, there is no guarantee that would happen in a timely manner, 
if at all. We are concerned that, as currently proposed, the 
Commission, NERC, or Regional Entities cannot ``effectively require 
Transmission Owners to add or remove facilities'' under Requirement 
R1.\16\ Accordingly, we propose to determine that NERC's proposal does 
not satisfy the directive in the March 7 Order, either directly or in 
an equally efficient and effective manner. We therefore propose to 
direct that NERC develop a modification to the physical security 
Reliability Standard to include a procedure that would allow applicable 
governmental authorities, i.e., the Commission and any other 
appropriate federal or provincial authorities, to add or subtract 
facilities from an applicable entity's list of critical facilities.
---------------------------------------------------------------------------

    \16\ Id.
---------------------------------------------------------------------------

    24. The Commission seeks comment on this proposed directive.

B. Standard for Identifying Critical Facilities

March 7 Order
    25. The March 7 Order stated that a critical facility is ``one 
that, if rendered inoperable or damaged, could have a critical impact 
on the operation of the interconnection through instability, 
uncontrolled separation or cascading failures on the Bulk-Power 
System.'' \17\
---------------------------------------------------------------------------

    \17\ March 7 Order, 146 FERC ] 61,166 at P 6.
---------------------------------------------------------------------------

NERC Petition
    26. The proposed Reliability Standard states that its purpose is to 
``identify and protect Transmission stations and Transmission 
substations, and their associated primary control centers, that if 
rendered inoperable or damaged as a result of a physical attack could 
result in widespread instability, uncontrolled separation, or Cascading 
within an Interconnection.'' Requirement R1 of the proposed Reliability 
Standard states that the ``initial and subsequent risk assessments 
shall consist of a transmission analysis or transmission analyses 
designed to identify the Transmission station(s) and Transmission 
substation(s) that if rendered inoperable or damaged could result in 
widespread instability, uncontrolled separation, or Cascading within an 
Interconnection.'' In the technical guidance document appended to the 
proposed Reliability Standard, which is intended to assist applicable 
entities to identify critical facilities under Requirement R1, NERC 
indicates that, in performing its risk assessment to identify critical 
transmission stations and transmission substations, ``[a]n entity could 
remove all lines, without regard to the voltage level, to a single 
Transmission station or Transmission substation and review the 
simulation results to assess system behavior to determine if Cascading 
of Transmission Facilities, uncontrolled separation, or voltage or 
frequency instability is likely to occur over a significant area of the 
Interconnection.'' \18\ The NERC petition also uses the term 
``uncontrollable impact'' to describe the scope of the proposed 
Reliability Standard.\19\
---------------------------------------------------------------------------

    \18\ NERC Petition, Exhibit A (Proposed Reliability Standard) at 
23.
    \19\ NERC Petition at 22.
---------------------------------------------------------------------------

Discussion
    27. The Commission proposes to direct NERC to modify the physical 
security Reliability Standard to remove the term ``widespread'' as it 
appears in the proposed Reliability Standard in the phrase ``widespread 
instability.'' The phrase ``widespread instability'' is undefined by 
NERC and is inconsistent with the March 7 Order's explanation of 
``critical facility'' and the definition of ``reliable operation'' in 
FPA section 215(a)(4).\20\
---------------------------------------------------------------------------

    \20\ ``[A facility] that, if rendered inoperable or damaged, 
could have a critical impact on the operation of the interconnection 
through instability, uncontrolled separation or cascading failures 
on the Bulk-Power System.'' March 7 Order, 146 FERC ] 61,166 at P 6; 
16 U.S.C. 824o(a)(4) (``The term `reliable operation' means 
operating the elements of the bulk-power system within equipment and 
electric system thermal, voltage, and stability limits so that 
instability, uncontrolled separation, or cascading failures of such 
system will not occur as a result of a sudden disturbance, including 
a cybersecurity incident, or unanticipated failure of system 
elements.'').
---------------------------------------------------------------------------

    28. The phrase ``widespread instability'' in Requirement R1 could, 
depending on the meaning of ``widespread,'' narrow the scope (and 
number) of identified critical facilities under the proposed 
Reliability Standard beyond what was contemplated in the March 7 Order. 
The March 7 Order required the identification of facilities whose loss 
could result in instability, uncontrolled separation, or cascading 
failures, which is consistent with the definition of ``reliable 
operation'' in FPA section 215(a)(4). The term ``widespread'' is 
undefined and could potentially render the Reliability Standard 
unenforceable or could lead to an inadequate level of reliability by

[[Page 42738]]

omitting facilities that are critical to the reliable operation of the 
Bulk-Power System.
    29. Accordingly, pursuant to section 215(d)(5) of the FPA, we 
propose to direct that NERC develop a modification to Reliability 
Standard CIP-014-1 to remove the term ``widespread'' as it appears in 
the proposed standard in the phrase ``widespread instability.'' The 
Commission seeks comment on this proposal.

