Mandatory Reliability Standards for Critical Infrastructure Protection, 12544-12551 [E9-6503]

Federal Register / Vol. 74, No. 56 / Wednesday, March 25, 2009 / Rules and Regulations

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM06–22–000; Order No. 706–B]

Mandatory Reliability Standards for Critical Infrastructure Protection

Issued March 19, 2009.

AGENCY: Federal Energy Regulatory Commission.

ACTION: Order on Clarification.

SUMMARY: The Commission clarifies that the facilities within a nuclear generation plant in the United States that are not regulated by the U.S. Nuclear Regulatory Commission are subject to compliance with the eight mandatory “CIP” Reliability Standards approved in Commission Order No. 706.

DATES: Effective Date: This rule will become effective March 25, 2009.

FOR FURTHER INFORMATION CONTACT:
Jonathan First (Legal Information), Office of General Counsel, 888 First Street, NE., Washington, DC 20426, (202) 502–8529.
Regis Binder (Technical Information), Office of Electric Reliability, 888 First Street, NE., Washington, DC 20426, (301) 665–1601.

SUPPLEMENTARY INFORMATION:

Before Commissioners: Jon Wellinghoff, Acting Chairman; Suedeen G. Kelly, Marc Spitzer, and Philip D. Moeller.

1. In this order, the Commission clarifies the scope of the Critical Infrastructure Protection (CIP) Reliability Standards approved in Order No. 706 1 to assure that no “gap” occurs in the applicability of these Standards.2 In particular, each of the CIP Reliability Standards provides that facilities regulated by the U.S. Nuclear Regulatory Commission (NRC) are exempt from the Standard. It has come to the attention of the Commission that NRC regulations do not extend to all equipment within a nuclear power plant. Thus, to assure that there is no “gap” in the regulatory process, the Commission clarifies that the “balance of plant” equipment within a nuclear power plant in the United States that is not regulated by the NRC is subject to compliance with the CIP Reliability Standards approved in Order No. 706.

1 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh’g, Order No. 706–A, 123 FERC ¶ 61,174 (2008).
2 CIP Reliability Standards CIP–002–1 through CIP–009–1 (CIP Reliability Standards) were approved by Order No. 706. Reliability Standard CIP–001–1, which pertains to sabotage reporting, was not a subject of Order No. 706 and does not include the exemption statement that is the subject of this order.

I. Background

2. The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), developed the CIP Reliability Standards that require certain users, owners and operators of the Bulk-Power System, including generator owners and operators, to comply with specific requirements to safeguard critical cyber assets. In January 2008, pursuant to section 215 of the Federal Power Act (FPA),3 the Commission approved the CIP Reliability Standards. In addition, pursuant to section 215(d)(5) of the FPA,4 the Commission directed the ERO to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

3 16 U.S.C. 824o (2006).
4 16 U.S.C. 824o(d)(5)(2006).

3. Each CIP Reliability Standard includes an exemption for facilities regulated by the NRC. For example, Reliability Standard CIP–002–1 provides:

The following are exempt from Standard CIP–002: Facilities regulated by the U.S. Nuclear Regulatory Commission * * *.5

4. In an April 8, 2008 public joint meeting of the Commission and the NRC, staff of both Commissions discussed cyber security at nuclear power plants. While indicating that the NRC has proposed regulations to address cyber security at nuclear power plants, NRC staff raised a concern regarding a potential gap in regulatory coverage.6 In particular, NRC staff indicated that the NRC’s proposed regulations on cyber security would not apply to all systems within a nuclear power plant. NRC staff explained:

The NRC’s cyber requirements are not going to extend to power continuity systems. They do not extend directly to what is not directly associated with reactor safety security or emergency response.
* * * As a result, and when you look at the CIP standards that were issued, there is a discrete statement in each of the seven or eight standards where it specifically exempts facilities regulated by the United States Nuclear Regulatory Commission from compliance with those CIP Standards. So there is an issue there in the sense that our regulations for cyber security go up to a certain point, and end.7

5 Reliability Standard CIP–002–1, section 4.2 (Applicability).
6 In December 2008, the NRC approved a final rule that included cyber security-related regulations applicable to nuclear power plant licensees. The regulations, referred to herein as the “NRC cyber security regulations,” have not been published in the Federal Register at this time and are not currently in effect. They will be codified at 10 CFR 73.54. See Final Rulemaking—Power Reactor Security Requirements, SECY–08–0099 (Jul. 9, 2008); Press Release: NRC Approves Final Rule Expanding Security Requirements for Nuclear Power Plants, (Dec. 17, 2008), available at https://www.nrc.gov/reading-rm/doc-collections/news/2008/08-227.html.
7 April 8, 2008, Joint Meeting of the Nuclear Regulatory Commission and Federal Energy Regulatory Commission, Tr. at 77–78.

5. On September 18, 2008, the Commission issued an Order on Proposed Clarification,8 explaining its concern that a gap may exist in the regulatory process due to the provision in each of the CIP Reliability Standards exempting “facilities regulated by the U.S. Nuclear Regulatory Commission.” On the understanding that some facilities within a nuclear power plant would not be subject to compliance with cyber security regulations developed by the NRC, the Commission proposed to clarify that the facilities within a nuclear power plant in the United States that are not regulated by the NRC are subject to compliance with the CIP Reliability Standards approved in Order No. 706. The Commission explained its proposal and sought comment on not only the Proposed Clarification, but also two additional questions: (1) Whether a clear delineation exists between those facilities in a nuclear power plant which relate to safety and security, and the non-safety related “balance of plant,” and if a clear delineation does not exist, whether there is a need for owners and/or operators of nuclear power plants to identify the specific facilities that pertain to reactor safety, security or emergency response and are subject to NRC jurisdiction, and the balance of plant that is subject to the eight CIP Reliability Standards; and (2) if nuclear power plants were to be required to implement the CIP Reliability Standards, whether Table 3 of the implementation plan approved in Order No. 706 should control the implementation schedule.9

8 Mandatory Reliability Standards for Critical Infrastructure Protection, Order on Proposed Clarification, 124 FERC ¶ 61,247 (2008) (Proposed Clarification).

6. The Proposed Clarification was published in the Federal Register, 73 FR 55,459 (Sept. 25, 2008). In response, comments were filed by 23 interested persons, 17 of which own and/or operate nuclear power plants. A list of the commenters appears in the Appendix to this Order. These comments have assisted the Commission and are addressed in the discussion, below.

II. Discussion

7. For the reasons discussed below, the Commission finds that the CIP Reliability Standards are applicable to all equipment within a nuclear power plant located in the United States that will not be subject to NRC’s cyber security regulations. The thrust of many comments is that the NRC regulates the entire nuclear power plant including power continuity systems and, therefore, the Commission’s Proposed Clarification is unnecessary.
The Commission is not persuaded by these arguments, which either reference back to voluntary industry standards developed by the nuclear industry, or mischaracterize the nature and extent of NRC’s regulations with regard to the entire nuclear power plant. Indeed, NRC Staff comments reiterate that many portions of a nuclear power plant are not regulated by NRC.

9 Proposed Clarification, 124 FERC ¶ 61,247 at P 9.

8. Nuclear power plants can have a significant effect on the reliability of the Bulk-Power System. Prior to the enactment of section 215 of the FPA, the electric industry had voluntary cyber security provisions and a system of self-certifications. However, Congress imposed a framework for mandatory and enforceable Reliability Standards, explicitly including cyber security, applicable to all users, owners and operators of the Bulk-Power System. That framework charges the Commission with the oversight of the development and enforcement of the Reliability Standards.

9. In previous orders, the Commission has emphasized that the application of the Reliability Standards must remain uniform and consistent.10 This is necessary both to protect the reliability of the Bulk-Power System and to ensure equity in the application of Reliability Standards. The Commission has found that “section 215 seeks to prevent an instability, an uncontrolled separation or a cascading failure, whether resulting from either a sudden disturbance, including a cybersecurity incident, or an unanticipated failure of the system elements.” 11 Therefore, compliance monitoring must occur on an ongoing and proactive basis. Due to the preventive aspect of section 215 and the requirements of the Reliability Standards, compliance monitoring and enforcement of the Reliability Standards are not triggered only by a past event or a cyber security incident.
The ERO and Regional Entities have several proactive monitoring processes, including, but not limited to, spot checks and audits, to verify that users, owners and operators are in compliance with the Reliability Standards and to maintain the reliable operation of the Bulk-Power System. This order balances the concerns expressed by commenters with the Commission’s responsibility for consistency, as well as rigor and uniformity in the compliance monitoring and enforcement of the Reliability Standards.

10 See Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), FERC Stats. & Regs., Regulations Preambles 2006–2007 ¶ 31,204, at P 41 and P 290 (2006), order on reh’g, Order No. 672–A, FERC Stats. & Regs., Regulations Preambles 2006–2007 ¶ 31,212 (2006); Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16416 (Apr. 4, 2007), FERC Stats. & Regs. ¶ 31,242 at P 298 (2007).
11 Order No. 693, FERC Stats. & Regs. ¶ 31,242 at P 24, order on reh’g, Order No. 693–A, 120 FERC ¶ 61,053 (2007); see also 16 U.S.C. 824o(a)(4) (2006) (defining Reliable Operation).

10. In response to comments, we have refined certain aspects of the Proposed Clarification. However, we continue to believe that a gap in the application of appropriate cyber security standards would exist absent our clarification in this Order.

A. Meaning of the Term “Facility”

11. Before addressing our determination on the Proposed Clarification, we discuss a terminology issue raised by NRC Staff, NEI and other commenters. As mentioned above, the CIP Reliability Standards exempt “facilities regulated by the U.S.
Nuclear Regulatory Commission.” The Proposed Clarification indicated that a nuclear power plant consists of multiple “facilities” within its boundaries, some but not all of which are regulated by the NRC. For example, we stated that “NRC’s regulation of a nuclear power plant is limited to the facilities that are associated with reactor safety or emergency response.” 12

12 Proposed Clarification, 124 FERC ¶ 61,247 at P 6.

Comments

12. Commenters state that the term “facility,” as used in the nuclear industry, refers to the entire nuclear power plant. For example, NRC Staff comments that the term “facility” is defined by the Atomic Energy Act of 1954 as a “production or utilization facility,” and the term is commonly synonymous with the entire nuclear power plant, “that comprises the entire set of buildings, cooling towers, assets, switchyards, systems, and equipment within the owner-controlled area * * *.” 13 The NRC Staff asserts that the use of the term “facilities” in the Proposed Clarification might effectively exempt all portions of nuclear power plants from the CIP Reliability Standards and thus not close the regulatory gap that the Commission intended to address. Rather, the NRC Staff explains that, when referring to discrete elements within a nuclear power plant, the NRC generally uses the term, “structures, systems and components.”

