Mandatory Reliability Standards for Critical Infrastructure Protection, 43970-44013 [E7-14710]

Agencies

• DEPARTMENT OF ENERGY
• Federal Energy Regulatory Commission

[Federal Register Volume 72, Number 150 (Monday, August 6, 2007)]
[Proposed Rules]
[Pages 43970-44013]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-14710]



[[Page 43969]]

-----------------------------------------------------------------------

Part IV





Department of Energy





-----------------------------------------------------------------------



Federal Energy Regulatory Commission



-----------------------------------------------------------------------



18 CFR Part 39



Mandatory Reliability Standards for Critical Infrastructure Protection; 
Proposed Rule

Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / 
Proposed Rules

[[Page 43970]]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 39

[Docket No. RM06-22-000]


Mandatory Reliability Standards for Critical Infrastructure 
Protection

July 20, 2007.
AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: Pursuant to section 215 of the Federal Power Act (FPA), the 
Federal Energy Regulatory Commission (Commission), proposes to approve 
eight Critical Infrastructure Protection (CIP) Reliability Standards 
submitted to the Commission for approval by the North American Electric 
Reliability Corporation (NERC). The CIP Reliability Standards require 
certain users, owners, and operators of the Bulk-Power System to comply 
with specific requirements to safeguard critical cyber assets. In 
addition, pursuant to section 215(d)(5) of the FPA, the Commission 
proposes to direct NERC to develop modifications to the CIP Reliability 
Standards to address specific concerns identified by the Commission. 
Approval of these standards will help protect the nation's Bulk-Power 
System against potential disruptions from cyber attacks.

DATES: Comments are due October 5, 2007.

ADDRESSES: You may submit comments, identified by docket number by any 
of the following methods:
     Agency Web Site: https://ferc.gov. Follow the instructions 
for submitting comments via the eFiling link found in the Comment 
Procedures section of the preamble.
     Mail/Hand Delivery: Commenters unable to file comments 
electronically must mail or hand deliver an original and 14 copies of 
their comments to the Federal Energy Regulatory Commission, Secretary 
of the Commission, 888 First Street, NE., Washington, DC 20426. Please 
refer to the Comment Procedures section of the preamble for additional 
information on how to file paper comments.

FOR FURTHER INFORMATION CONTACT: Gary Cohen (Legal Information), Office 
of the General Counsel, Federal Energy Regulatory Commission, 888 First 
Street, NE., Washington, DC 20426, (202) 502-8321.
    Paul Silverman (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street, NE., 
Washington, DC 20426, (202) 502-8683.
    Regis Binder (Technical Issues), Office of Energy Markets and 
Reliability, Federal Energy Regulatory Commission, 888 First Street, 
NE., Washington, DC 20426, (202) 502-6460.
    Jan Bargen (Technical Issues), Office of Energy Markets and 
Reliability, Federal Energy Regulatory Commission, 888 First Street, 
NE., Washington, DC 20426, (202) 502-6333.

SUPPLEMENTARY INFORMATION:

                            Table of Contents
 
                                                               Paragraph
                                                                Numbers
 
I. Background...............................................          2.
    A. EPAct 2005 and Mandatory Reliability Standards.......          2.
    B. Development of CIP Reliability Standards.............          7.
    C. CIP Assessment.......................................         11.
II. Discussion..............................................         13.
    A. General Issues.......................................         13.
        1. Cyber Security Challenges........................         13.
        2. Applicability....................................         21.
        3. Compliance Measured by Outcome...................         32.
        4. Implementation Plan..............................         42.
        5. Issues Presented by Terminology..................         50.
        6. Guidance for Improving CIP Reliability Standards.         87.
    B. Discussion of Each CIP Reliability Standard..........         89.
        1. CIP-002-1--Critical Cyber Asset Identification...         89.
        2. CIP-003-1--Security Management Controls..........        120.
        3. CIP-004-1--Personnel and Training................        149.
        4. CIP-005-1--Electronic Security Perimeter(s)......        176.
        5. CIP-006-1--Physical Security of Critical Cyber           204.
         Assets.............................................
        6. CIP-007-1--Systems Security Management...........        223.
        7. CIP-008-1--Incident Reporting and Response               265.
         Planning...........................................
        8. CIP-009-1--Recovery Plans for Critical Cyber             289.
         Assets.............................................
    C. Violation Risk Factors...............................        321.
        1. Background.......................................        321.
        2. Commission Proposal..............................        324.
III. Information Collection Statement.......................        332.
IV. Environmental Analysis..................................        339.
V. Regulatory Flexibility Act Certification.................        340.
VI. Comment Procedures......................................        350.
VII. Document Availability..................................        353.
Appendix A List of Commenters...............................  ..........
Appendix B Violation Risk Factors: Proposed Dispositions....  ..........
 

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. 
Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.
    1. Pursuant to section 215 of the Federal Power Act (FPA), the 
Commission proposes to approve eight Critical Infrastructure Protection 
(CIP) Reliability Standards submitted to the Commission for approval by 
the North American Electric Reliability Corporation (NERC). The CIP 
Reliability Standards require certain users, owners, and operators of 
the Bulk-Power System to comply with specific requirements to safeguard 
critical cyber assets.\1\ In

[[Page 43971]]

addition, pursuant to section 215(d)(5) of the FPA, the Commission 
proposes to direct NERC to develop modifications to the CIP Reliability 
Standards to address specific concerns identified by the Commission.
---------------------------------------------------------------------------

    \1\ In the context of the CIP Reliability Standards, cyber 
assets are programmable electronic devices and communication 
networks including hardware, software, and data. See note 69, infra.
---------------------------------------------------------------------------

I. Background

A. EPAct 2005 and Mandatory Reliability Standards

    2. On August 8, 2005, the Electricity Modernization Act of 2005, 
which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct 
2005), was enacted into law.\2\ EPAct 2005 adds a new section 215 to 
the FPA, which requires a Commission-certified Electric Reliability 
Organization (ERO) to develop mandatory and enforceable Reliability 
Standards, which are subject to Commission review and approval. Once 
approved, the Reliability Standards may be enforced by the ERO subject 
to Commission oversight, or the Commission can independently enforce 
Reliability Standards.\3\
---------------------------------------------------------------------------

    \2\ Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII, 
Subtitle A, 119 Stat. 594, 941 (2005), to be codified at 16 U.S.C. 
824o.
    \3\ 16 U.S.C. 824o(e)(3).
---------------------------------------------------------------------------