C. Control Centers

March 7 Order
    30. The March 7 Order stated that a ``critical facility is one 
that, if rendered inoperable or damaged, could have a critical impact 
on the operation of the interconnection through instability, 
uncontrolled separation or cascading failures on the Bulk-Power 
System.'' \21\ The March 7 Order, while not mandating that a minimum 
number of facilities be deemed critical under the physical security 
Reliability Standards, explained that the ``Commission expects that 
critical facilities generally will include, but not be limited to, 
critical substations and critical control centers.'' \22\
---------------------------------------------------------------------------

    \21\ March 7 Order, 146 FERC ] 61,166 at P 6.
    \22\ Id. P 6, n.6.
---------------------------------------------------------------------------

NERC Petition
    31. NERC states that the proposed Reliability Standard addresses 
the protection of primary control centers, which NERC defines as 
facilities that ``operationally control[] a Transmission station or 
Transmission substation when the electronic actions from the control 
center can cause direct physical actions at the identified Transmission 
station or Transmission substation, such as opening a breaker.'' \23\
---------------------------------------------------------------------------

    \23\ NERC Petition at 19.
---------------------------------------------------------------------------

    32. NERC maintains that ``[c]ontrol centers that provide back-up 
capability and control centers that cannot operationally control a 
critical Transmission station or Transmission substation do not present 
similar direct risks to Real-time operations if they are the target of 
a physical attack,'' and thus they are not covered by the proposed 
Reliability Standard.\24\ NERC explains that the destruction of a back-
up control center would ``have no direct reliability impact in Real-
time as the entity can continue operating . . . from its primary 
control center.'' \25\ With respect to control centers that do not 
physically operate Bulk-Power System facilities, such as control 
centers operated by reliability coordinators, NERC states that, while 
``certain monitoring and oversight capabilities might be lost as a 
result of a physical attack on such control centers, the Transmission 
Owner or Transmission Operator that operationally controls the critical 
Transmission station or Transmission substation would be able to 
continue operating its transmission system to prevent widespread 
instability, uncontrolled separation, or Cascading within an 
Interconnection.'' \26\
---------------------------------------------------------------------------

    \24\ Id.
    \25\ Id. at 20.
    \26\ Id. at 20-21.
---------------------------------------------------------------------------

    33. NERC acknowledges that certain control centers categorized as 
``High Impact'' or ``Medium Impact'' under Reliability Standard CIP-
002-5.1 (Cyber Security--BES Cyber System Categorization) would not be 
covered control centers under the proposed Reliability Standard.\27\ 
NERC explains that this:
---------------------------------------------------------------------------

    \27\ Reliability Standard CIP-002-5.1 (Cyber Security--BES Cyber 
System Categorization), Attachment 1 (Impact Rating Criteria).

    Reflects the different nature of cyber security risks and 
physical security risks at control centers . . . [a] primary cyber 
security concern for control centers is the corruption of data or 
information and the potential for operators to take action based on 
corrupted data or information . . . [and] [t]his concern exists at 
control centers that operationally control Bulk-Power System 
facilities and those that do not. As such, there is no distinction 
in CIP-002-5.1 between these control centers . . . however, such a 
distinction is appropriate in the physical security context.\28\
---------------------------------------------------------------------------

    \28\ Id. at 22 n.55.

    34. NERC points out that Reliability Standard CIP-006-5 already 
requires physical security protections that are ``designed to restrict 
physical access to locations containing High and Medium Impact Cyber 
Systems,'' which include control centers and backup control centers for 
reliability coordinators, balancing authorities, transmission operators 
and generation operators irrespective of their ability to operationally 
control Bulk-Power System facilities.\29\
---------------------------------------------------------------------------

    \29\ Id. at 21.
---------------------------------------------------------------------------