13 NRC Staff Comments at 1.

13. NEI, supported by a number of commenters, similarly states that the Commission used the term “facilities” in a manner that is not consistent with the use of the term in the nuclear industry. NEI states that the nuclear industry typically uses the term “facility” to mean the entire nuclear power plant, and that the equivalent in nuclear parlance of “facilities,” as used by the Commission, are the “structures, systems, components and networks (“SSC”) which provide the various functions for plant operation and shut down.” 14

14 NEI Comments at 2.
Commission Determination

14. It appears that the use of the term “facility” in the Proposed Clarification differs from the common use of that term in the nuclear regulatory environment. For purposes of this order, we use the term “nuclear power plant” to describe the entire nuclear generating plant, including the entire set of buildings, cooling towers, assets, switchyards, systems, and equipment within the owner-controlled area. This term is consistent with NRC Staff’s explanation.

15. NRC Staff states that it generally uses the term “structures, systems and components” to refer to discrete elements of the nuclear power plant regulated by the NRC, and suggests that the Commission uses “facilities” in an analogous way. We will use the term “structures, systems and components” to reference any element of equipment, systems or networks of equipment, or portions within a nuclear power plant within an entity’s ownership or control. NRC Staff follows its description of what structures comprise a nuclear power plant with the note, “many of which are not directly regulated by the NRC.” For purposes of this order, we will use the term “balance of plant” to reference those portions of the nuclear power plant to which NRC Staff refers, as that term is defined by the NRC’s regulations.15

B. Regulatory Gap—Need for the Clarification

16. In the Proposed Clarification, the Commission explained that:

The plain meaning of the exemption language in the eight CIP Reliability Standards at issue is that only those facilities within a nuclear generation plant that are regulated by the NRC are exempt from those Standards.
The exemption language in the eight CIP Reliability Standards neither states, nor implies, that all facilities within a nuclear generation plant are exempt from the Standards, regardless of whether they are subject to NRC regulation. However, the Commission believes there is a need to assure that there is no potential gap in the regulation of critical cyber assets at nuclear generation plants.16

15 The NRC’s regulations define the Balance of Plant as: “the remaining systems, components, and structures that comprise a complete nuclear power plant and are not included in the nuclear steam supply system.” The Nuclear Steam Supply System is defined as consisting of “the reactor core, reactor coolant system, and related auxiliary systems including the emergency core cooling system; decay heat removal system; and chemical volume and control system.” 10 CFR 170.3 (2008).
16 Proposed Clarification, 124 FERC ¶ 61,247 at P 7 (emphasis in original). As discussed above, the term facilities as used in the Proposed Clarification was intended to apply to structures, systems and components within a nuclear power plant.

The Commission, thus, proposed to clarify that Reliability Standards CIP–002–1 through CIP–009–1 apply to the facilities, i.e., structures, systems and components, within a nuclear power plant that are not regulated by the NRC.

Comments

17. NRC Staff and NERC agree with the Commission that clarification of the CIP Reliability Standards is needed. NEI and other stakeholders in the nuclear industry oppose the clarification, arguing that it is unnecessary because no regulatory gap exists since the NRC’s jurisdiction can reach all equipment at nuclear power plants that might need cyber security protection.

18. NRC Staff comments that much of the equipment within the owner-controlled area of the nuclear power plant is not directly regulated by the NRC. Thus, NRC Staff supports the Commission’s proposal and suggests certain refinements to the proposal to provide additional clarity to distinguish “the scope of plant functions that are subject to NRC requirements from those functions that are subject to applicable FERC-regulated grid reliability requirements.” 17

19. NERC states that it agrees with the Commission’s understanding of the delineation between those “facilities” within a nuclear power plant whose functions are necessary and sufficient for reactor safety, security or emergency response versus the portion of the rest of the plant whose functions are necessary for Bulk-Power System reliability. NERC agrees with the Commission that there is a need for more clarity with regard to the applicability of CIP Reliability Standards to nuclear power plants, and recommends an expedited modification to the Standards.

20. NEI, and other commenters,18 many of which support NEI’s comments, assert that the Commission’s Proposed Clarification is unnecessary, as there is no regulatory gap in the oversight of critical cyber assets at nuclear power plants. According to NEI and others, the NRC regulates the entire nuclear power plant, including cyber security for balance of plant systems that may be critical to Bulk-Power System reliability. Commenters identify three sources of NRC’s authority: the nuclear industry’s comprehensive security program developed by NEI (NEI 04–04), NRC’s “Maintenance Rule,” and NRC’s recently-promulgated cyber security rules. In addition, NEI and others contend that application of CIP Reliability Standards to nuclear power plants would result in dual regulation of equipment, which would be complicated and inefficient.

Nuclear Industry Cyber Security Guideline, NEI 04–04

21.
NEI and other commenters 19 argue that the application of CIP Reliability Standards is not warranted because the nuclear industry has made a binding commitment to implement a comprehensive cyber security program developed by NEI and endorsed by NRC.20 NEI explains that, pursuant to this program, existing digital assets at nuclear power plants are analyzed for cyber vulnerabilities and necessary mitigation plans are established and implemented. According to NEI, all nuclear power plants implemented NEI 04–04 on or before May 1, 2008.

17 NRC Comments at 1.
18 E.g., AEP, Ameren, Arizona Public Service, Dominion, Duke, Entergy, Exelon, FirstEnergy, Luminant, PG&E, PPL Companies, PSEG, and Wolf Creek.
19 E.g., AEP, Arizona Public Service, Duke, Exelon, Luminant, PG&E, PSEG, Southern and Wolf Creek.
20 NEI Comments at 5–8, citing to NEI 04–04 Revision 1, “Power Security Program for Nuclear Reactors” (April 2006) (NEI 04–04).

22. NEI explains that, in February 2002, the NRC issued Order EA–02–026, “Interim Safeguards and Security Compensation Measures for Nuclear Power Plants,” 21 which included required actions to address cyber security concerns. According to NEI, as a “supplement” to implementation of this NRC order, the nuclear industry committed to implement NEI 04–04, which was designed to protect plant systems, including all those pertinent to balance of plant. NEI states that implementation of the NEI 04–04 cyber security program extends to plant generation equipment up to and including the first breaker out from the main transformer to the switchyard breaker. According to NEI, in response to a system vulnerability identified in 2007, both industry and NRC relied on NEI 04–04 in determining that the first breaker out from the transformer to the switchyard is within the boundary of the nuclear power plant.22

21 All Operating Power Licensees; Order Modifying Licenses, 67 FR 9792 (Mar. 4, 2002).
22 NEI Comments at 6.

23. NEI states that, in 2005, NRC staff endorsed NEI 04–04 as an acceptable method for establishing and maintaining a cyber security program at nuclear power plants. It cites to the NRC Inspection Manual, which states that a performance deficiency can exist if a licensee fails to meet a self-imposed standard. Thus, NEI contends that, because licensees have self-imposed NEI 04–04 through a binding initiative, NRC has the regulatory authority to inspect and enforce the program’s requirements.23

24. NEI and other commenters, including Duke, Entergy and Exelon, contend that NRC’s current oversight is adequate and the existing cyber security program is “functionally equivalent” to the CIP Reliability Standards.

NRC’s Maintenance Rule

25. NEI, Exelon and Southern argue that NRC regulates the “balance of plant,” and focus on NRC’s “Maintenance Rule” in particular to support their argument.24 The Maintenance Rule requires a licensee to implement a monitoring program that includes both safety related and non-safety related structures, systems and components.25 The Maintenance Rule identifies as within the scope of the monitoring program, structures, systems and components:

(b)(2)(i) That are relied upon to mitigate accidents or transients or are used in plant emergency operating procedures; or
(b)(2)(ii) Whose failure could prevent safety-related structures, systems, and components from fulfilling their safety-related function; or
(b)(2)(iii) Whose failure could cause a reactor scram or actuation of a safety-related system.26

NEI states that NRC may take enforcement action for violations of the Maintenance Rule, and includes examples of citations for failures of non-safety systems.
According to NEI, implementing guidance for the Maintenance Rule, developed by industry and endorsed by NRC, provides further evidence that structures, systems and components pertaining to the balance of plant must be monitored.27

23 Exelon, Luminant and Progress Energy also claim that NEI 04–04 is mandatory and enforceable by NRC. Likewise, APS contends that compliance with NEI 04–04 is not voluntary because, through NEI membership, all nuclear power plants are contractually bound to follow the program.
24 In addition, numerous commenters state that they support NEI’s comments. E.g., EEI, AEP, Arizona Public Service, Dominion, Kansas City and PG&E.
25 Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, 56 FR 31306 (Jul. 10, 1991) (Maintenance Rule). See also 10 CFR 50.65.
26 10 CFR 50.65(b)(2)(i)–(iii). NRC’s Glossary defines a “scram” as “[t]he sudden shutting down of a nuclear reactor, usually by rapid insertion of control rods, either automatically or manually by the reactor operator. May also be called a reactor trip.” NERC Glossary, available at https://www.nrc.gov/reading-rm/basic-ref/glossary.
27 NEI Comments at 4, citing NUMARC 93–01, “Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,” and NRC Regulatory Guide 1.160.

26. NEI thus argues that:

The NRC regulates any [structure, system or component] in a nuclear power plant that has both a direct or indirect impact on safety, security, or emergency response systems. The NRC’s regulations extend to all systems that could cause a reactor scram, diminish the ability to mitigate the consequences of a reactor scram, or cause the actuation of a safety system.
These are the same systems that constitute the balance of the plant for Continuity of Operations purposes.28

According to NEI, the failure of a structure, system or component as the result of a cyber security breach affects the reliability of equipment operation and is consequently within the scope of the Maintenance Rule. Ameren, which owns and operates a nuclear power plant, comments that it is unable to identify any structures, systems or components that are not currently subject to cyber security regulation by the NRC that could impact electric reliability.