    3. On February 3, 2006, the Commission issued Order No. 672, 
implementing section 215 of the FPA.\4\ Pursuant to Order No. 672, the 
Commission certified one organization, NERC, as the ERO.\5\ The 
Reliability Standards developed by the ERO and approved by the 
Commission will apply to users, owners and operators of the Bulk-Power 
System, as set forth in each Reliability Standard.
---------------------------------------------------------------------------

    \4\ Rules Concerning Certification of the Electric Reliability 
Organization; Procedures for the Establishment, Approval and 
Enforcement of Electric Reliability Standards, Order No. 672, 71 FR 
8662 (Feb. 17, 2006), FERC Stats. & Regs. ] 31,204 (2006), order on 
reh'g, Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), FERC Stats. & 
Regs. ] 31,212 (2006).
    \5\ North American Electric Reliability Corp., 116 FERC ] 61,062 
(ERO Certification Order), order on reh'g & compliance, 117 FERC ] 
61,126 (ERO Rehearing Order) (2006), order on compliance, 118 FERC ] 
61,030 (2007) (Jan. 2007 Compliance Order), appeal docket sub nom. 
Alcoa, Inc. v. FERC, No. 06-1426 (D.C. Cir. Dec. 29, 2006).
---------------------------------------------------------------------------

    4. Pursuant to section 215(d)(2) of the FPA and Sec.  39.5(c) of 
the Commission's regulations, the Commission is required to give due 
weight to the technical expertise of the ERO with respect to the 
content of a Reliability Standard or to a Regional Entity organized on 
an Interconnection-wide basis with respect to a proposed Reliability 
Standard or a proposed modification to a Reliability Standard to be 
applicable within that Interconnection.\6\
---------------------------------------------------------------------------

    \6\ 18 CFR 39.5(c)(1), to be codified at 16 U.S.C.824o.
---------------------------------------------------------------------------

    5. The ERO must file with the Commission each new or modified 
Reliability Standard that it proposes to be made effective under 
section 215 of the FPA. The Commission can then approve or remand the 
Reliability Standard. The Commission also can, among other actions, 
direct the ERO to modify an approved Reliability Standard to address a 
specific matter if it considers this appropriate to carry out section 
215 of the FPA.\7\ Only Reliability Standards approved by the 
Commission will become mandatory and enforceable.
---------------------------------------------------------------------------

    \7\ Section 215(d)(5) of the FPA.
---------------------------------------------------------------------------

    6. On April 4, 2006, as modified on August 28, 2006, NERC submitted 
to the Commission a petition seeking approval of 107 proposed 
Reliability Standards. On March 16, 2007, the Commission issued a final 
rule, Order No. 693, approving 83 of these 107 Reliability Standards 
and directing other action related to these Reliability Standards.\8\
---------------------------------------------------------------------------

    \8\ Mandatory Reliability Standards for the Bulk-Power System, 
Order No. 693, 72 FR 16416 (Apr. 4, 2007), FERC Stats. & Regs. ] 
31,242 (2007); reh'g pending.
---------------------------------------------------------------------------

B. Development of CIP Reliability Standards

    7. In August 2003, NERC approved the Urgent Action 1200 standard, 
which was the first comprehensive cyber security standard for the 
electric industry. This voluntary standard applied to control areas 
(i.e., balancing authorities), transmission owners and operators, and 
generation owners and operators that perform defined functions. 
Specifically, it established a self-certification process relating to 
the security of system control centers of the applicable entities. The 
Urgent Action 1200 standard remained in effect on a voluntary basis 
until June 1, 2006, at which time the eight CIP Reliability Standards 
that are the subject of the current rulemaking replaced the Urgent 
Action 1200 standard.
    8. On August 28, 2006, NERC submitted to the Commission for 
approval the following eight proposed CIP Reliability Standards:\9\
---------------------------------------------------------------------------

    \9\ The proposed Reliability Standards are not proposed to be 
codified in the CFR and are not attached to the NOPR. They are, 
however, available on the Commission's eLibrary document retrieval 
system in Docket No. RM06-22-000 and are available on the ERO's Web 
site, https://www.nerc.com/filez/standards/Reliability_
Standards.html#Critical_Infrastructure_Protection.
---------------------------------------------------------------------------

     CIP-002-1--Cyber Security--Critical Cyber Asset 
Identification: Requires a responsible entity to identify its critical 
assets and critical cyber assets using a risk-based assessment 
methodology.
     CIP-003-1--Cyber Security--Security Management Controls: 
Requires a responsible entity to develop and implement security 
management controls to protect critical cyber assets identified 
pursuant to CIP-002-1.
     CIP-004-1--Cyber Security--Personnel & Training: Requires 
personnel with access to critical cyber assets to have an identity 
verification and a criminal check. It also requires employee training.
     CIP-005-1--Cyber Security--Electronic Security Perimeters: 
Requires the identification and protection of an electronic security 
perimeter and access points. The electronic security perimeter is to 
encompass the critical cyber assets identified pursuant to the risk-
based assessment methodology required by CIP-002-1.
     CIP-006-1--Cyber Security--Physical Security of Critical 
Cyber Assets: Requires a responsible entity to create and maintain a 
physical security plan that ensures that all cyber assets within an 
electronic security perimeter are kept in an identified physical 
security perimeter.
     CIP-007-1--Cyber Security--Systems Security Management: 
Requires a responsible entity to define methods, processes, and 
procedures for securing the systems identified as critical cyber 
assets, as well as the non-critical cyber assets within an electronic 
security perimeter.
     CIP-008-1--Cyber Security--Incident Reporting and Response 
Planning: Requires a responsible entity to identify, classify, respond 
to, and report cyber security incidents related to critical cyber 
assets.
     CIP-009-1--Cyber Security--Recovery Plans for Critical 
Cyber Assets: Requires the establishment of recovery plans for critical 
cyber assets using established business continuity and disaster 
recovery techniques and practices.
    9. NERC stated that these Reliability Standards provide a 
comprehensive set of requirements to protect the Bulk-Power System from 
malicious cyber attacks.\10\ They require Bulk-Power System users, 
owners, and operators to establish a risk-based vulnerability 
assessment methodology and use that methodology to identify and 
prioritize critical assets and critical cyber assets. Once the critical 
cyber assets are identified, the CIP Reliability Standards require, 
among other things, that the responsible entities establish plans,

[[Page 43972]]

protocols, and controls to safeguard physical and electronic access, to 
train personnel on security matters, to report security incidents, and 
to be prepared for recovery actions. Further, NERC explained that, 
because of the expanded scope of facilities and entities covered by the 
eight CIP Reliability Standards, and the investment in security 
upgrades required in many cases, NERC has also developed an 
implementation plan that provides for a three-year phase-in to achieve 
full compliance with all requirements.\11\
---------------------------------------------------------------------------

    \10\ NERC Filing at 24.
    \11\ Id. at 24: Exhibit B (Implementation Plan for Cyber 
Security Standards).
---------------------------------------------------------------------------

    10. Each proposed Reliability Standard uses a common organizational 
format that includes five sections, as follows: (A) Introduction, which 
includes ``Purpose'' and ``Applicability'' sub-sections; (B) 
Requirements; (C) Measures; (D) Compliance; and (E) Regional 
Differences. In this NOPR, these section titles are capitalized when 
referencing a designated provision of a Reliability Standard.