Discussion
    35. The Commission proposes to direct NERC to make an informational 
filing within six months of the effective date of a final rule in this 
proceeding indicating whether the development of Reliability Standards 
that provide physical security for all ``High Impact'' control centers, 
as that term is defined in Reliability Standard CIP-002-5.1, is 
necessary for the reliable operation of the Bulk-Power System.
    36. Proposed Reliability Standard CIP-014-1, Requirement R1.2 
requires applicable transmission owners to ``identify the primary 
control center that operationally controls each Transmission station or 
Transmission substation identified in the Requirement R1 risk 
assessment.'' Thus the proposed Reliability Standard, while addressing 
transmission owners' primary control centers, does not encompass 
transmission owner back-up control centers or any control centers owned 
or operated by other functional entity types, such as reliability 
coordinators, balancing authorities, and generator operators.
    37. Primary and back-up control centers of functional entities 
other than transmission owners and operators identified as ``High 
Impact'' may warrant assessment and physical security controls under 
this Reliability Standard because a successful attack could prevent or 
impair situational awareness, especially from a wide-area perspective, 
or could allow attackers to distribute misleading and potentially 
harmful data and operating instructions that could result in 
instability, uncontrolled separation, or cascading failures.
    38. NERC's petition recognizes that Reliability Standard CIP-006-5 
(Cyber Security--Physical Security of BES Cyber Systems) already 
requires certain physical security protections for applicable primary 
and backup control centers of reliability coordinators, balancing 
authorities, transmission operators, and generator operators. 
Reliability Standard CIP-006-5 applies to primary and backup control 
centers containing BES Cyber Systems that are ``High Impact'' or 
``Medium Impact,'' as defined in Reliability Standard CIP-002-5.1, 
Attachment 1. ``High Impact'' facilities include the control centers 
and backup control centers of reliability coordinators and certain 
balancing authorities, transmission operators, and generator operators. 
The ``Medium Impact'' categorization applies to all transmission 
operator primary and backup control centers not categorized as ``High 
Impact'' and to primary and backup control centers for certain 
generator operators and balancing authorities.
    39. The proposed informational filing should address whether there 
is a need for consistent treatment of ``High Impact'' control centers 
for cybersecurity and physical security purposes through the 
development of Reliability Standards that afford physical protection to 
all ``High Impact'' control centers. The Commission notes that the 
development of physical security protections for all ``High Impact'' 
control centers would not be

[[Page 42739]]

without precedent because, as noted above, Reliability Standard CIP-
006-5 already requires that ``High Impact'' control centers have some 
physical protections, including restrictions on physical access, to 
protect BES Cyber Assets. However, the security measures required by 
Reliability Standard CIP-006-5 may not be comparable to those required 
by proposed Reliability Standard CIP-014-1, and thus may not be 
sufficient to ``deter, detect, delay, assess, communicate, and respond 
to potential threats and vulnerabilities'' as required in Requirement 
R5 of the proposed Reliability Standard. Further, Reliability Standard 
CIP-006-5 does not require an ``unaffiliated third party review'' of 
the evaluation and security plan required by proposed Reliability 
Standard CIP-014-1.
    40. The Commission seeks comment on this proposal.

D. Generators

March 7 Order
    41. The March 7 Order did not direct NERC to make the physical 
security Reliability Standards applicable to specific functional entity 
types. The March 7 Order stated that ``some of the requirements imposed 
by these newly proposed Reliability Standards may best be performed by 
the owner and other activity may best be performed by the operator,'' 
and that NERC should clearly indicate which entity is responsible for 
each requirement.\30\ With regard to the applicable types of 
facilities, the Commission stated that it ``is not requiring NERC to 
adopt a specific type of risk assessment, nor is the Commission 
requiring that a mandatory number of facilities be identified as 
critical facilities under the Reliability Standards.'' \31\
---------------------------------------------------------------------------

    \30\ March 7 Order, 146 FERC ] 61,166 at P 6, n.4.
    \31\ Id. P 6.
---------------------------------------------------------------------------

NERC Petition
    42. In explaining why the proposed Reliability Standard does not 
include generator owners and generator operators as applicable 
entities, the standard drafting team found that:

    It was not necessary to include Generator Operators and 
Generator Owners in the Reliability Standard. First, Transmission 
stations or Transmission substations interconnecting generation 
facilities are considered when determining applicability. 
Transmission Owners will consider those Transmission stations and 
Transmission substations that include a Transmission station on the 
high side of the Generator Step-up transformer (GSU) using 
Applicability Section 4.1.1.1 and 4.1.1.2 . . . Second, the 
transmission analysis or analyses conducted under Requirement R1 
should take into account the impact of the loss of generation 
connected to applicable Transmission stations or Transmission 
substations. Additionally, the [Commission] order does not 
explicitly mention generation assets and is reasonably understood to 
focus on the most critical Transmission Facilities.\32\