NRC Cyber Security Regulations

27. NEI explains that NRC has proposed regulations that would specifically address cyber security at nuclear power plants.29 According to NEI, Exelon, Progress Energy and Southern, NRC’s cyber security regulations would apply to both safety functions and “support systems and equipment which if compromised would adversely impact safety, security or emergency preparedness functions.” 30 Further, the NRC regulations would require licensees to identify the cyber security assets they will protect under the program, and the list of identified assets becomes the basis for inspection by NRC Staff. NEI states that most balance of plant systems support both nuclear safety and continuity of operations.

28. NEI contends that there are “few, if any,” systems within the boundary of a typical nuclear power plant that support only continuity of operations. Thus, according to NEI, since the failure of such systems could cause a reactor scram or actuation of a safety system, the proposed NRC regulation would apply and there would be no regulatory gap. NEI also claims that, as with all NRC regulation, the requirements of 10 CFR 73.54 would be assessed, inspected and enforced.

Dual Regulation

29.
NEI, EEI and other commenters 31 express concern that if the Commission issues its Proposed Clarification, dual regulation will result and cause overlapping requirements, contradictory requirements, duplicate inspections and recordkeeping, and duplicate worker training and qualifications. They assert that confusion and conflicts will result with respect to applicability of regulations if the Commission’s clarification separates digital assets within a nuclear power plant into some that are subject to NRC regulations and others that are subject to CIP Reliability Standards. AEP states that the proposed application of the CIP Reliability Standards could result in increased costs and complexity without a commensurate increase in reliability or protection.

28 NEI Comments at 5.
29 See supra n. 6.
30 To be codified at 10 CFR 73.54(a)(1)(iv).
31 E.g., Ameren, Exelon, Progress Energy, PPL and PSEG.

30. NEI, EEI and other commenters 32 argue the most effective way to eliminate any potential gap in regulatory oversight is to maintain a single set of regulations for the entire nuclear power plant under the jurisdiction of the NRC. IESO/Hydro One assert that nuclear power plants should only be regulated by one entity, and cyber security at nuclear power plants must be under the jurisdiction of the NRC or the Canadian nuclear authority.

32 E.g., Arizona Public Service, Entergy, PSEG, Dominion, Exelon, Luminant, Ontario Power, Southern, Wolf Creek, and PG&E.

Commission Determination

31. As discussed below, the Commission is not persuaded by the nuclear industry commenters’ arguments that the NRC regulates all balance of plant equipment within a nuclear power plant.

Voluntary Industry Standard NEI 04–04

32. The nuclear industry’s development of a cyber security program under NEI 04–04 is commendable. However, compliance with NEI 04–04 is voluntary. As mandated by the Energy Policy Act of 2005, the Commission must ensure that the Commission-certified ERO develops Reliability Standards and provides for consistent monitoring and enforcement of such standards. The nuclear industry’s voluntary commitment to NEI 04–04 does not satisfy the Energy Policy Act’s mandate and is not adequate assurance that the reliability of the Bulk-Power System is protected. Therefore, the Commission cannot rely upon NEI 04–04 to meet its obligations under the Energy Policy Act of 2005.

33. While NEI maintains that NEI 04–04 is subject to NRC regulatory and enforcement authority, NRC Staff has disavowed this position with regard to non-safety security and emergency preparedness related cyber security assets within a nuclear power plant.33 While NEI characterizes NEI 04–04 as a “supplement” to NRC Order EA–02–026, the NRC order did not mandate the development and implementation of the industry-developed program. We understand that, on occasion, NRC Staff will endorse an industry-developed program or guidance document as one acceptable manner to comply with NRC regulations. The industry-developed cyber security program, however, was not developed as a means to comply with an NRC regulation. Thus, while the NRC Staff simply endorsed NEI 04–04 as “an acceptable method for establishing and maintaining a cyber security program at nuclear power plants,” 34 the scope of this endorsement falls short of documenting that NEI 04–04 is mandatory and enforceable by the NRC.

34. Further, we do not agree with commenters’ claims that NEI 04–04 is mandatory because entities have made a contractually binding commitment to NEI to implement the program. Again, while such proactive commitments by industry are laudable, they do not and cannot substitute for a government regulation subject to compliance and enforcement, including civil penalties for non-compliance.
---------------------------------------------------------------------------

    \33\ NRC Staff Comments at 1.
    \34\ NEI Comments, Appendix E (December 23, 2005 letter from NRC, Director, Office of Nuclear Security and Incident Response to NEI, Vice President, Nuclear Operations).
---------------------------------------------------------------------------

NRC Regulations

    35. The Commission also rejects the claim of NEI and other commenters that there is no regulatory gap and the Commission’s clarification is unnecessary because relevant NRC regulations apply to all structures, systems and components within a nuclear power plant, both safety and non-safety related, including the equipment in the balance of plant.
    36. Commenters point to NRC’s Maintenance Rule, which requires nuclear power plant licensees to monitor the effectiveness of maintenance activities for safety-significant plant equipment. In promulgating the Maintenance Rule, NRC explained that, while it considered having the rule apply to all structures, systems and components in a nuclear power plant, including the balance of plant, the final rule was more limited.\35\ While the Maintenance Rule expressly includes both safety related and non-safety related (i.e., balance of plant) structures, systems and components, NRC limited the scope of the rule to include only those balance of plant structures, systems and components ‘‘whose failure could most directly threaten public health and safety.’’ \36\ This limitation is set forth in subsection (b) of the Maintenance Rule, which describes the scope of the maintenance monitoring program required pursuant to subsection (a) of the rule. In sum, the Maintenance Rule contemplates that there will be balance of plant structures, systems and components that are not subject to the rule.
---------------------------------------------------------------------------

    \35\ Maintenance Rule, 56 FR 31306 at 31314–15. NRC indicated that this limitation of the scope was in part a reaction to commenter concerns that ‘‘many [structures, systems or components] in the [balance of plant] have no nexus to public health and safety * * *.’’ Id. at 31315.
    \36\ Id. at 31315. NRC explained that this scope is consistent with NRC’s authority pursuant to sections 161 and 182 of the Atomic Energy Act to protect the public health and safety related to nuclear power plant safety. Id. at 31314–15. See also Pacific Gas & Electric Corp. v. State Energy Resources & Conservation and Development Commission, 461 U.S. 190, 210 n.22 (1983) (concluding that the Atomic Energy Act did not displace other agencies’—Federal, state and local—jurisdiction over the generation, sale and transmission of electric energy, as the NRC’s jurisdiction was limited to the protection of the public’s health and safety from the particular risks posed by nuclear material); English v. General Electric Co., 496 U.S. 76, 82 (1990) (finding ‘‘NRC * * * is concerned primarily with public health and safety’’).
---------------------------------------------------------------------------

    37. NEI and other commenters also claim that the NRC’s then-proposed, and now recently approved, cyber security regulations demonstrate that there is, in fact, no regulatory gap. However, as indicated by the NRC Staff’s comments, the NRC cyber security regulations have limited application to balance of plant. The NRC cyber security regulations will apply to safety-related functions, security functions, emergency preparedness and ‘‘support systems and equipment which, if compromised, would adversely impact safety security and emergency preparedness functions.’’ \37\
---------------------------------------------------------------------------

    \37\ See supra n. 6, to be codified at 10 CFR 73.54(a)(1)(iv).
---------------------------------------------------------------------------

    38. We disagree with nuclear industry commenters that contend that this latter provision is so broad as to include the entire balance of plant. Rather, similar to the Maintenance Rule, this provision identifies a subset of non-safety structures, systems and components that are subject to the NRC cyber security regulations. The remainder of the balance of plant equipment will not be subject to the NRC cyber security regulations. NRC Staff apprised the Commission of this limitation and the potential for a regulatory gap at a public meeting of the two commissions, when stating ‘‘The NRC’s cyber requirements are not going to extend to power continuity systems. They do not extend directly to what is not directly associated with reactor safety, security or emergency response.’’ \38\

Dual Regulation

    39. Numerous nuclear industry commenters raise concerns that the Commission’s proposal would result in nuclear power plant licensees having to comply with two sets of regulations, both NRC regulations and CIP Reliability Standards. According to commenters, this would likely cause overlapping requirements, contradictory requirements, duplicate inspections and other burdens.
    40. The Commission is not persuaded by these comments. First, the Commission believes that the possible burden, confusion and inefficiency is speculative, and may well be overstated by commenters. We note that no commenter states that any of the CIP Reliability Standards conflict with the NRC’s cyber security regulations. While transition issues will invariably occur, it is possible that, for example, nuclear power plant licensees can minimize any possible burden by developing a single operating manual that integrates both NRC regulations and CIP Reliability Standards. In any case, commenters have not set forth an adequate justification for the Commission and the ERO to forego their authority so that certain critical cyber assets are not subject to any mandatory oversight. In addition, we believe that concerns over possible contradictory requirements or duplicative inspections may be addressed through further regulatory coordination, discussed below.
---------------------------------------------------------------------------

    \38\ Proposed Clarification Order, 124 FERC ¶ 61,247 at P 5, quoting April 8, 2008, Joint Meeting of the NRC and the Commission, Tr. at 77–78. Likewise, in its written comments, NRC staff explains that ‘‘[t]he NRC regards ‘facility’ as referring to the entire power generating plant, that comprises the entire set of buildings, cooling towers, assets, switchyards, systems and equipment within the owner-controlled area, many of which are not directly regulated by the NRC.’’ NRC Staff Comments at 1 (emphasis added).
---------------------------------------------------------------------------

C. Delineation of Equipment Within a Nuclear Power Plant and Modification of the Exemption Text

    41. In the Proposed Clarification, the Commission requested comments on whether there is a clear delineation between equipment within a nuclear power plant that pertains to reactor safety, security or emergency response and the non-safety portion of the balance of plant. The Commission asked whether there is a need for owners and/or operators of nuclear power plants to identify the specific facilities that pertain to reactor safety, security or emergency response and subject to NRC regulation, and the balance of plant that is subject to the CIP Reliability Standards.