C. CIP Assessment

    11. On December 11, 2006, the Commission released a ``Staff 
Preliminary Assessment of the North American Electric Reliability 
Corporation's Proposed Mandatory Reliability Standards on Critical 
Infrastructure Protection'' (CIP Assessment). The CIP Assessment 
identified staff's preliminary observations and concerns regarding the 
eight proposed CIP Reliability Standards. The CIP Assessment described 
issues common to a number of the proposed CIP Reliability Standards. It 
also reviewed and identified issues regarding each individual CIP 
Reliability Standard but did not make specific recommendations 
regarding the appropriate action on a particular proposal.
    12. Comments on the CIP Assessment were due by February 12, 2007. 
Entities that filed comments are listed in Appendix A to this NOPR.

II. Discussion

A. General Issues

1. Cyber Security Challenges
    13. The CIP Reliability Standards represent the most thorough 
attempt to date to address cyber security issues that relate to the 
Bulk-Power System. For many years the control systems for the Bulk-
Power System have operated in a stand-alone environment without 
computer or communication links to an external Information Technology 
(IT) infrastructure. However, over recent years, such stand-alone 
enclaves have been increasingly connected to both the corporate 
environment and the external world.
    14. Modern computer and communication network interconnection 
brings with it the potential for cyber attacks on these systems. These 
concerns become particularly critical when several entities come under 
attack simultaneously. The CIP Assessment identified ``defense in 
depth'' as a widely recognized strategy to address cyber threats. 
Defense in depth involves the layering of various defense mechanisms in 
a way that either discourages an adversary from continuing an attack or 
aids in early detection of cyber threats.
    15. A major challenge to preserving system protection is that 
changes occur rapidly in system architectures, technology, and threats. 
As a result, cyber security strategies must comprise a layered, 
interwoven approach to vigilantly protect the Bulk-Power System against 
evolving cyber security threats.
    16. Cyber security involves a careful balance of the technologies 
available with the existing control equipment and the functions they 
perform. Cyber security does have purely technical components, which 
consist of the various available technologies to defend computer 
systems. The task of balancing technical options comes into play as one 
selects and combines the various available technologies into a 
comprehensive architecture to protect the specific computer 
environment.
    17. A key to the successful cyber protection of the Bulk-Power 
System will be the establishment of CIP Reliability Standards that 
provide sound, reliable direction on how to choose among alternatives 
to achieve an adequate level of security, and the flexibility to make 
those choices. This conclusion is consistent with the lessons learned 
from the August 2003 blackout occurring in the central and northeastern 
United States. The identification of the causes of that and other 
previous major blackouts helped determine where existing Reliability 
Standards need modification or new Reliability Standards need to be 
developed to improve Bulk-Power System reliability. The U.S.--Canada 
Power System Blackout Task Force, in its Blackout Report, developed 
specific recommendations for the improving the then-current voluntary 
standards and development of new Reliability Standards.\12\
---------------------------------------------------------------------------

    \12\ U.S.--Canada Power System Blackout Task Force, Final Report 
on the August 14, 2003 Blackout in the United States and Canada: 
Causes and Recommendations (April 2004) (Blackout Report). The 
Blackout Report is available on the Internet at https://www.ferc.gov/
industries/electric/indus-act/blackout.asp.
---------------------------------------------------------------------------

    18. Thirteen of the 46 Blackout Report Recommendations relate to 
cyber security. They address topics such as the development of cyber 
security policies and procedures; strict control of physical and 
electronic access to operationally sensitive equipment; assessment of 
cyber security risks and vulnerability at regular intervals; capability 
to detect wireless and remote wireline intrusion and surveillance; 
guidance on employee background checks; procedures to prevent or 
mitigate inappropriate disclosure of information; and improvement and 
maintenance of cyber forensic and diagnostic capabilities.\13\ The 
proposed CIP Reliability Standards address these and related topics.
---------------------------------------------------------------------------

    \13\ See Blackout Report at 163-169, Recommendations 32-44.
---------------------------------------------------------------------------

    19. As we noted in Order No. 693, the Blackout Report 
recommendations address key issues for assuring Bulk-Power System 
reliability and represent a well-reasoned and sound basis for 
action.\14\ Likewise, in this NOPR, the Commission recognizes the 
merits of specific Blackout Report recommendations as a basis for 
proposing certain modifications to the eight CIP Reliability Standards 
that the Commission proposes to approve.
---------------------------------------------------------------------------

    \14\ See Order No. 693 at P 234.
---------------------------------------------------------------------------

    20. We recognize that the guidance and directives in the cyber 
security Reliability Standards themselves must also strike a reasonable 
balance. If the provisions are overly prescriptive they tend to become 
a ``one size fits all'' solution, which does not suit this environment, 
where systems vary greatly in architecture, technology, and risk 
profile. However, if Reliability Standards lack sufficient detail, they 
will provide little useful direction, thereby making compliance and 
enforcement difficult, allow flawed implementation of security 
mechanisms, and result in inadequate protection. The Commission will 
evaluate the proposed CIP Reliability Standards in the context of the 
above over-arching considerations.
2. Applicability
    21. The Applicability section of each proposed CIP Reliability 
Standard identifies the following 11 categories of responsible entities 
that must comply

[[Page 43973]]

with the Reliability Standard: reliability coordinators, balancing 
authorities, interchange authorities, transmission service providers, 
transmission owners, transmission operators, generator owners, 
generator operators, load serving entities, NERC, and Regional 
Reliability Organizations.
    22. The CIP Assessment raised two issues regarding applicability of 
the CIP Reliability Standards. First, it stated that, although it is 
likely that NERC and the Regional Entities \15\ are not directly 
subject to mandatory Reliability Standards, their compliance with the 
CIP Reliability Standards is important to the extent that they have 
cyber communications with users, owners or operators of the Bulk-Power 
System.\16\ The CIP Assessment suggested that NERC and Regional Entity 
compliance could be required pursuant to NERC's Rules of Procedure. 
Some commenters pointed out that NERC out-sources critical application 
systems that are relied upon by many responsible entities, such as the 
Interchange Distribution Calculator, and suggest that the out-source 
provider should be contractually compelled to comply with the CIP 
Reliability Standards, with NERC ultimately responsible for non-
compliance.\17\
---------------------------------------------------------------------------