    \32\ NERC Petition, Exhibit A (Proposed Reliability Standard) at 
23. The standard drafting team provided the following example: ``a 
Transmission station or Transmission substation identified as a 
Transmission Owner facility that interconnects generation will be 
subject to the Requirement R1 risk assessment if it operates at 500 
kV or greater or if it is connected at 200 kV-499 kV to three or 
more other Transmission stations or Transmission substations and has 
an `aggregate weighted value' exceeding 3000 according to the table 
in Applicability Section 4.1.1.2.'' Id. at 23.

    43. NERC explains that generator owners and generator operators 
were not included in the applicability section because, ``while the 
loss of a generator facility due to a physical attack may have local 
reliability effects, the loss of the facility is unlikely to have the 
widespread, uncontrollable impact'' contemplated in the March 7 
Order.\33\ NERC maintains that a ``generation facility does not have 
the same critical functionality as certain Transmission stations and 
Transmission substations due to the limited size of generating plants, 
the availability of other generation capacity connected to the grid, 
and planned resilience of the transmission system to react to the loss 
of a generation facility.'' \34\
---------------------------------------------------------------------------

    \33\ NERC Petition at 22.
    \34\ Id.
---------------------------------------------------------------------------

Discussion

    44. The Commission proposes to approve the applicability section of 
the proposed Reliability Standard without the inclusion of generator 
owners and generator operators. Omitting generator owners and generator 
operators from the applicability section is consistent with the March 7 
Order. The March 7 Order explained that the ``number of facilities 
identified as critical will be relatively small compared to the number 
of facilities that comprise the Bulk-Power System.'' \35\ We affirm 
this understanding and approach to physical security. The directive 
from the March 7 Order was intended to fill a recognized gap in the 
reliable operation of the Bulk-Power System. From that perspective, it 
is reasonable to focus attention on the most critical facilities in 
order to provide the most effective use of resources while adequately 
addressing the identified reliability gap.
---------------------------------------------------------------------------

    \35\ March 7 Order, 146 FERC ] 61,166 at P 12.
---------------------------------------------------------------------------

    45. Accordingly, we propose to accept NERC's justification for 
excluding generator owners and operators because it is in keeping with 
the March 7 Order's focus on protecting the most critical facilities. 
NERC explains that a generation facility ``does not have the same 
critical functionality as certain Transmission stations and 
Transmission substations due to the limited size of generating plants, 
the availability of other generation capacity connected to the grid, 
and planned resilience of the transmission system to react to the loss 
of a generation facility.'' \36\ Also, as NERC points out, Requirement 
R1 mandates a transmission analysis that accounts for transmission 
owner or transmission operator-owned substations that connect 
generating stations to the Bulk-Power System with step-up transformers. 
The Commission seeks comment on this proposal. In addition, while we 
propose to accept the applicability section of the proposed Reliability 
Standard, we note that NERC's proposed omission of generator owners and 
generator operators could potentially exempt substations owned or 
operated by generators. The Commission seeks comment on the potential 
reliability impact of excluding generator owned or operated 
substations.
---------------------------------------------------------------------------

    \36\ NERC Petition at 22.
---------------------------------------------------------------------------

E. Third-Party Recommendations

March 7 Order
    46. In the March 7 Order, the Commission stated that ``the risk 
assessment used by an owner or operator to identify critical facilities 
should be verified by an entity other than the owner or operator . . . 
[and] [s]imilarly, the determination of threats and vulnerabilities and 
the security plan should also be reviewed by NERC, the relevant 
Regional Entity, the Reliability Coordinator, or another entity with 
appropriate expertise.'' \37\
---------------------------------------------------------------------------

    \37\ March 7 Order, 146 FERC ] 61,166 at P 11.
---------------------------------------------------------------------------

NERC Petition
    47. Requirement R2 of the proposed Reliability Standard requires 
transmission owners to have their risk assessments verified by an 
unaffiliated third party. Requirement R6, likewise, requires each 
transmission owner and transmission operator to have its vulnerability 
and threat assessment(s) along with its security plan(s) for any 
critical facilities reviewed by an unaffiliated third party.
    48. Regarding how an applicable entity is supposed to address any 
recommendations by a third-party verifier, the proposed Reliability 
Standard, in Requirement R2.3, states that the transmission owner must 
either