Comments

    42. NEI, Exelon and others \39\ assert that there is a clear delineation between equipment within a nuclear power plant related to safety and security and equipment that constitutes balance of plant. NEI comments that under the existing nuclear cyber security programs, all digital assets have been identified and evaluated, and cyber security risk parameters have been established for assets which are nuclear-significant and those needed to maintain continuity of operation. Similarly, Exelon and Southern explain that, due to various designs of nuclear power plants, the delineation may vary from plant to plant. Therefore, each licensee identifies the structures, systems, and components that are ‘‘nuclear significant’’ and those that impact continuity of power, i.e., Bulk-Power System reliability. NEI, Exelon, Southern and other commenters maintain that this delineation is not relevant since NRC cyber security regulations apply to the balance of plant.
    43. IESO/Hydro One assert that it is not possible, from either a procedural or technical standpoint, to establish a clear demarcation between facilities that relate to reactor safety or emergency response, and those that relate to reliability of the electric grid since the nuclear plant system is an interconnected and complex model. Breaking up this model would be confusing and technically difficult, according to IESO/Hydro One. Ontario Power notes that there are no ‘‘balance of plant’’ concerns in Canada since the Canadian Nuclear Safety Commission has jurisdiction over the entire nuclear power plant.
    44. FirstEnergy asserts that, notwithstanding the ability to delineate between equipment, the Commission’s inquiry is premised on the incorrect assumption that a line can be drawn between safety-related facilities regulated by the NRC and non-safety-related facilities that are not directly regulated by the NRC. FirstEnergy comments that, in fact, much equipment within a nuclear power plant that is categorized as balance of plant may have an indirect impact on safety or emergency response. It maintains that any attempt to separate equipment into two groupings for the purpose of creating two cyber security regulatory schemes would be technically challenging, potentially unsafe, and beyond the Commission’s general expertise.
PSEG and Ameren provide similar comments, and Ameren suggests that the delineation of the specific structures, systems and components regulated by NRC and the Commission should occur on a plant-by-plant basis with an opportunity for the owner or operator to obtain guidance as to whether its categorization is acceptable.
    45. On a related matter, several commenters recommend changes to the exemption provision of the CIP Reliability Standards to better delineate the scope of NRC’s regulations. NERC states that the delineation provided by its proposed revised exemption language for the Applicability sections of the CIP Reliability Standards is clear and adequately addresses the delineation issues raised by the Commission. For example, NERC proposes to expedite a modification to the exemption provision of the CIP Reliability Standards to reflect that ‘‘digital computer and communications systems and networks within a U.S. nuclear power plant * * * that are regulated and enforced by the U.S. Nuclear Regulatory Commission are exempt from the requirements of this standard.’’ \40\ Other commenters also recommend changes to the exemption provision of the CIP Reliability Standards to clarify which equipment would be subject to NRC’s cyber security regulations, as opposed to the CIP Reliability Standards. NRC Staff proposes to clarify the exemption as follows: ‘‘[a]ll portions of a nuclear power plant * * * that fall within the regulatory jurisdiction and authority pertaining to cyber security of the NRC are exempt from the CIP Reliability Standards. * * *’’ \41\
---------------------------------------------------------------------------

    \39\ E.g., Dominion, Duke, Luminant, PG&E, Southern and Wolf Creek.
    \40\ NERC Comments at 3.
    \41\ NRC Staff Comments at 1.
---------------------------------------------------------------------------

    46. NEI recommends that the Commission direct NERC to modify the exemption language in the CIP Reliability Standards to state:

    Nuclear safety-related and important-to-safety systems and networks, security systems and networks, emergency preparedness systems and networks including offsite communications, and support systems and equipment which if compromised would adversely impact safety, security or emergency preparedness functions regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.\42\

    47. APS, Luminant, PG&E and Wolf Creek offer variations on the NEI proposal. For example, APS supports NEI’s suggested change to existing CIP exemption language but would follow the ‘‘adversely impact safety,’’ phrase with the additional phrase ‘‘plant reliability (continuity of power).’’
---------------------------------------------------------------------------

    \42\ NEI Comments at 14.
---------------------------------------------------------------------------

Commission Determination

    48. Based on the comments of NEI and other commenters, we understand that nuclear power plant licensees maintain a clear delineation between equipment within a nuclear power plant that pertains to reactor safety, security or emergency response, and equipment that pertains to balance of plant. Further, as discussed above, the NRC’s cyber security regulations may apply to certain equipment within the balance of plant in some respects. However, it appears that the delineation of which balance of plant equipment may be subject to the NRC cyber security regulations is not yet fully accomplished and will likely be articulated separately for each nuclear power plant, with the line of regulatory demarcation differing from plant to plant.
Moreover, while NRC Staff indicates that there are ‘‘many’’ components of balance of plant that will not be subject to the NRC cyber security regulations, NEI and other industry commenters assert that there are few, if any.
    49. To resolve this matter in a manner that assures that no regulatory gap occurs, and also provides certainty to nuclear power plant licensees, the Commission requires that all balance of plant equipment within a nuclear power plant is subject to the CIP Reliability Standards. This approach provides clarity and certainty because, as indicated above, nuclear power plant licensees understand a clear delineation between equipment within a nuclear power plant that pertains to reactor safety, security or emergency response, and equipment that pertains to balance of plant. This is certainly within the scope of the Commission’s and ERO’s authority pursuant to section 215(b) of the FPA.\43\
---------------------------------------------------------------------------

    \43\ 16 U.S.C. 824o(b). Section 215(b) of the FPA sets forth the Commission’s jurisdiction over all ‘‘users, owners and operators of the bulk-power system.’’
---------------------------------------------------------------------------

    50. Further, a nuclear power plant licensee may seek an exception from the ERO to the extent that the licensee believes that specific equipment within the balance of plant is subject to NRC cyber security regulations. If the ERO grants the exception, that equipment within the balance of plant would not be subject to compliance with the CIP Reliability Standards. We would expect that the ERO would make such determinations with the consultation of NRC and oversight of Commission staff. Thus, to further the development of this ERO process, the ERO should consider the appropriateness of developing a memorandum of understanding with the NRC, or revising existing agreements, to address such matters as NRC staff consultation in the exception application process and sharing of Safeguard Information.
The Commission believes that with the above two-part approach, i.e., subjecting all balance of plant equipment within a nuclear power plant to the CIP Reliability Standards, with exceptions allowed via a process implemented by the ERO, nuclear power plant licensees will have a bright-line rule that eliminates the potential regulatory gap and provides certainty; and a plant-specific equipment exception process to avoid dual regulation where appropriate.
    51. While balance of plant equipment will be subject to the CIP Reliability Standards, this does not mean that every such asset must meet all of the requirements of the CIP Reliability Standards. For example, such equipment should be considered pursuant to Reliability Standard CIP–002–1 to identify critical cyber assets.
    52. With regard to the recommended changes to the exemption language of the CIP Reliability Standards, we believe that the above discussion adequately addresses our concerns. We leave to the discretion of the ERO whether a modification to further refine the exemption language, to reflect the findings of this order, is needed.

D. Regulatory Coordination

    53. NRC Staff recommends the development of a memorandum of understanding to outline scope, clarify agency roles and responsibilities, and provide specific technical requirements related to the application and administration of regulations pertaining to the protection of critical digital assets at nuclear power plants. Similarly, NEI, EEI and other commenters urge a coordinated approach to cyber security oversight at nuclear power plants to avoid redundancies and avoid unnecessary burdens on licensees.
    54. Further, EEI, Exelon and the PSEG Companies request that the Commission consider the roles of the ERO and the NRC in the application, enforcement and administration of the CIP Reliability Standards as applied to nuclear power plants, including considering the implications of the Safeguards Information requirements set forth in 10 CFR 73.22.

Commission Determination

    55. We agree that it is advisable for the two commissions to coordinate their respective cyber security-related activities with regard to nuclear power plants. However, for purposes of this proceeding, we need not resolve this question regarding the need for a memorandum of understanding between the two commissions.

E. Implementation Schedule

    56. The Proposed Clarification requested comment on an appropriate implementation schedule timetable for owners and operators of nuclear power plants to comply with the CIP Reliability Standards. In Order No. 706, the Commission approved NERC’s staggered implementation schedule for the CIP Reliability Standards. Table 3 of NERC’s Implementation Plan for Cyber Security Standards CIP–002–1 through CIP–009–1 defines the implementation schedule for Responsible Entities that were required to register during 2006. Under Table 3, Responsible Entities must be Auditably Compliant with CIP–002–1 through CIP–009–1 by December 31, 2010.\44\
    57. NERC supports the application of Table 3 of the CIP Reliability Standards implementation plan to determine an appropriate compliance schedule.\45\ In contrast, numerous nuclear industry commenters \46\ argue that the Table 3 implementation schedule should not apply to nuclear power plants. Rather, many of the nuclear industry commenters suggest that the Commission should direct NERC to work with stakeholders to develop an appropriate timeframe for owners and operators of nuclear power plants to achieve full compliance with the CIP Reliability Standards.
---------------------------------------------------------------------------

    \44\ Proposed Clarification, 124 FERC ¶ 61,247 at P 9.
    \45\ Order No. 706, Mandatory Reliability Standards for Critical Infrastructure Protection, 122 FERC ¶ 61,040, at P 77–90 (2008).
    \46\ E.g., Ameren, Dominion, Duke, EEI, Exelon, FirstEnergy, IESO/Hydro One, Ontario Power, PG&E, PPL, PSEG, Southern and Wolf Creek.
---------------------------------------------------------------------------

    58. NEI recommends a schedule similar to Table 4 of NERC’s Implementation Plan for Cyber Security Standards, which pertains to compliance deadlines for newly registered entities. Exelon proposes a ‘‘begin work’’ date of December 31, 2008, with an auditable compliance deadline of December 31, 2011.

Commission Determination

    59. The Commission finds that it is not appropriate to dictate the schedule contained in Table 3 of NERC’s Implementation Plan, i.e., a December 2010 deadline for auditable compliance, for nuclear power plants to comply with the CIP Reliability Standards. Instead of requiring nuclear power plants to implement the CIP Reliability Standards on a fixed schedule at this time, we agree to allow more flexibility.
    60. Rather than the Commission setting an implementation schedule, we agree with commenters that the ERO should develop an appropriate schedule after providing for stakeholder input. Accordingly, we direct the ERO to engage in a stakeholder process to develop a more appropriate timeframe for nuclear power plants’ full compliance with CIP Reliability Standards. Further, we direct NERC to submit, within 180 days of the date of issuance of this order, a compliance filing that sets forth a proposed implementation schedule.

    The Commission orders:
    (A) The CIP Reliability Standards are clarified, as discussed in the body of this order.
    (B) The ERO is hereby directed to establish a stakeholder process to determine the appropriate implementation timetable for nuclear power plants, and submit a compliance filing to the Commission within 180 days of the date of issuance of this order, as discussed in the body of this order.

    By the Commission.
Kimberly D. Bose,
Secretary.