    \15\ In Order No. 693, at P 157, the Commission directed NERC to 
remove all references to the Regional Reliability Organization and 
replace them with a reference to the Regional Entity where 
appropriate. This directive should apply to the CIP Reliability 
Standards as well.
    \16\ See CIP Assessment at 12-14.
    \17\ E.g., ISO-NE, ISO/RTO Council, and SPP.
---------------------------------------------------------------------------

    23. Second, the CIP Assessment raised concerns about the 
appropriateness of a size threshold, below which small entities would 
be exempt from compliance. It explained that, while the assets and 
operations of a smaller entity may not have a major day-to-day 
operational impact on the Bulk-Power System, such an entity can provide 
a cyber gateway to compromise larger users, owners, or operators of the 
Bulk-Power System. When attacked simultaneously with the facilities of 
other small entities, the aggregate result could have an adverse impact 
on the reliability of the Bulk-Power System. Thus, the CIP Assessment 
suggested that a key to any determination of whether an entity should 
be subject to the CIP Reliability Standards is whether or not it is a 
user, owner, or operator of the Bulk-Power System and whether it has a 
cyber connection to other users, owners or operators of the Bulk-Power 
System. The CIP Assessment concluded that the CIP Reliability Standards 
should apply to all users, owners, or operators regardless of size, 
because a relatively small entity could have critical importance from a 
cyber security perspective.
    24. A number of commenters stated that the focus should be on those 
entities that own or operate critical assets, rather than being 
addressed in terms of ``large'' or ``small'' size of entities.\18\ 
These commenters warn that a blanket waiver that uniformly exempts 
small entities from compliance with certain provisions of the proposed 
CIP Reliability Standards therefore would not be appropriate. NERC and 
other commenters maintain that applicability should not be determined 
based on cyber connections but, rather by identifying those users, 
owners and operators of the Bulk-Power System that own or operate 
critical assets and associated critical cyber assets. Another group of 
commenters urge that the Commission not impose the same compliance 
obligations on smaller entities as on larger entities when a violation 
by the smaller entity would not have a critical impact on the Bulk-
Power System. They maintain that adverse impacts on the grid from small 
entities would be an uncommon occurrence and urge a case-by-case 
approach to granting waivers from compliance with the CIP Reliability 
Standards.\19\
---------------------------------------------------------------------------

    \18\ E.g., Allegheny, California PUC, EEI, Georgia System, ISO-
NE, MidAmerican, NERC, ReliabilityFirst, Northeast Utilities, NRECA, 
Ontario IESO, Tampa Electric, and Xcel.
    \19\ E.g., APPA/LPPC and Santa Clara.
---------------------------------------------------------------------------

Commission Proposal
    25. With regard to the applicability of the CIP Reliability 
Standards to the ERO, NERC has modified its Rules of Procedure to 
provide that the ERO will comply with each Reliability Standard that 
identifies the ERO as an applicable entity.\20\ Similarly, the 
delegation agreements between NERC and each of the eight Regional 
Entities expressly state that the Regional Entity is committed to 
comply with approved Reliability Standards.\21\ The Commission believes 
that this approach is sufficient and, accordingly, does not propose any 
additional measures or revisions on this issue.
---------------------------------------------------------------------------

    \20\ See NERC Rules of Procedure, section 100.
    \21\ See North American Electric Reliability Corp., 119 FERC ] 
61,060 at P 4-5 (2007) (approving the delegation agreements and 
directing certain modifications).
---------------------------------------------------------------------------

    26. The Commission's determinations in Order No. 693 are relevant 
to deciding the applicability of the CIP Reliability Standards to small 
entities. In Order No. 693, the Commission approved NERC's compliance 
registry process as a reasonable means ``to ensure that the proper 
entities are registered and that each knows which Commission-approved 
Reliability Standard(s) are applicable to it.'' \22\ Further, the 
Commission approved NERC registry criteria that identify specific 
categories of users, owners and operators of the Bulk-Power System and 
criteria for registering entities within each of the categories.\23\
---------------------------------------------------------------------------

    \22\ Order No. 693 at P 92, quoting ERO Certification Order, 116 
FERC ] 61,062 at P 689.
    \23\ Order No. 693 at P 93-95. NERC's Statement of Compliance 
Registry Criteria (Revision 3), approved by the Commission in Order 
No. 693, is available on NERC's Web site at: ftp://www.nerc.com/pub/
sys/all_updl/ero/Statement_of_Compliance_Registry_Criteria_
Rev3.pdf.
---------------------------------------------------------------------------

    27. The Commission will also rely on the NERC registration process 
to determine applicability with the CIP Reliability Standards. In other 
words, an entity would be responsible to comply with the CIP 
Reliability Standards if the entity is (1) registered by NERC under one 
or more functional categories and (2) within a functional category for 
which the entity is registered as identified in the Applicability 
section of the CIP Reliability Standards. However, even though it is 
the Commission's present intention to rely on the NERC registration 
process to identify appropriate entities, we remain concerned about the 
possibility of entities not identified by the registration process 
becoming a weakness in the security of the Bulk-Power System. In this 
regard, we note that, in Order No. 693, the Commission explained that, 
``if there is an entity that is not registered and NERC later discovers 
that the entity should have been subject to the Reliability Standards, 
NERC has the ability to add the entity, and possibly other entities of 
a similar class, to the registration list * * *.'' \24\ In addition, in 
Order No. 693, the Commission indicated that it would further examine 
applicability issues under section 215 of the FPA in a future 
proceeding, and notes the same intention here.\25\
---------------------------------------------------------------------------

    \24\ Order No. 693 at P 97.
    \25\ Id. at P 77.
---------------------------------------------------------------------------

    28. Regarding our concern about small entities becoming a gateway 
for cyber attacks, some commenters argue that the Commission should not 
focus on cyber connections to determine applicability of the CIP 
Reliability Standards. Others state that it would be uncommon for a 
small entity to cause an adverse impact upon the grid. The Commission's 
reliance upon the NERC registration process to determine the 
applicability of the CIP Reliability Standards is in part based upon 
our expectation that industry will use the ``mutual distrust'' posture 
discussed below regarding CIP-

[[Page 43974]]