[[Page 42740]]

(a) ``modify its identification . . . consistent with the 
recommendation'' or (b) ``document the technical basis for not 
modifying the identification in accordance with the recommendation.'' 
Similarly, Requirement R6.3 explains the procedure for considering any 
recommendations from the reviewing entity as to the threat assessments 
and security plans: the applicable entity must either (a) ``modify its 
evaluation or security plan(s) consistent with the recommendation'' or 
(b) ``document the reason(s) for not modifying the evaluation or 
security plan(s) consistent with the recommendation.''
    49. NERC states that ``[r]equiring documentation of the technical 
basis for not modifying the identification in accordance with the 
recommendation will help ensure that a Transmission Owner meaningfully 
considers the verifier's recommendations and follows those 
recommendations unless it can technically justify its reasons for not 
doing so. To comply with Part 2.3, the technical justification must be 
sound and based on acceptable approaches to conducting transmission 
analyses.'' \38\ The NERC petition contains a similar explanation for 
the third-party review (Requirement R6) of the threat assessments and 
security plans mandated in Requirements R4 and R5.\39\
---------------------------------------------------------------------------

    \38\ NERC Petition at 36.
    \39\ Id. at 50.
---------------------------------------------------------------------------

Discussion
    50. We propose to approve the proposed Reliability Standard, 
including the third-party verification and review method proposed by 
NERC in Requirements R2 and R6. Failure to provide a written, 
technically justifiable reason for rejecting a third-party 
recommendation would render the applicable entity non-compliant. With 
that understanding, we propose to approve NERC's proposal regarding 
third-party verification and review in Requirements R2 and R6 of the 
proposed Reliability Standard as an equally efficient and effective 
alternative to the directive in the March 7 Order.
    51. The Commission seeks comment on this proposal.

F. Resiliency

March 7 Order
    52. In the March 7 Order, the Commission stated that the 
development of physical security Reliability Standards ``will help 
provide for the resiliency and reliable operation of the Bulk-Power 
System. To that end, the proposed Reliability Standards should allow 
owners or operators to consider resiliency of the grid in the risk 
assessment when identifying critical facilities, and the elements that 
make up those facilities, such as transformers that typically require 
significant time to repair or replace. As part of this process, owners 
or operators may consider elements of resiliency such as how the system 
is designed, operated, and maintained, and the sophistication of 
recovery plans and inventory management.'' \40\
---------------------------------------------------------------------------

    \40\ March 7 Order, 146 FERC ] 61,166 at P 7.
---------------------------------------------------------------------------

NERC Petition
    53. The proposed Reliability Standard mentions resiliency in 
Requirement R5, stating in Requirement R5.1 that the physical security 
plans that entities develop shall include, among other attributes: 
``Resiliency or security measures designed collectively to deter, 
detect, delay, assess, communicate, and respond to potential physical 
threats and vulnerabilities identified during the evaluation conducted 
in Requirement R4.'' The NERC petition describes Requirement R5.1, with 
regard to resiliency, as referring to ``steps an entity may take that, 
while not specifically targeted as hardening the physical security of 
the site, help to decrease the potential adverse impact of a physical 
attack . . . including modifications to system topology or the 
construction of a new Transmission station . . . that would lessen the 
criticality of the facility.'' \41\
---------------------------------------------------------------------------

    \41\ NERC Petition at 42.
---------------------------------------------------------------------------

Discussion
    54. The NERC petition describes resiliency measures that could be 
included in the required physical security plans. However, specific 
resiliency measures are not required by the proposed Reliability 
Standard, which is consistent with the March 7 Order. Instead, the 
proposed Reliability Standard allows the security plans to be flexible 
in order to meet different threats and protect varying Bulk-Power 
System configurations.
    55. Resiliency is as, or even more, important than physical 
security given that physical security cannot protect against all 
possible attacks. In the case of the loss of a substation, the Bulk-
Power System may depend on resiliency to minimize the impact of the 
loss of facilities and restore blacked-out portions of the Bulk-Power 
System as quickly as possible. Some entities may implement resiliency 
measures rather than security measures, such as by adding facilities or 
operating procedures that reduce or eliminate the importance of 
existing critical facilities. Such measures could significantly improve 
reliability and resiliency.
    56. According to the NERC petition, the NERC Board of Trustees 
expects NERC management to monitor and assess the implementation of the 
proposed Reliability Standard on an ongoing basis.\42\ According to 
NERC, this effort includes: The number of assets identified as critical 
under the proposed Reliability Standard; the defining characteristics 
of the assets identified as critical; the scope of security plans 
(i.e., the types of security and resiliency measures contemplated under 
the various security plans); the timelines included in the security 
plan for implementing the security and resiliency measures; and 
industry progress in implementing the proposed Reliability Standard. 
NERC explains that this information could be used to provide regular 
updates to Commission staff.\43\ The Commission proposes to rely on 
NERC's ongoing assessment of the proposed Reliability Standard's 
implementation and to require NERC to make such information available 
to Commission staff upon request.
---------------------------------------------------------------------------