Appendix—Commenters

AEP—American Electric Power Service Corporation.
Arizona Public Service—Arizona Public Service Company.
Detroit Edison—Detroit Edison Company.
Dominion—Dominion Resources, Inc.
Duke—Duke Energy Corporation.
EEI—Edison Electric Institute.
Entergy—Entergy Services, Inc.
Exelon—Exelon Corporation.
FirstEnergy—FirstEnergy Service Company.
IESO/Hydro One—Independent Electricity System Operator of Ontario (IESO) and Hydro One Networks, Inc.
Kansas City—Kansas City Power & Light Company.
Luminant—Luminant Generation Company LLC.
NERC—North American Electric Reliability Corporation.
NEI—Nuclear Energy Institute.
Ontario Power—Ontario Power Generation, Inc.
PG&E—Pacific Gas & Electric.
PPL Companies—PPL Companies (PPL Electric Utilities Corporation, PPL Susquehanna, LLC, and PPL EnergyPlus, LLC).
Progress Energy—Progress Energy, Inc.
PSEG Companies—PSEG Companies (Public Service Electric and Gas Company, PSEG Energy Resources and Trade LLC, and PSEG Power LLC).
Southern—Southern Nuclear Operating Company.
Union Electric/Ameren—Union Electric Company and Ameren Services Company.
NRC Staff—U.S. Nuclear Regulatory Commission Staff.
Wolf Creek—Wolf Creek Nuclear Operating Corporation.

[FR Doc. E9–6503 Filed 3–24–09; 8:45 am]
BILLING CODE 6717–01–P


[Federal Register Volume 74, Number 56 (Wednesday, March 25, 2009)]
[Rules and Regulations]
[Pages 12544-12551]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-6503]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM06-22-000; Order No. 706-B]


Mandatory Reliability Standards for Critical Infrastructure 
Protection

Issued March 19, 2009.
AGENCY: Federal Energy Regulatory Commission.

ACTION: Order on Clarification.

-----------------------------------------------------------------------

SUMMARY: The Commission clarifies that the facilities within a nuclear 
generation plant in the United States that are not regulated by the 
U.S. Nuclear Regulatory Commission are subject to compliance with the 
eight mandatory ``CIP'' Reliability Standards approved in Commission 
Order No. 706.

DATES: Effective Date: This rule will become effective March 25, 2009.

FOR FURTHER INFORMATION CONTACT:
Jonathan First (Legal Information), Office of General Counsel, 888 
First Street, NE., Washington, DC 20426, (202) 502-8529.
Regis Binder (Technical Information), Office of Electric Reliability, 
888 First Street, NE., Washington, DC 20426, (301) 665-1601.

SUPPLEMENTARY INFORMATION: Before Commissioners: Jon Wellinghoff, 
Acting Chairman; Suedeen G. Kelly, Marc Spitzer, and Philip D. Moeller.
1. In this order, the Commission clarifies the scope of the Critical 
Infrastructure Protection (CIP) Reliability Standards approved in Order 
No. 706 \1\ to assure that no ``gap'' occurs in the applicability of 
these Standards.\2\ In particular, each of the CIP Reliability 
Standards provides that facilities regulated by the U.S. Nuclear 
Regulatory Commission (NRC) are exempt from the Standard. It has come 
to the attention of the Commission that NRC regulations do not extend 
to all equipment within a nuclear power plant. Thus, to assure that 
there is no ``gap'' in the regulatory process, the Commission clarifies 
that the ``balance of plant'' equipment within a nuclear power plant in 
the United States that is not regulated by the NRC is subject to 
compliance with the CIP Reliability Standards approved in Order No. 
706.
---------------------------------------------------------------------------

    \1\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh'g, Order 
No. 706-A, 123 FERC ¶ 61,174 (2008).
    \2\ CIP Reliability Standards CIP-002-1 through CIP-009-1 (CIP 
Reliability Standards) were approved by Order No. 706. Reliability 
Standard CIP-001-1, which pertains to sabotage reporting, was not a 
subject of Order No. 706 and does not include the exemption 
statement that is the subject of this order.
---------------------------------------------------------------------------

I. Background

    2. The North American Electric Reliability Corporation (NERC), the 
Commission-certified Electric Reliability Organization (ERO), developed 
the CIP Reliability Standards that require certain users, owners and 
operators of the Bulk-Power System, including generator owners and 
operators, to comply with specific requirements to safeguard critical 
cyber assets. In January 2008, pursuant to section 215 of the Federal 
Power Act (FPA),\3\ the Commission approved the CIP Reliability 
Standards. In addition, pursuant to section 215(d)(5) of the FPA,\4\ 
the Commission directed the ERO to develop modifications to the CIP 
Reliability Standards to address specific concerns identified by the 
Commission.
---------------------------------------------------------------------------

    \3\ 16 U.S.C. 824o (2006).
    \4\ 16 U.S.C. 824o(d)(5)(2006).
---------------------------------------------------------------------------

    3. Each CIP Reliability Standard includes an exemption for 
facilities regulated by the NRC. For example, Reliability Standard CIP-
002-1 provides:

    The following are exempt from Standard CIP-002: Facilities 
regulated by the U.S. Nuclear Regulatory Commission * * *.\5\

    4. In an April 8, 2008 public joint meeting of the Commission and 
the NRC, staff of both Commissions discussed cyber security at nuclear 
power plants. While indicating that the NRC has proposed regulations to 
address cyber security at nuclear power plants, NRC staff raised a 
concern regarding a potential gap in regulatory coverage.\6\ In 
particular, NRC staff indicated that the NRC's proposed regulations on 
cyber security would not apply to all systems within a nuclear power 
plant. NRC staff explained:
---------------------------------------------------------------------------

    \5\ Reliability Standard CIP-002-1, section 4.2 (Applicability).
    \6\ In December 2008, the NRC approved a final rule that 
included cyber security-related regulations applicable to nuclear 
power plant licensees. The regulations, referred to herein as the 
``NRC cyber security regulations,'' have not been published in the 
Federal Register at this time and are not currently in effect. They 
will be codified at 10 CFR 73.54. See Final Rulemaking--Power 
Reactor Security Requirements, SECY-08-0099 (Jul. 9, 2008); Press 
Release: NRC Approves Final Rule Expanding Security Requirements for 
Nuclear Power Plants, (Dec. 17, 2008), available at https://www.nrc.gov/reading-rm/doc-collections/news/2008/08-227.html.

    The NRC's cyber requirements are not going to extend to power 
continuity systems. They do not extend directly to what is not 
directly associated with reactor safety security or emergency 
response. * * *
    As a result, and when you look at the CIP standards that were 
issued, there is a discrete statement in each of the seven or eight 
standards where it specifically exempts facilities regulated by the 
United States Nuclear Regulatory Commission from compliance with 
those CIP Standards. So there is an issue there in the sense that 
our regulations for cyber security go up to a certain point, and 
end.\7\
---------------------------------------------------------------------------

    \7\ April 8, 2008, Joint Meeting of the Nuclear Regulatory 
Commission and Federal Energy Regulatory Commission, Tr. at 77-78.

    5. On September 18, 2008, the Commission issued an Order on 
Proposed Clarification,\8\ explaining its concern that a gap may exist 
in the regulatory process due to the provision in each of the CIP 
Reliability Standards exempting ``facilities regulated by the U.S. 
Nuclear Regulatory Commission.'' On the understanding that some 
facilities within a nuclear power plant would not be subject to 
compliance with cyber security regulations developed by the NRC, the 
Commission proposed to clarify that the facilities
within a nuclear power plant in the United States that are not 
regulated by the NRC are subject to compliance with the CIP Reliability 
Standards approved in Order No. 706. The Commission explained its 
proposal and sought comment on not only the Proposed Clarification, but 
also two additional questions: (1) Whether a clear delineation exists 
between those facilities in a nuclear power plant which relate to 
safety and security, and the non-safety related ``balance of plant,'' 
and if a clear delineation does not exist, whether there is a need for 
owners and/or operators of nuclear power plants to identify the 
specific facilities that pertain to reactor safety, security or 
emergency response and are subject to NRC jurisdiction, and the balance 
of plant that is subject to the eight CIP Reliability Standards; and 
(2) if nuclear power plants were to be required to implement the CIP 
Reliability Standards, whether Table 3 of the implementation plan 
approved in Order No. 706 should control the implementation 
schedule.\9\
---------------------------------------------------------------------------

    \8\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order on Proposed Clarification, 124 FERC ¶ 61,247 
(2008) (Proposed Clarification).
    \9\ Proposed Clarification, 124 FERC ¶ 61,247 at P 9.
---------------------------------------------------------------------------

    6. The Proposed Clarification was published in the Federal 
Register, 73 FR 55,459 (Sept. 25, 2008). In response, comments were 
filed by 23 interested persons, 17 of which own and/or operate nuclear 
power plants. A list of the commenters appears in the Appendix to this 
Order. These comments have assisted the Commission and are addressed in 
the discussion, below.