003-1. The term ``mutual distrust'' is used to denote how these 
``outside world'' systems are treated by those inside the control 
system. A mutual distrust posture requires each responsible entity that 
has identified critical cyber assets to protect itself and not trust 
any communication crossing an electronic security perimeter, regardless 
of where that communication originates.
    29. Similarly, the Commission is relying on the NERC registration 
process to include all critical assets and associated critical cyber 
assets. For example, if assets are important to the reliability of the 
Bulk-Power System, such as black start units, we would expect that the 
NERC registration process would identify the owners or operators of 
those units as critical, and require them to register, even though the 
facilities may be ``smaller'' or at low voltages. Demand side 
aggregators might also need to be included in the NERC registration 
process if their load shedding capacity would affect the reliability or 
operability of the Bulk-Power System.
    30. As discussed later, as an initial compliance step, each entity 
that is responsible for compliance with the CIP Reliability Standards 
must identify critical assets through the application of a risk-based 
assessment as required by CIP-002-1. Whether that entity must comply 
with the remainder of the requirements in the CIP Reliability Standards 
would depend on the outcome of that assessment and the subsequent 
identification of critical cyber assets, also required by CIP-002-1. 
Thus, CIP-002-1 acts as a filter, determining which entities must 
comply with the remaining CIP requirements (i.e., CIP-003-1 through 
CIP-009-1).
    31. The Commission agrees with the commenters that access to 
information essential to the operation of critical cyber assets by out-
sourced entities that are not otherwise subject to the CIP Reliability 
Standards presents a potential vulnerability to the Bulk-Power System. 
We understand that, on occasion, NERC negotiates contracts with such 
third party vendors, and the products developed by the vendors are then 
used by responsible entities that, as owners of the critical cyber 
assets, are ultimately responsible for their cyber security protection 
under the CIP Reliability Standards. The Commission invites comment on 
whether and how such out-sourced entities should be contractually 
obligated to comply with the CIP Reliability Standards while satisfying 
their other contractual obligations.
3. Compliance Measured by Outcome
a. Performance-Based Standards
    32. The CIP Assessment expressed concern that the lack of 
specificity within the proposed CIP Reliability Standards could result 
in inadequate implementation efforts and inconsistent results.\26\ 
NERC, along with a number of other commenters, states that the CIP 
Reliability Standards are not prescriptive, positing that the level of 
specificity they embody is appropriate. NERC explains that the use of a 
performance-based structure frames the CIP Reliability Standards in 
terms of required results or outcomes with criteria for verifying 
compliance, but without prescribing the methods for achieving the 
required results. In other words, the specific means to achieve that 
outcome are left to the discretion of the responsible entity. Such an 
approach contrasts with a prescribed or design-based standard. NERC 
concludes that, when taken together, the proposed Reliability Standards 
constitute a comprehensive set of cyber security activities, stating 
that it is more important that a pre-defined, desirable outcome is 
achieved than prescribing the means to that end.
---------------------------------------------------------------------------

    \26\ CIP Assessment at 3.
---------------------------------------------------------------------------

    33. The Commission generally agrees that use of performance-based 
standards is a part of the design of cyber security safeguards for the 
Bulk-Power System's critical assets. However, as we indicated in Order 
No. 672, performance-based standards may not always be appropriate, for 
example, in situations where ``the `how' may be inextricably linked to 
the Reliability Standard and may need to be specified to ensure the 
enforceability of the standard.'' \27\ Accordingly, where necessary, 
the Commission proposes to direct NERC to modify the CIP Reliability 
Standards to address the ``how.'' Moreover, the Commission is concerned 
that, while NERC explains that the CIP Reliability Standards are 
performance-based, the CIP Reliability Standards do not provide a 
mechanism to measure performance or otherwise determine whether a 
responsible entity has met the goals of a particular requirement set 
forth in the standards.
---------------------------------------------------------------------------

    \27\ Order No. 672 at P 260. The Commission also explained that, 
for some Reliability Standards, ``leaving out implementation 
features could [inter alia] sacrifice necessary uniformity in 
implementation * * *''.
---------------------------------------------------------------------------

    34. The Commission believes that monitoring the performance of 
responsible entities identified in the CIP Reliability Standards 
involves three strategies. First, it is important that there be both 
internal and external oversight of the responsible entity's activities. 
While the proposed Reliability Standards embody internal management 
oversight strategies, there should also be oversight that embodies a 
wide-area view. Second, when flexibility is exercised in a way that 
excepts an entity from a Requirement, such action should be monitored, 
documented, and periodically revisited to determine consistency and 
effectiveness of the implementation. Third, reporting certain wide-area 
information and analysis to the Commission is vital to its role in 
ensuring that approved CIP Reliability Standards achieve on an ongoing 
basis an adequate level of cyber security protection to the Bulk-Power 
System. These three strategies are applied in our discussion below of 
various provisions of the CIP Reliability Standards.
b. Adequacy of Outcomes
    35. The CIP Assessment explained that many of the Requirements in 
the proposed CIP Reliability Standards consist of broad directives, and 
that the Measures and Compliance provisions focus largely on proper 
documentation. The Reliability Standards themselves do not explain the 
interplay between the Requirements, on one hand, and the Measures and 
Levels of Non-Compliance, on the other.
    36. The CIP Assessment expressed the view that the focus of the 
Measures and Compliance provisions on documentation could be 
interpreted to suggest that possession of documentation can demonstrate 
compliance, regardless of the quality of its contents. It suggested 
that compliance with the CIP Reliability Standards must be understood 
in terms of compliance with the Requirements, which, according to NERC, 
define what an entity must do to be compliant and establishes an 
enforceable obligation.
Comments
    37. NERC and others do not share the CIP Assessment concern 
regarding the focus on documentation.\28\ NERC and ReliabilityFirst 
acknowledge the extensive use of documentation throughout the CIP 
Reliability Standards, but note that the majority of this documentation 
is used to demonstrate that the Requirements have been met. NERC 
indicates that, while the ``mere possession of documentation'' does not 
guarantee compliance, appropriate documentation is essential to 
demonstrate that steps to comply with the Requirements have been taken 
and will streamline after-the-

[[Page 43975]]

fact compliance audits. Similarly, EEI believes that the quality of the 
documentation is an important factor for assessing compliance and 
should be the subject of an audit. FirstEnergy and Santa Clara state 
that it would be helpful for NERC to provide guidance on what 
constitutes reasonable documentation.
---------------------------------------------------------------------------

    \28\ E.g., ReliabilityFirst, APPA/LPPC, and SPP.
---------------------------------------------------------------------------