    \42\ NERC Petition at 14-15.
    \43\ Id.
---------------------------------------------------------------------------

    57. In addition, the Commission proposes to direct NERC to submit 
an informational filing that addresses the resiliency of the Bulk-Power 
System when confronted with the loss of critical facilities. The 
informational filing should explore what steps can be taken, in 
addition to those required by the proposed Reliability Standard, to 
maintain the reliable operation of the Bulk-Power System when faced 
with the loss or degradation of critical facilities. In this regard, we 
note that NERC issued a report on severe impact resilience in 2012.\44\ 
The filing proposed here could draw on NERC's 2012 report but should 
also reflect subsequent work and development on this topic, 
particularly non-confidential information regarding supply chain, 
transporting and other logistical issues for equipment such as large 
transformers. The Commission proposes to direct NERC to submit the 
informational filing within one year after the effective date of the 
final rule in this proceeding. The Commission seeks comment on this 
proposal.
---------------------------------------------------------------------------

    \44\ See NERC, Severe Impact Resilience: Considerations and 
Recommendations (May 2012), available at https://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf.
---------------------------------------------------------------------------

G. Violation Risk Factors and Violation Severity Levels

    58. Each requirement of proposed Reliability Standard CIP-014-1 
includes one violation risk factor and has an

[[Page 42741]]

associated set of at least one violation severity level. The ranges of 
penalties for violations will be based on the sanctions table and 
supporting penalty determination process described in the Commission-
approved NERC Sanction Guidelines, according to the NERC petition. The 
Commission proposes to approve the proposed violation risk factors and 
violation severity levels for the requirements proposed in Reliability 
Standard CIP-014-1 as consistent with the Commission's established 
guidelines.\45\
---------------------------------------------------------------------------

    \45\ North American Electric Reliability Corp., 135 FERC ] 
61,166 (2011).
---------------------------------------------------------------------------

H. Implementation Plan and Effective Date

    59. The NERC petition proposes that proposed Reliability Standard 
CIP-014-1 become effective the ``first day of the first calendar 
quarter that is six months beyond the date that this standard is 
approved by applicable regulatory authorities.'' In other words, the 
effective date of the proposed Reliability Standard would be the first 
day of the first calendar quarter that is six months after the 
effective date of a final rule in this proceeding approving the 
proposed Reliability Standard.\46\ NERC states that the initial risk 
assessment required under Requirement R1 must be completed by or before 
the effective date of the proposed Reliability Standard.\47\ As 
described in the requirements of the proposed Reliability Standard, 
NERC also identifies when Requirements R2, R3, R4, R5, and R6 must be 
complied with following the effective date of the proposed Reliability 
Standard. The Commission proposes to approve NERC's implementation plan 
and effective date for proposed Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \46\ NERC Petition, Exhibit B (Implementation Plan) at 1.
    \47\ Id.
---------------------------------------------------------------------------

III. Information Collection Statement

    60. The Office of Management and Budget (OMB) regulations require 
approval of certain information collection requirements imposed by 
agency rules. Upon approval of a collection(s) of information, OMB will 
assign an OMB control number and an expiration date. Respondents 
subject to the filing requirements of an agency rule will not be 
penalized for failing to respond to these collections of information 
unless the collections of information display a valid OMB control 
number. The Paperwork Reduction Act (PRA) requires each federal agency 
to seek and obtain OMB approval before undertaking a collection of 
information directed to ten or more persons, or contained in a rule of 
general applicability.
    61. The Commission is submitting these reporting requirements to 
OMB for its review and approval under section 3507(d) of the PRA. 
Comments are solicited on the Commission's need for this information, 
whether the information will have practical utility, ways to enhance 
the quality, utility, and clarity of the information to be collected, 
and any suggested methods for minimizing the respondent's burden, 
including the use of automated information techniques.
    62. The Commission based its paperwork burden estimates on the NERC 
compliance registry as of May 28, 2014. According to the registry, 
there are 357 transmission owners and 197 transmission operators. The 
NERC compliance registry also shows that there are only 19 transmission 
operators that are not also registered as a transmission owner.
    63. The following table shows the Commission's burden and cost 
estimates, broken down by requirement and year:

----------------------------------------------------------------------------------------------------------------
                                                                                  Average burden
   Requirements in reliability       Number of       Number of     Total number   hours and cost   Total burden
     standard CIP-014-1 over        respondents    responses per   of responses    per response      hours and
                                                    respondent                         \48\         total cost
Years 1-3                                    (1)             (2)     (1)*(2)=(3)             (4)         (3)*(4)
----------------------------------------------------------------------------------------------------------------
Year 1:
    R1..........................             357               1             357              20           7,140
                                                                                          $1,220        $435,540
    R2..........................             357               1             357              34          12,138
                                                                                          $2,342        $836,094
    R3..........................               2               1               2               1               2
                                                                                            $128            $256
    R4..........................              32               1              32              80           2,560
                                                                                          $4,880        $156,160
    R5..........................              32               1              32             320          10,240
                                                                                         $19,520        $624,640
    R6..........................              32               1              32             304           9,728
                                                                                         $18,812        $601,984
    Record Retention............             359               1             359               2             718
                                                                                             $64         $22,976
Year 2:
    Record Retention............             359               1             359               2             718
                                                                                             $64         $22,976
Year 3:
    R1..........................              30               1              30              20             600
                                                                                          $1,220         $36,600
    R2..........................              30               1              30              34           1,029
                                                                                          $2,342         $70,260
    R3..........................               2               1               2               1               2
                                                                                            $128            $256
    R4..........................              32               1              32              80           2,560
                                                                                          $4,880        $156,160
    R5..........................              32               1              32              80           2,560
                                                                                          $4,880        $156,160
    R6..........................              32               1              32             134           4,288
                                                                                          $8,442        $270,144

[[Page 42742]]

 
    Record Retention............             359               1             359               2             718
                                                                                             $64         $22,976
                                 -------------------------------------------------------------------------------
        Year 1 Total............  ..............  ..............  ..............  ..............          42,526
                                                                                                      $2,677,650
                                 -------------------------------------------------------------------------------
        Year 2 Total............  ..............  ..............  ..............  ..............             718
                                                                                                         $22,976
                                 -------------------------------------------------------------------------------
        Year 3 Total............  ..............  ..............  ..............  ..............          11,748
                                                                                                        $712,556
                                 ===============================================================================
            Total...............  ..............  ..............  ..............  ..............          54,992
                                                                                                      $3,413,182
----------------------------------------------------------------------------------------------------------------

     
---------------------------------------------------------------------------

    \48\ The estimates for cost per response are derived using the 
following formula: Average Burden Hours per Response * XX per Hour = 
Average Cost per Response. The hourly cost figures are based on 
wages plus benefits for engineers ($61/hr), attorneys ($128/hr), and 
administrative staff ($32/hr). These figures are based on Bureau of 
Labor Statistics wage and benefit data obtainable at https://www.bls.gov/oes/current/naics3_221000.htm and https://www.bls.gov/news.release/ecec.nr0.htm.
---------------------------------------------------------------------------

    64. In arriving at the figures in the above table, the Commission 
made the following assumptions:
    a. Requirement R1: We assume that responsible entities will 
complete the required risk assessment at approximately the same time as 
they complete the assessments required under the existing TPL 
Reliability Standards. Accordingly, the burden for proposed Reliability 
Standard CIP-014-1 only represents the documentation required in 
addition to what entities currently prepare. Conservatively, we assume 
that in the first year all transmission owners and transmission 
operators will complete the required risk assessment.\49\ In the third 
year, we assume that only 30 transmission operators will be required to 
do another risk assessment and that the entities with critical 
facilities after the first risk assessment will still have critical 
facilities after the second risk assessment.
---------------------------------------------------------------------------