II. Discussion

    7. For the reasons discussed below, the Commission finds that the 
CIP Reliability Standards are applicable to all equipment within a 
nuclear power plant located in the United States that will not be 
subject to NRC's cyber security regulations. The thrust of many 
comments is that the NRC regulates the entire nuclear power plant 
including power continuity systems and, therefore, the Commission's 
Proposed Clarification is unnecessary. The Commission is not persuaded 
by these arguments, which either reference back to voluntary industry 
standards developed by the nuclear industry, or mischaracterize the 
nature and extent of NRC's regulations with regard to the entire 
nuclear power plant. Indeed, NRC Staff comments reiterate that many 
portions of a nuclear power plant are not regulated by NRC.
    8. Nuclear power plants can have a significant effect on the 
reliability of the Bulk-Power System. Prior to the enactment of section 
215 of the FPA, the electric industry had voluntary cyber security 
provisions and a system of self-certifications. However, Congress 
imposed a framework for mandatory and enforceable Reliability 
Standards, explicitly including cyber security, applicable to all 
users, owners and operators of the Bulk-Power System. That framework 
charges the Commission with the oversight of the development and 
enforcement of the Reliability Standards.
    9. In previous orders, the Commission has emphasized that the 
application of the Reliability Standards must remain uniform and 
consistent.\10\ This is necessary both to protect the reliability of 
the Bulk-Power System and to ensure equity in the application of 
Reliability Standards. The Commission has found that ``section 215 
seeks to prevent an instability, an uncontrolled separation or a 
cascading failure, whether resulting from either a sudden disturbance, 
including a cybersecurity incident, or an unanticipated failure of the 
system elements.'' \11\ Therefore, compliance monitoring must occur on 
an ongoing and proactive basis. Due to the preventive aspect of section 
215 and the requirements of the Reliability Standards, compliance 
monitoring and enforcement of the Reliability Standards are not 
triggered only by a past event or a cyber security incident. The ERO 
and Regional Entities have several proactive monitoring processes, 
including, but not limited to, spot checks and audits, to verify that 
users, owners and operators are in compliance with the Reliability 
Standards and to maintain the reliable operation of the Bulk-Power 
System. This order balances the concerns expressed by commenters with 
the Commission's responsibility for consistency, as well as rigor and 
uniformity in the compliance monitoring and enforcement of the 
Reliability Standards.
---------------------------------------------------------------------------

    \10\ See Rules Concerning Certification of the Electric 
Reliability Organization; and Procedures for the Establishment, 
Approval, and Enforcement of Electric Reliability Standards, Order 
No. 672, 71 FR 8662 (Feb. 17, 2006), FERC Stats. & Regs., 
Regulations Preambles 2006-2007 ¶ 31,204, at P 41 and P 290 (2006), 
order on reh'g, Order No. 672-A, FERC Stats. & Regs., Regulations 
Preambles 2006-2007 ¶ 31,212 (2006); Mandatory Reliability Standards 
for the Bulk-Power System, Order No. 693, 72 FR 16416 (Apr. 4, 
2007), FERC Stats. & Regs. ¶ 31,242 at P 298 (2007).
    \11\ Order No. 693, FERC Stats. & Regs. ¶ 31,242 at P 24, order 
on reh'g, Order No. 693-A, 120 FERC ¶ 61,053 (2007); see also 16 
U.S.C. 824o(a)(4) (2006) (defining Reliable Operation).
---------------------------------------------------------------------------

    10. In response to comments, we have refined certain aspects of the 
Proposed Clarification. However, we continue to believe that a gap in 
the application of appropriate cyber security standards would exist 
absent our clarification in this Order.

A. Meaning of the Term ``Facility''

    11. Before addressing our determination on the Proposed 
Clarification, we discuss a terminology issue raised by NRC Staff, NEI 
and other commenters. As mentioned above, the CIP Reliability Standards 
exempt ``facilities regulated by the U.S. Nuclear Regulatory 
Commission.'' The Proposed Clarification indicated that a nuclear power 
plant consists of multiple ``facilities'' within its boundaries, some 
but not all of which are regulated by the NRC. For example, we stated 
that ``NRC's regulation of a nuclear power plant is limited to the 
facilities that are associated with reactor safety or emergency 
response.'' \12\
---------------------------------------------------------------------------

    \12\ Proposed Clarification, 124 FERC ¶ 61,247 at P 6.
---------------------------------------------------------------------------

Comments
    12. Commenters state that the term ``facility,'' as used in the 
nuclear industry, refers to the entire nuclear power plant. For 
example, NRC Staff comments that the term ``facility'' is defined by 
the Atomic Energy Act of 1954 as a ``production or utilization 
facility,'' and the term is commonly synonymous with the entire nuclear 
power plant, ``that comprises the entire set of buildings, cooling 
towers, assets, switchyards, systems, and equipment within the 
owner-controlled area * * *.'' \13\ The NRC Staff asserts that the use of the 
term ``facilities'' in the Proposed Clarification might effectively 
exempt all portions of nuclear power plants from the CIP Reliability 
Standards and thus not close the regulatory gap that the Commission 
intended to address. Rather, the NRC Staff explains that, when 
referring to discrete elements within a nuclear power plant, the NRC 
generally uses the term, ``structures, systems and components.''
---------------------------------------------------------------------------

    \13\ NRC Staff Comments at 1.
---------------------------------------------------------------------------

    13. NEI, supported by a number of commenters, similarly states that 
the Commission used the term ``facilities'' in a manner that is not 
consistent with the use of the term in the nuclear industry. NEI states 
that the nuclear industry typically uses the term ``facility'' to mean 
the entire nuclear power plant, and that the equivalent in nuclear 
parlance of ``facilities,'' as used by the Commission, are the 
``structures, systems, components and networks (``SSC'') which provide 
the various functions for plant operation and shut down.'' \14\
---------------------------------------------------------------------------

    \14\ NEI Comments at 2.

---------------------------------------------------------------------------


Commission Determination
    14. It appears that the use of the term ``facility'' in the 
Proposed Clarification differs from the common use of that term in the 
nuclear regulatory environment. For purposes of this order, we use the 
term ``nuclear power plant'' to describe the entire nuclear generating 
plant, including the entire set of buildings, cooling towers, assets, 
switchyards, systems, and equipment within the owner-controlled area. 
This term is consistent with NRC Staff's explanation.
    15. NRC Staff states that it generally uses the term ``structures, 
systems and components'' to refer to discrete elements of the nuclear 
power plant regulated by the NRC, and suggests that the Commission uses 
``facilities'' in an analogous way. We will use the term ``structures, 
systems and components'' to reference any element of equipment, systems 
or networks of equipment, or portions within a nuclear power plant 
within an entity's ownership or control. NRC Staff follows its 
description of what structures comprise a nuclear power plant with the 
note, ``many of which are not directly regulated by the NRC.'' For 
purposes of this order, we will use the term ``balance of plant'' to 
reference those portions of the nuclear power plant to which NRC Staff 
refers, as that term is defined by the NRC's regulations.\15\
---------------------------------------------------------------------------

    \15\ The NRC's regulations define the Balance of Plant as: ``the 
remaining systems, components, and structures that comprise a 
complete nuclear power plant and are not included in the nuclear 
steam supply system.'' The Nuclear Steam Supply System is defined as 
consisting of ``the reactor core, reactor coolant system, and 
related auxiliary systems including the emergency core cooling 
system; decay heat removal system; and chemical volume and control 
system.'' 10 CFR 170.3 (2008).
---------------------------------------------------------------------------

B. Regulatory Gap--Need for the Clarification

    16. In the Proposed Clarification, the Commission explained that:

    The plain meaning of the exemption language in the eight CIP 
Reliability Standards at issue is that only those facilities within 
a nuclear generation plant that are regulated by the NRC are exempt 
from those Standards. The exemption language in the eight CIP 
Reliability Standards neither states, nor implies, that all 
facilities within a nuclear generation plant are exempt from the 
Standards, regardless of whether they are subject to NRC regulation. 
However, the Commission believes there is a need to assure that 
there is no potential gap in the regulation of critical cyber assets 
at nuclear generation plants.\16\
---------------------------------------------------------------------------

    \16\ Proposed Clarification, 124 FERC ¶ 61,247 at P 7 (emphasis 
in original). As discussed above, the term facilities as used in the 
Proposed Clarification was intended to apply to structures, systems 
and components within a nuclear power plant.

    The Commission, thus, proposed to clarify that Reliability 
Standards CIP-002-1 through CIP-009-1 apply to the facilities, i.e., 
structures, systems and components, within a nuclear power plant that 
are not regulated by the NRC.
Comments
    17. NRC Staff and NERC agree with the Commission that clarification 
of the CIP Reliability Standards is needed. NEI and other stakeholders 
in the nuclear industry oppose the clarification, arguing that it is 
unnecessary because no regulatory gap exists since the NRC's 
jurisdiction can reach all equipment at nuclear power plants that might 
need cyber security protection.
    18. NRC Staff comments that much of the equipment within the 
owner-controlled area of the nuclear power plant is not directly regulated by 
the NRC. Thus, NRC Staff supports the Commission's proposal and 
suggests certain refinements to the proposal to provide additional 
clarity to distinguish ``the scope of plant functions that are subject 
to NRC requirements from those functions that are subject to applicable 
FERC-regulated grid reliability requirements.'' \17\
---------------------------------------------------------------------------

    \17\ NRC Comments at 1.
---------------------------------------------------------------------------

    19. NERC states that it agrees with the Commission's understanding 
of the delineation between those ``facilities'' within a nuclear power 
plant whose functions are necessary and sufficient for reactor safety, 
security or emergency response versus the portion of the rest of the 
plant whose functions are necessary for Bulk-Power System reliability. 
NERC agrees with the Commission that there is a need for more clarity 
with regard to the applicability of CIP Reliability Standards to 
nuclear power plants, and recommends an expedited modification to the 
Standards.
    20. NEI, and other commenters,\18\ many of which support NEI's 
comments, assert that the Commission's Proposed Clarification is 
unnecessary, as there is no regulatory gap in the oversight of critical 
cyber assets at nuclear power plants. According to NEI and others, the 
NRC regulates the entire nuclear power plant, including cyber security 
for balance of plant systems that may be critical to Bulk-Power System 
reliability. Commenters identify three sources of NRC's authority: the 
nuclear industry's comprehensive security program developed by NEI (NEI 
04-04), NRC's ``Maintenance Rule,'' and NRC's recently-promulgated 
cyber security rules. In addition, NEI and others contend that 
application of CIP Reliability Standards to nuclear power plants would 
result in dual regulation of equipment, which would be complicated and 
inefficient.
---------------------------------------------------------------------------

    \18\ E.g., AEP, Ameren, Arizona Public Service, Dominion, Duke, 
Entergy, Exelon, FirstEnergy, Luminant, PG&E, PPL Companies, PSEG, 
and Wolf Creek.
---------------------------------------------------------------------------

Nuclear Industry Cyber Security Guideline, NEI 04-04
    21. NEI and other commenters \19\ argue that the application of CIP 
Reliability Standards is not warranted because the nuclear industry has 
made a binding commitment to implement a comprehensive cyber security 
program developed by NEI and endorsed by NRC.\20\ NEI explains that, 
pursuant to this program, existing digital assets at nuclear power 
plants are analyzed for cyber vulnerabilities and necessary mitigation 
plans are established and implemented. According to NEI, all nuclear 
power plants implemented NEI 04-04 on or before May 1, 2008.
---------------------------------------------------------------------------

    \19\ E.g., AEP, Arizona Public Service, Duke, Exelon, Luminant, 
PG&E, PSEG, Southern and Wolf Creek.
    \20\ NEI Comments at 5-8, citing to NEI 04-04 Revision 1, 
``Power Security Program for Nuclear Reactors'' (April 2006) (NEI 
04-04).
---------------------------------------------------------------------------