    38. Others raise concerns regarding the emphasis on documentation. 
For example, Duke Energy agrees with the CIP Assessment that the CIP 
Reliability Standards rely heavily on documentation to verify 
compliance. Duke Energy believes that the accumulation of documentation 
to facilitate audits may prove to be less than optimum for the CIP 
Reliability Standards and suggests that efforts to improve the CIP 
Requirements should gradually focus less on documentation, and more on 
the actual level of cyber security to be implemented by the responsible 
entity. ISA Group states that the CIP Reliability Standards do not 
specify clear Requirements and do not provide sufficient guidance. ISA 
Group believes that the clarity and detail of the Levels of Non-
Compliance in terms of documentation give the impression that the 
documentation is the focus of the CIP Reliability Standards.
Commission Proposal
    39. The Commission agrees with NERC that, while documentation is 
necessary, the documentation by itself does not satisfy the 
Requirements of a Reliability Standard. Rather, implementation of the 
substance of the Requirements is most important in determining 
compliance. As we explained in Order No. 693, ``while Measures and 
Levels of Non-Compliance provide useful guidance to the industry, 
compliance will in all cases be measured by determining whether a party 
met or failed to meet the Requirement given the specific facts and 
circumstances of its use, ownership or operation of the Bulk-Power 
System.'' \29\ Moreover, the Commission recognized that:
---------------------------------------------------------------------------

    \29\ Order No. 693 at P 253.

    The most critical element of a Reliability Standard is the 
Requirements. As NERC explains, ``the Requirements within a standard 
define what an entity must do to be compliant * * * [and] binds an 
entity to certain obligations of performance under section 215 of 
the FPA.'' If properly drafted, a Reliability Standard may be 
enforced in the absence of specified Measures or Levels of Non-
Compliance.\30\
---------------------------------------------------------------------------

    \30\ Id., quoting NOPR at P 105 (footnote omitted).

    40. To reiterate, while documentation set forth in the Measures and 
Levels of Non-Compliance plays an important role in assuring that a 
responsible entity is able to demonstrate to an auditor or others that 
it has complied with the substantive Requirement of a Reliability 
Standard, adequate documentation does not substitute for substantive 
compliance with the obligations and responsibilities set forth in the 
Requirement.
    41. Related, certain Requirements of the CIP Reliability Standards 
obligate a responsible entity to develop and maintain a plan, policy or 
procedure. However, such Requirements do not always explicitly require 
implementation of the plan, policy or procedure.\31\ The Commission 
interprets such provisions to include an implicit requirement to 
implement the plan, policy or procedure; and to make a responsible 
entity subject to a non-compliance action for failing to implement the 
policy. Such an interpretation is reasonable to prevent the scenario in 
which the ERO, Regional Entity or the Commission could assess a penalty 
against a responsible entity for failure to develop a plan, policy or 
procedure that satisfies the Requirements of the Reliability Standard, 
but unable to assess a penalty against a responsible entity that has 
developed an adequate plan but fails to implement it. Further, the 
Commission proposes that the ERO, in developing modifications to the 
CIP Reliability Standards, include explicitly in such Requirements that 
a responsible entity must implement a plan, policy or procedure that it 
is required to develop.
---------------------------------------------------------------------------

    \31\ See, e.g., CIP-006-1, Requirement R1 (requiring a 
responsible entity to ``create and maintain a `physical security 
plan'' '); cf. CIP-003-1, Requirement R1 (requiring a responsible 
entity to ``document and implement a cyber security policy'').
---------------------------------------------------------------------------

 4. Implementation Plan
    42. Unlike the Reliability Standards approved in Order No. 693, 
which NERC formulated based on existing voluntary standards, the CIP 
Reliability Standards are new and require applicable entities in many 
cases to develop new cyber security systems and procedures, which will 
take time to develop and implement. To address this task, NERC 
developed an implementation plan that includes a proposed four-stage 
schedule for implementing the proposed CIP Reliability Standards over a 
three-year period.\32\
---------------------------------------------------------------------------

    \32\ NERC August 28, 2006 Filing, Exhibit B ``Implementation 
Plan for Cyber Security Standards'' (Implementation Plan).
---------------------------------------------------------------------------

    43. The Implementation Plan sets out a proposed schedule for 
accomplishing the various tasks associated with compliance with the CIP 
Reliability Standards. The schedule gives a timeline by calendar 
quarters for completing various tasks and prescribes milestones for 
when a responsible entity must: (1) ``Begin work;'' (2) ``be 
substantially compliant'' with a requirement; (3) ``be compliant'' with 
a requirement; and (4) ``be auditably compliant'' with a requirement.
    44. According to the implementation plan, ``auditably compliant'' 
must be achieved in 2009 for certain Requirements by certain 
responsible entities, and in 2010 for the remainder.
CIP Assessment
    45. The CIP Assessment suggested that it may be possible to assess 
a responsible entity's level of compliance prior to the time when it 
achieves its ``auditably compliant'' status. It noted that, if a 
responsible entity is in the ``begin work'' phase, it has: (1) 
Developed and approved a plan to address the Requirements of a 
Reliability Standard; (2) identified and planned for necessary 
resources; and (3) begun implementing the Requirements. These are 
specific steps that an audit can examine. The CIP Assessment observed 
that the difference between the ``compliant'' and ``auditably 
compliant'' status for many of the Requirements is the accumulation of 
12 months of compliance records. It sought comment on whether it would 
be beneficial to audit a responsible entity at the ``begin work'' and 
``compliant'' stages, even though the responsible entity may not have 
the full 12 month accumulation of compliance records.
Comments
    46. A number of commenters agree that some type of assessment, 
although not necessarily in the form of an audit, is both possible and 
potentially beneficial prior to the time an entity achieves ``auditably 
compliant'' status.\33\ NERC agrees that there is a benefit to ensuring 
that responsible entities are moving timely toward ``auditably 
compliant'' status. While NERC believes that audits at an interim stage 
are not possible, it states that it plans to monitor progress through 
self-certification without assessing penalties. Other commenters oppose 
interim audits, stating that they could interfere with implementation 
plans and lead to penalties for non-compliance.\34\
---------------------------------------------------------------------------

    \33\ E.g., Santa Clara, SPP, APPA/LPPC, NERC, Allegheny, Georgia 
Operators, ISO RTO Council, MidAmerican, SoCal Edison, and NRECA.
    \34\ E.g., ATC, EEI, National Grid, Tampa Electric, and 
FirstEnergy.