    \49\ While it is likely that only large transmission owners and 
transmission operators will have critical facilities under 
Requirement R1, the Commission's estimate includes all transmission 
owners and operators because reliable data on what percentage of 
large owners and operators control critical facilities is 
unavailable.
---------------------------------------------------------------------------

    b. Requirement R5: We assume that developing physical security 
plans in the first year will be more time consuming than in later years 
because in later years the plans will likely only need to be updated.
    65. Title: FERC-725U, Mandatory Reliability Standards: Reliability 
Standard CIP-014-1.
    Action: Proposed collection of information.
    OMB Control No: To be determined.
    Respondents: Business or other for profit, and not for profit 
institutions.
    Frequency of Responses: Ongoing.
    Necessity of the Information: The proposed Reliability Standard 
CIP-014-1, if adopted, would implement the Congressional mandate of the 
Energy Policy Act of 2005 to develop mandatory and enforceable 
Reliability Standards to better ensure the reliability of the nation's 
Bulk-Power System. Specifically, the proposal would ensure that 
applicable entities with critical Bulk-Power System facilities develop 
and implement physical security plans to address physical security 
threats and vulnerabilities that could result in instability, 
uncontrolled separation, or cascading within an Interconnection.
    Internal review: The Commission has reviewed the proposed 
Reliability Standard and has determined that the proposed Reliability 
Standard is necessary to ensure the reliability and integrity of the 
Nation's Bulk-Power System.
    66. Interested persons may obtain information on the reporting 
requirements by contacting: Federal Energy Regulatory Commission, 888 
First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office 
of the Executive Director, email: DataClearance@ferc.gov, Phone: (202) 
502-8663, fax: (202) 273-0873]. Comments on the requirements of this 
rule may also be sent to the Office of Information and Regulatory 
Affairs, Office of Management and Budget, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission]. 
For security reasons, comments should be sent by email to OMB at oira_submission@omb.eop.gov. Comments submitted to OMB should include Docket 
Number RM14-15-000.

IV. Environmental Analysis

    67. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\50\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\51\ The actions proposed here 
fall within this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------

    \50\ Regulations Implementing the National Environmental Policy 
Act, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. 
Regulations Preambles 1986-1990 ] 30,783 (1987).
    \51\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act

    68. The Regulatory Flexibility Act of 1980 (RFA) \52\ generally 
requires a description and analysis of proposed rules that will have 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \52\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    69. The Small Business Administration (SBA) recently revised its 
size standard (effective January 22, 2014) for electric utilities from 
a standard based on megawatt hours to a standard based on the number of 
employees, including affiliates.\53\ Under SBA's new size standards, 
transmission

[[Page 42743]]

owners and transmission operators likely come under the following 
category and associated size threshold: Electric bulk power 
transmission and control, at 500 employees.\54\
---------------------------------------------------------------------------

    \53\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77,343 (Dec. 23, 2013).
    \54\ 13 CFR 121.201, Sector 22, Utilities.
---------------------------------------------------------------------------

    70. Based on U.S. economic census data, the approximate percentage 
of small firms in this category is 57 percent.\55\ Currently, the 
Commission does not have information concerning how the economic census 
data compares with entities registered with NERC and is unable to 
estimate the number of small transmission owners and transmission 
operators using the new SBA definition. However, the Commission 
recognizes that proposed Reliability Standard CIP-014-1 only applies to 
transmission owners and transmission operators that own and/or operate 
certain critical Bulk-Power System facilities. The Commission believes 
that the proposed Reliability Standard will be applicable to a 
relatively small group of large entities and that an even smaller 
subset of large entities will have to comply with each of the 
requirements in the proposed Reliability Standard.
---------------------------------------------------------------------------

    \55\ Data and further information are available on the SBA Web 
site. See SBA Firm Size Data, available at https://www.sba.gov/advocacy/849/12162.
---------------------------------------------------------------------------

    71. Based on the above, the Commission certifies that proposed 
Reliability Standard CIP-014-1 will not have a significant impact on a 
substantial number of small entities. Accordingly, no initial 
regulatory flexibility analysis is required. The Commission seeks 
comment on this proposal.

VI. Comment Procedures

    72. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due September 8, 2014. Reply comments are due 
September 22, 2014. Comments must refer to Docket No. RM14-15-000, and 
must include the commenter's name, the organization they represent, if 
applicable, and their address in their comments.
    73. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's Web site at https://www.ferc.gov. The Commission accepts most standard word processing 
formats. Documents created electronically using word processing 
software should be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    74. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    75. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

VII. Document Availability

    76. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (https://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington, DC 20426.
    77. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    78. User assistance is available for eLibrary and the Commission's 
Web site during normal business hours from the Commission's Online 
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at 
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
public.referenceroom@ferc.gov.

     Issued: July 17, 2014.

    By direction of the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2014-17231 Filed 7-22-14; 8:45 am]
BILLING CODE 6717-01-P