    22. NEI explains that, in February 2002, the NRC issued Order 
EA-02-026, ``Interim Safeguards and Security Compensation Measures for 
Nuclear Power Plants,'' \21\ which included required actions to address 
cyber security concerns. According to NEI, as a ``supplement'' to 
implementation of this NRC order, the nuclear industry committed to 
implement NEI 04-04, which was designed to protect plant systems, 
including all those pertinent to balance of plant. NEI states that 
implementation of the NEI 04-04 cyber security program extends to plant 
generation equipment up to and including the first breaker out from the 
main transformer to the switchyard breaker. According to NEI, in 
response to a system vulnerability identified in 2007, both industry 
and NRC relied on NEI 04-04 in determining that the first breaker out 
from the transformer to the switchyard is within the boundary of the 
nuclear power plant.\22\
---------------------------------------------------------------------------

    \21\ All Operating Power Licensees; Order Modifying Licenses, 67 
FR 9792 (Mar. 4, 2002).
    \22\ NEI Comments at 6.
---------------------------------------------------------------------------

    23. NEI states that, in 2005, NRC staff endorsed NEI 04-04 as an 
acceptable method for establishing and maintaining a cyber security 
program at nuclear power plants. It cites to the NRC Inspection Manual, 
which states that a performance deficiency can exist if a licensee 
fails to meet a self-imposed standard. Thus, NEI contends that, because 
licensees have self-imposed NEI 04-04 through a binding initiative, NRC
has the regulatory authority to inspect and enforce the program's 
requirements.\23\
---------------------------------------------------------------------------

    \23\ Exelon, Luminant and Progress Energy also claim that NEI 
04-04 is mandatory and enforceable by NRC. Likewise, APS contends 
that compliance with NEI 04-04 is not voluntary because, through NEI 
membership, all nuclear power plants are contractually bound to 
follow the program.
---------------------------------------------------------------------------

    24. NEI and other commenters, including Duke, Entergy and Exelon, 
contend that NRC's current oversight is adequate and the existing cyber 
security program is ``functionally equivalent'' to the CIP Reliability 
Standards.
NRC's Maintenance Rule
    25. NEI, Exelon and Southern argue that NRC regulates the ``balance 
of plant,'' and focus on NRC's ``Maintenance Rule'' in particular to 
support their argument.\24\ The Maintenance Rule requires a licensee to 
implement a monitoring program that includes both safety related and 
non-safety related structures, systems and components.\25\ The 
Maintenance Rule identifies as within the scope of the monitoring 
program, structures, systems and components:
---------------------------------------------------------------------------

    \24\ In addition, numerous commenters state that they support 
NEI's comments. E.g., EEI, AEP, Arizona Public Service, Dominion, 
Kansas City and PG&E.
    \25\ Requirements for Monitoring the Effectiveness of 
Maintenance at Nuclear Power Plants, 56 FR 31306 (Jul. 10, 1991) 
(Maintenance Rule). See also 10 CFR 50.65.

    (b)(2)(i) That are relied upon to mitigate accidents or 
transients or are used in plant emergency operating procedures; or 
(b)(2)(ii) Whose failure could prevent safety-related structures, 
systems, and components from fulfilling their safety-related 
function; or (b)(2)(iii) Whose failure could cause a reactor scram 
or actuation of a safety-related system.\26\
---------------------------------------------------------------------------

    \26\ 10 CFR 50.65(b)(2)(i)-(iii). NRC's Glossary defines a 
``scram'' as ``[t]he sudden shutting down of a nuclear reactor, 
usually by rapid insertion of control rods, either automatically or 
manually by the reactor operator. May also be called a reactor 
trip.'' NERC Glossary, available at https://www.nrc.gov/reading-rm/basic-ref/glossary.

    NEI states that NRC may take enforcement action for violations of 
the Maintenance Rule, and includes examples of citations for failures 
of non-safety systems. According to NEI, implementing guidance for the 
Maintenance Rule, developed by industry and endorsed by NRC, provides 
further evidence that structures, systems and components pertaining to 
the balance of plant must be monitored.\27\
---------------------------------------------------------------------------

    \27\ NEI Comments at 4, citing NUMARC 93-01, ``Industry 
Guideline for Monitoring the Effectiveness of Maintenance at Nuclear 
Power Plants,'' and NRC Regulatory Guide 1.160.
---------------------------------------------------------------------------

    26. NEI thus argues that:

    The NRC regulates any [structure, system or component] in a 
nuclear power plant that has both a direct or indirect impact on 
safety, security, or emergency response systems. The NRC's 
regulations extend to all systems that could cause a reactor scram, 
diminish the ability to mitigate the consequences of a reactor 
scram, or cause the actuation of a safety system. These are the same 
systems that constitute the balance of the plant for Continuity of 
Operations purposes.\28\
---------------------------------------------------------------------------

    \28\ NEI Comments at 5.

    According to NEI, the failure of a structure, system or component 
as the result of a cyber security breach affects the reliability of 
equipment operation and is consequently within the scope of the 
Maintenance Rule. Ameren, which owns and operates a nuclear power 
plant, comments that it is unable to identify any structures, systems 
or components that are not currently subject to cyber security 
regulation by the NRC that could impact electric reliability.
NRC Cyber Security Regulations
    27. NEI explains that NRC has proposed regulations that would 
specifically address cyber security at nuclear power plants.\29\ 
According to NEI, Exelon, Progress Energy and Southern, NRC's cyber 
security regulations would apply to both safety functions and ``support 
systems and equipment which if compromised would adversely impact 
safety, security or emergency preparedness functions.'' \30\ Further, 
the NRC regulations would require licensees to identify the cyber 
security assets they will protect under the program, and the list of 
identified assets becomes the basis for inspection by NRC Staff. NEI 
states that most balance of plant systems support both nuclear safety 
and continuity of operations.
---------------------------------------------------------------------------

    \29\ See supra n. 6.
    \30\ To be codified at 10 CFR 73.54(a)(1)(iv).
---------------------------------------------------------------------------

    28. NEI contends that there are ``few, if any,'' systems within the 
boundary of a typical nuclear power plant that support only continuity 
of operations. Thus, according to NEI, since the failure of such 
systems could cause a reactor scram or actuation of a safety system, 
the proposed NRC regulation would apply and there would be no 
regulatory gap. NEI also claims that, as with all NRC regulation, the 
requirements of 10 CFR 73.54 would be assessed, inspected and enforced.
Dual Regulation
    29. NEI, EEI and other commenters \31\ express concern that if the 
Commission issues its Proposed Clarification, dual regulation will 
result and cause overlapping requirements, contradictory requirements, 
duplicate inspections and recordkeeping, and duplicate worker training 
and qualifications. They assert that confusion and conflicts will 
result with respect to applicability of regulations if the Commission's 
clarification separates digital assets within a nuclear power plant 
into some that are subject to NRC regulations and others that are 
subject to CIP Reliability Standards. AEP states that the proposed 
application of the CIP Reliability Standards could result in increased 
costs and complexity without a commensurate increase in reliability or 
protection.
---------------------------------------------------------------------------

    \31\ E.g., Ameren, Exelon, Progress Energy, PPL and PSEG.
---------------------------------------------------------------------------

    30. NEI, EEI and other commenters \32\ argue the most effective way 
to eliminate any potential gap in regulatory oversight is to maintain a 
single set of regulations for the entire nuclear power plant under the 
jurisdiction of the NRC. IESO/Hydro One assert that nuclear power 
plants should only be regulated by one entity, and cyber security at 
nuclear power plants must be under the jurisdiction of the NRC or the 
Canadian nuclear authority.
---------------------------------------------------------------------------

    \32\ E.g., Arizona Public Service, Entergy, PSEG, Dominion, 
Exelon, Luminant, Ontario Power, Southern, Wolf Creek, and PG&E.
---------------------------------------------------------------------------

Commission Determination
    31. As discussed below, the Commission is not persuaded by the 
nuclear industry commenters' arguments that the NRC regulates all 
balance of plant equipment within a nuclear power plant.
Voluntary Industry Standard NEI 04-04
    32. The nuclear industry's development of a cyber security program 
under NEI 04-04 is commendable. However, compliance with NEI 04-04 is 
voluntary. As mandated by the Energy Policy Act of 2005, the Commission 
must ensure that the Commission-certified ERO develops Reliability 
Standards and provides for consistent monitoring and enforcement of 
such standards. The nuclear industry's voluntary commitment to NEI 
04-04 does not satisfy the Energy Policy Act's mandate and is not adequate 
assurance that the reliability of the Bulk-Power System is protected. 
Therefore, the Commission cannot rely upon NEI 04-04 to meet its 
obligations under the Energy Policy Act of 2005.
    33. While NEI maintains that NEI 04-04 is subject to NRC regulatory 
and enforcement authority, NRC Staff has disavowed this position with 
regard to non-safety security and emergency preparedness related cyber 
security assets within a nuclear power plant.\33\ While NEI characterizes NEI 
04-04 as a ``supplement'' to NRC Order EA-02-026, the NRC order did not 
mandate the development and implementation of the industry-developed 
program. We understand that, on occasion, NRC Staff will endorse an 
industry-developed program or guidance document as one acceptable 
manner to comply with NRC regulations. The industry-developed cyber 
security program, however, was not developed as a means to comply with 
an NRC regulation. Thus, while the NRC Staff simply endorsed NEI 04-04 
as ``an acceptable method for establishing and maintaining a cyber 
security program at nuclear power plants,'' \34\ the scope of this 
endorsement falls short of documenting that NEI 04-04 is mandatory and 
enforceable by the NRC.
---------------------------------------------------------------------------

    \33\ NRC Staff Comments at 1.
    \34\ NEI Comments, Appendix E (December 23, 2005 letter from 
NRC, Director, Office of Nuclear Security and Incident Response to 
NEI, Vice President, Nuclear Operations).
---------------------------------------------------------------------------