---------------------------------------------------------------------------

[[Page 43976]]

Commission Proposal
    47. The Commission proposes to approve NERC's Implementation Plan, 
including the proposed timelines for achieving compliance. NERC 
indicates that the proposed timelines were developed with input from 
all sectors of the electric industry. Further, while some responsible 
entities have already installed the necessary equipment and software to 
address cyber security, the Commission recognizes that many responsible 
entities must purchase and install new equipment and software to 
achieve compliance. Based on these considerations, the Commission 
believes that the timetable proposed by NERC sets reasonable deadlines 
for industry compliance.
    48. However, the Commission is concerned whether the industry will 
be fully prepared for compliance upon reaching the implementation 
deadline and will take reasonable action to protect the Bulk-Power 
System during this interim period. The Commission believes that NERC's 
plans to require self-certification during the interim period are 
helpful. NERC, however, does not indicate the interval for self-
certification. We believe that an annual certification would not allow 
adequate monitoring of progress and propose to direct that the ERO 
develop a self-certification process with more frequent certifications, 
either tied to target dates in the schedule or perhaps quarterly or 
semi-annual certifications. While we agree with NERC that an entity 
should not be subject to a monetary penalty if it is unable to certify 
that it is on schedule, such an entity should explain to the ERO the 
reason it is unable to self-certify. The ERO and the Regional Entities 
should then work with such an entity either informally or, if 
appropriate, by requiring a remedial plan to assist such an entity in 
achieving full compliance in a timely manner. Further, the ERO and the 
Regional Entities should provide informational guidance, upon request, 
to assist a responsible entity in assessing its progress in reaching 
``auditably compliant'' status.
    49. To further address our concerns about the period prior to when 
responsible entities achieve full compliance with the CIP Reliability 
Standards, the Commission also proposes to direct the ERO to add a 
cyber security assessment to NERC's existing readiness reviews. In this 
readiness assessment process, the ERO should assist in the 
identification of best practices and deficiencies of the reviewed 
entities, both to help them prepare for implementation of the CIP 
Reliability Standards and to assess the status of their compliance 
efforts. The readiness reviews will also help the Commission to 
evaluate the potential effectiveness of the cyber security Reliability 
Standards before they are implemented by disclosing the progress made 
by reviewed entities in their CIP Reliability Standards implementation 
efforts.
5. Issues Presented by Terminology
a. Business Judgment
NERC Proposal
    50. Each of the proposed CIP Reliability Standards incorporates the 
concept of ``reasonable business judgment'' as a guide for determining 
what constitutes appropriate compliance with those Reliability 
Standards. The Purpose statement of Reliability Standard CIP-002-1 
provides that:

    These standards recognize the differing roles of each entity in 
the operation of the Bulk Electric System, the criticality and 
vulnerability of the assets needed to manage Bulk Electric System 
reliability, and the risks to which they are exposed. Responsible 
entities should interpret and apply Standards CIP-002 through CIP-
009 using reasonable business judgment.

    Each of the subsequent CIP Reliability Standards includes a 
statement that ``Responsible Entities should interpret and apply the 
Reliability Standard using reasonable business judgment.''
    51. NERC's Glossary of Terms Used in Reliability Standards (NERC 
glossary) does not define the term ``reasonable business judgment,'' 
and the CIP Reliability Standards do not otherwise suggest how the term 
is to be interpreted. NERC's Frequently Asked Questions (FAQ) document 
that accompanies the CIP Reliability Standards provides the only 
available guidance on the issue.\35\ It states that the phrase is meant 
``to reflect--and to inform--any regulatory body or ultimate judicial 
arbiter of disputes regarding interpretation of these Standards--that 
responsible entities have a significant degree of flexibility in 
implementing these Standards.'' The FAQ document notes that there is a 
long history of judicial interpretation of the business judgment rule 
and suggests that this history is relevant to the use of this rule in 
the context of the CIP Reliability Standards. The document goes on to 
say:
---------------------------------------------------------------------------

    \35\ NERC included the FAQ document in its August 28, 2006 
filing. The FAQ document is also available at ftp://www.nerc.com/
pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_
06Mar06.pdf.

    Courts generally hold that the phrase indicates reviewing 
tribunals should not substitute their own judgment for that of the 
entity under review other than in extreme circumstances. A common 
formulation indicates the business judgment of an entity--even if 
incorrect in hindsight--should not be overturned as long as it was 
made (1) in good faith (not an abuse or indiscretion), (2) without 
improper favor or bias, (3) using reasonably complete (if imperfect) 
information as available at the time of the decision, (4) based on a 
rational belief that the decision is in the entity's business 
interest. This principle, however, does not protect an entity from 
---------------------------------------------------------------------------
simply failing to make a decision.

CIP Assessment
    52. The CIP Assessment acknowledged the importance of flexibility 
and discretion in implementing cyber security strategies. However, it 
expressed skepticism about the appropriateness of the business judgment 
rule in this context, given the unusually broad discretion it permits. 
The CIP Assessment thus expressed concern that such an approach to 
flexibility and discretion would unduly compromise the effectiveness of 
the CIP Reliability Standards and the ability to enforce compliance 
with them.
    53. The CIP Assessment sought comment on: (1) Specific examples of 
the differing roles of entities in relationship to their potential 
impact on cyber security risks to Bulk-Power System reliability; (2) 
alternatives to reliance on the reasonable business judgment rule that 
would allow for recognition of differing roles of entities, 
vulnerability of assets, and exposure to risk but also permit effective 
enforcement of the CIP Reliability Standards; and (3) the ramifications 
of removing the ``reasonable business judgment'' language from the 
proposed CIP Reliability Standards while an alternative approach is 
developed using the ERO's Reliability Standards development process.
Comments
    54. A number of commenters stress the importance of flexibility and 
discretion in implementing the CIP Reliability Standards, but agree 
that it would not be reasonable to give the term ``business judgment'' 
the meaning it has in the context of corporate fiduciary 
responsibility.\36\ Other commenters state that the use of reasonable 
business judgment was not meant to allow entities to evade application 
of the CIP Reliability Standards, but they acknowledge that legal 
precedent

[[Page 43977]]

suggests that inclusion of the term could increase the potential for 
disputes.\37\ These commenters support the use of alternative terms to 
acknowledge the need for flexibility and discretion, such as 
``reasonableness,'' ``good utility practice,'' or ``good engineering 
practices.''
---------------------------------------------------------------------------

    \36\ E.g., California PUC, APPA/LPPC, EPSA, and Progress Energy.
    \37\ E.g., Duke, Progress Energy, Xcel, and National Grid.
---------------------------------------------------------------------------

    55. Other commenters argue that the ``reasonable business 
judgment'' language is essential to provide balance in the 
implementation of the CIP Reliability Standards and should not be 
removed. Some indicate that use of the term was intended to allow 
consideration of cost or business implications of an action.\38\ For 
instance, NERC states that, if business considerations are left out of 
account, the CIP Reliability Standards would describe an impossibly 
high level of technical content, and the cost of implementing such a 
solution would approach an infinite amount of time, money, and 
resources. Commenters also state that use of reasonable business 
judgment allows every entity the flexibility to make the best choice 
for its unique situation.\39\ Finally, some commenters believe that the 
term reasonable business judgment will ensure that the CIP Reliability 
Standards are enforceable by permitting development of a record of 
industry practices over time that provides a body of reasonable, 
industry cyber security practices.\40\
---------------------------------------------------------------------------

    \38\ E.g., NERC, Southern, and PG&E.
    \39\ E.g., NERC, NU, PJM, Santa Clara, and Cleveland Public 
Power.
    \40\ E.g., IRC and Tampa Electric.
---------------------------------------------------------------------------

    56. Some commenters argue that use of the term ``reasonable 
business judgment'' was not intended to trigger the exculpatory 
``business judgment rule'' as used in connection with the actions of 
corporate directors.\41\ They contend the term was intended as a 
``reasonableness'' standard that was meant to add a defined and 
objective measure for assessing an entity's actions in implementing the 
CIP Reliability Standards based on the entity's particular system and 
assets. EEI argues that while the NERC FAQ accurately describes 
traditional use of the reasonable business judgment rule in the context 
of corporate law, it does not articulate how this language is being 
used in the context of cyber security standards. EEI also states that 
it is unlikely that the FAQ document would control interpretation of 
the CIP Reliability Standards.
---------------------------------------------------------------------------

    \41\ E.g., Arizona Public Service, EEI, Progress Energy, SoCal, 
TEC, Duke, ReliabilityFirst and National Grid.
---------------------------------------------------------------------------

    57. Finally, some commenters acknowledge that the traditional 
corporate business judgment rule does grant officers and directors 
broad discretion, but also contains elements that temper this 
discretion.\42\ To receive the benefit of the rule, a business decision 
must be made on an informed basis, in good faith and in honest belief 
that the action taken was in the best interests of the company. In 
addition, the person making the decision must act with the care that an 
ordinarily prudent person would reasonably be expected to exercise in a 
like position with similar circumstances. The commenters argue that 
these requirements permit the term reasonable business judgment to be 
adapted to the cyber security context.
---------------------------------------------------------------------------

    \42\ E.g., EEI and Progress Energy.
---------------------------------------------------------------------------

Commission Proposal
    58. For the reasons discussed below, the Commission proposes to 
direct the ERO to modify the CIP Reliability Standards to remove 
references to the ``reasonable business judgment'' language before 
compliance audits start in 2009.
    59. The Commission agrees with commenters that flexibility and 
discretion are essential in implementing the CIP Reliability Standards 
and that implementing those Reliability Standards must be done on the 
basis of the specific facts and circumstances applicable in the 
individual case at hand. Cyber security problems do not lend themselves 
to one-size-fits-all solutions. In addition, the Commission 
acknowledges that cost can be a valid consideration in implementing the 
CIP Reliability Standards. However, the Commission believes that the 
traditional concept of reasonable business judgment is ill suited to 
the task of implementing an appropriate program of cyber security 
pursuant to FPA section 215. The concept of reasonable business 
judgment addresses the issue of whether a decision-making process 
conforms to certain standards. It was developed specifically to address 
the issue of how courts should approach business decisions made by a 
company's officers or directors, and the answer it provides is based on 
certain assumptions about how our economic system operates and who is 
most likely to have the knowledge and expertise needed to make 
appropriate business decisions. However, the concept of reasonable 
business judgment takes on a very different meaning when removed from 
its original context and applied to a different factual situation where 
very different assumptions apply. As explained below, when transferred 
to the realm of cyber security or Bulk-Power System reliability 
generally, recourse to reasonable business judgment is inconsistent 
with the purpose of FPA section 215.
    60. Cyber standards are essential to protecting the Bulk-Power 
System against attacks by terrorists and others seeking to damage the 
grid. Because of the interconnected nature of the grid, an attack on 
one system can affect the entire grid. It is therefore unreasonable to 
allow each user, owner or operator to determine compliance with the CIP 
Reliability Standards based on its own ``business interests.'' Business 
convenience cannot excuse compliance with mandatory Reliability 
Standards.
    61. While some commenters argue that references to reasonable 
business judgment in the CIP Reliability Standards were not intended to 
trigger the traditional corporate business judgment rule, the FAQ 
document can be read to suggest the contrary. In fact, the FAQ document 
states explicitly that ``reasonable business judgment'' means what the 
courts have said it means in the corporate context. It states that the 
phrase has an almost 200 year history in the common law nations and 
notes that ``[c]ourts generally hold that the phrase indicates 
reviewing tribunals should not substitute their own judgment for that 
of the entity under review other than in extreme circumstances.'' The 
FAQ document then goes on to list the elements of reasonable business 
judgment as the courts generally define it. The FAQ document nowhere 
states or suggests that the meaning and significance of reasonable 
business judgment is subject to some modification or qualification in 
the context of implementing and complying with the CIP Reliability 
Standards.
    62. Moreover, as the FAQ document makes clear, compliance turns on 
whether a decision was ``based on a rational belief that the decision 
is in the entity's business interest.'' That test is fundamentally 
incompatible with Congress' decision to adopt a regime of mandatory 
Reliability Standards. As we stated above, the vulnerability of one 
entity can pose risks to the entire grid. We therefore cannot allow 
each user, owner or operator to determine compliance based on its own 
parochial business interests. The purpose of section 215 is to protect 
the national interest in grid reliability.
    63. The business judgment rule was adopted in a context that is 
simply not appropriate for mandatory Reliability Standards. The 
business judgment rule recognizes that officers and directors

[[Page 43978]]

must have wide latitude if a company is to be managed properly and 
efficiently and that it is not in the interest of shareholders to 
create incentives for officers and directors to be overly cautious.\43\ 
Courts have noted that shareholders voluntarily undertake the risk of 
bad business judgments and investors who are adverse to such risk have 
alternative investment opportunities available to them.\44\ In the 
context of section 215, however, these principles do not apply. The 
issue under section 215 is not whether the management of a business is 
acting in the interest of its own shareholders, but rather whether an 
entity is taking appropriate action to avert risks that could threaten 
the entire grid.
---------------------------------------------------------------------------

    \43\ Cramer v. General Telephone and Electronics Corp., 582 F.2d 
259 (3d Cir. 1978); Joy v. North, 692 F.2d 880 (2d Cir. 1982).
    \44\ Joy v. North, 692 F.2d 880 (2d Cir. 1982).
---------------------------------------------------------------------------

    64. It is also notable that the business judgment rule is invoked, 
in the corporate governance context, only in extreme