    34. Further, we do not agree with commenters' claims that NEI 04-04 
is mandatory because entities have made a contractually binding 
commitment to NEI to implement the program. Again, while such proactive 
commitments by industry are laudable, they do not and cannot substitute 
for a government regulation subject to compliance and enforcement, 
including civil penalties for non-compliance.
NRC Regulations
    35. The Commission also rejects the claim of NEI and other 
commenters that there is no regulatory gap and the Commission's 
clarification is unnecessary because relevant NRC regulations apply to 
all structures, systems and components within a nuclear power plant, 
both safety and non-safety related, including the equipment in the 
balance of plant.
    36. Commenters point to NRC's Maintenance Rule, which requires 
nuclear power plant licensees to monitor the effectiveness of 
maintenance activities for safety-significant plant equipment. In 
promulgating the Maintenance Rule, NRC explained that, while it 
considered having the rule apply to all structures, systems and 
components in a nuclear power plant, including the balance of plant, 
the final rule was more limited.\35\ While the Maintenance Rule 
expressly includes both safety related and non-safety related (i.e., 
balance of plant) structures, systems and components, NRC limited the 
scope of the rule to include only those balance of plant structures, 
systems and components ``whose failure could most directly threaten 
public health and safety.'' \36\ This limitation is set forth in 
subsection (b) of the Maintenance Rule, which describes the scope of 
the maintenance monitoring program required pursuant to subsection (a) 
of the rule. In sum, the Maintenance Rule contemplates that there will 
be balance of plant structures, systems and components that are not 
subject to the rule.
---------------------------------------------------------------------------

    \35\ Maintenance Rule, 56 FR 31306 at 31314-15. NRC indicated 
that this limitation of the scope was in part a reaction to 
commenter concerns that ``many [structures, systems or components] 
in the [balance of plant] have no nexus to public health and safety 
* * *.'' Id. at 31315.
    \36\ Id. at 31315. NRC explained that this scope is consistent 
with NRC's authority pursuant to sections 161 and 182 of the Atomic 
Energy Act to protect the public health and safety related to 
nuclear power plant safety. Id. at 31314-15. See also Pacific Gas & 
Electric Corp. v. State Energy Resources & Conservation and 
Development Commission, 461 U.S. 190, 210 n.22 (1983) (concluding 
that the Atomic Energy Act did not displace other agencies'--
Federal, state and local--jurisdiction over the generation, sale and 
transmission of electric energy, as the NRC's jurisdiction was 
limited to the protection of the public's health and safety from the 
particular risks posed by nuclear material); English v. General 
Electric Co., 496 U.S. 76, 82 (1990) (finding ``NRC * * * is 
concerned primarily with public health and safety'').
---------------------------------------------------------------------------

    37. NEI and other commenters also claim that the NRC's then-
proposed, and now recently approved, cyber security regulations 
demonstrate that there is, in fact, no regulatory gap. However, as 
indicated by the NRC Staff's comments, the NRC cyber security 
regulations have limited application to balance of plant. The NRC cyber 
security regulations will apply to safety-related functions, security 
functions, emergency preparedness and ``support systems and equipment 
which, if compromised, would adversely impact safety security and 
emergency preparedness functions.'' \37\
---------------------------------------------------------------------------

    \37\ See supra n. 6, to be codified at 10 CFR 73.54(a)(1)(iv).
---------------------------------------------------------------------------

    38. We disagree with nuclear industry commenters that contend that 
this latter provision is so broad as to include the entire balance of 
plant. Rather, similar to the Maintenance Rule, this provision 
identifies a subset of non-safety structures, systems and components 
that are subject to the NRC cyber security regulations. The remainder 
of the balance of plant equipment will not be subject to the NRC cyber 
security regulations. NRC Staff apprised the Commission of this 
limitation and the potential for a regulatory gap at a public meeting 
of the two commissions, when stating ``The NRC's cyber requirements are 
not going to extend to power continuity systems. They do not extend 
directly to what is not directly associated with reactor safety, 
security or emergency response.'' \38\
---------------------------------------------------------------------------

    \38\ Proposed Clarification Order, 124 FERC ¶ 61,247 at P 5, 
quoting April 8, 2008, Joint Meeting of the NRC and the Commission, 
Tr. at 77-78. Likewise, in its written comments, NRC staff explains 
that ``[t]he NRC regards `facility' as referring to the entire power 
generating plant, that comprises the entire set of buildings, 
cooling towers, assets, switchyards, systems and equipment within 
the owner-controlled area, many of which are not directly regulated 
by the NRC.'' NRC Staff Comments at 1 (emphasis added).
---------------------------------------------------------------------------

Dual Regulation
    39. Numerous nuclear industry commenters raise concerns that the 
Commission's proposal would result in nuclear power plant licensees 
having to comply with two sets of regulations, both NRC regulations and 
CIP Reliability Standards. According to commenters, this would likely 
cause overlapping requirements, contradictory requirements, duplicate 
inspections and other burdens.
    40. The Commission is not persuaded by these comments. First, the 
Commission believes that the possible burden, confusion and 
inefficiency is speculative, and may well be overstated by commenters. 
We note that no commenter states that any of the CIP Reliability 
Standards conflict with the NRC's cyber security regulations. While 
transition issues will invariably occur, it is possible that, for 
example, nuclear power plant licensees can minimize any possible burden 
by developing a single operating manual that integrates both NRC 
regulations and CIP Reliability Standards. In any case, commenters have 
not set forth an adequate justification for the Commission and the ERO 
to forgo their authority so that certain critical cyber assets are not 
subject to any mandatory oversight. In addition, we believe that 
concerns over possible contradictory requirements or duplicative 
inspections may be addressed through further regulatory coordination, 
discussed below.

C. Delineation of Equipment Within a Nuclear Power Plant and 
Modification of the Exemption Text

    41. In the Proposed Clarification, the Commission requested 
comments on whether there is a clear delineation between equipment 
within a nuclear power plant that pertains to reactor safety, security 
or emergency response and the non-safety portion of the balance of 
plant. The Commission asked whether there is a need for owners and/or 
operators of nuclear power plants to identify the specific facilities 
that pertain to reactor safety, security or emergency response and 
are subject to NRC regulation, and the balance of plant that

[[Page 12549]]

is subject to the CIP Reliability Standards.
Comments
    42. NEI, Exelon and others \39\ assert that there is a clear 
delineation between equipment within a nuclear power plant related to 
safety and security and equipment that constitutes balance of plant. 
NEI comments that under the existing nuclear cyber security programs, 
all digital assets have been identified and evaluated, and cyber 
security risk parameters have been established for assets which are 
nuclear-significant and those needed to maintain continuity of 
operation. Similarly, Exelon and Southern explain that, due to various 
designs of nuclear power plants, the delineation may vary from plant to 
plant. Therefore, each licensee identifies the structures, systems, and 
components that are ``nuclear significant'' and those that impact 
continuity of power, i.e., Bulk-Power System reliability. NEI, Exelon, 
Southern and other commenters maintain that this delineation is not 
relevant since NRC cyber security regulations apply to the balance of 
plant.
---------------------------------------------------------------------------

    \39\ E.g., Dominion, Duke, Luminant, PG&E, Southern and Wolf 
Creek.
---------------------------------------------------------------------------

    43. IESO/Hydro One assert that it is not possible, from either a 
procedural or technical standpoint, to establish a clear demarcation 
between facilities that relate to reactor safety or emergency response, 
and those that relate to reliability of the electric grid since the 
nuclear plant system is an interconnected and complex model. Breaking 
up this model would be confusing and technically difficult, according 
to IESO/Hydro One. Ontario Power notes that there are no ``balance of 
plant'' concerns in Canada since the Canadian Nuclear Safety Commission 
has jurisdiction over the entire nuclear power plant.
    44. FirstEnergy asserts that, notwithstanding the ability to 
delineate between equipment, the Commission's inquiry is premised on 
the incorrect assumption that a line can be drawn between safety-
related facilities regulated by the NRC and non-safety-related 
facilities that are not directly regulated by the NRC. FirstEnergy 
comments that, in fact, much equipment within a nuclear power plant 
that is categorized as balance of plant may have an indirect impact on 
safety or emergency response. It maintains that any attempt to separate 
equipment into two groupings for the purpose of creating two cyber 
security regulatory schemes would be technically challenging, 
potentially unsafe, and beyond the Commission's general expertise. PSEG 
and Ameren provide similar comments, and Ameren suggests that the 
delineation of the specific structures, systems and components 
regulated by NRC and the Commission should occur on a plant-by-plant 
basis with an opportunity for the owner or operator to obtain guidance 
as to whether its categorization is acceptable.
    45. On a related matter, several commenters recommend changes to 
the exemption provision of the CIP Reliability Standards to better 
delineate the scope of NRC's regulations. NERC states that the 
delineation provided by its proposed revised exemption language for the 
Applicability sections of the CIP Reliability Standards is clear and 
adequately addresses the delineation issues raised by the Commission. 
For example, NERC proposes to expedite a modification to the exemption 
provision of the CIP Reliability Standards to reflect that ``digital 
computer and communications systems and networks within a U.S. nuclear 
power plant * * * that are regulated and enforced by the U.S. Nuclear 
Regulatory Commission are exempt from the requirements of this 
standard.'' \40\ Other commenters also recommend changes to the 
exemption provision of the CIP Reliability Standards to clarify which 
equipment would be subject to NRC's cyber security regulations, as 
opposed to the CIP Reliability Standards. NRC Staff proposes to clarify 
the exemption as follows: ``[a]ll portions of a nuclear power plant * * 
* that fall within the regulatory jurisdiction and authority pertaining 
to cyber security of the NRC are exempt from the CIP Reliability 
Standards. * * *'' \41\
---------------------------------------------------------------------------

    \40\ NERC Comments at 3.
    \41\ NRC Staff Comments at 1.
---------------------------------------------------------------------------

    46. NEI recommends that the Commission direct NERC to modify the 
exemption language in the CIP Reliability Standards to state:

    Nuclear safety-related and important-to-safety systems and 
networks, security systems and networks, emergency preparedness 
systems and networks including offsite communications, and support 
systems and equipment which if compromised would adversely impact 
safety, security or emergency preparedness functions regulated by 
the U.S. Nuclear Regulatory Commission or the Canadian Nuclear 
Safety Commission.\42\
---------------------------------------------------------------------------

    \42\ NEI Comments at 14.

    47. APS, Luminant, PG&E and Wolf Creek offer variations on the NEI 
proposal. For example, APS supports NEI's suggested change to existing 
CIP exemption language but would follow the ``adversely impact 
safety,'' phrase with the additional phrase ``plant reliability 
(continuity of power).''
Commission Determination
    48. Based on the comments of NEI and other commenters, we 
understand that nuclear power plant licensees maintain a clear 
delineation between equipment within a nuclear power plant that 
pertains to reactor safety, security or emergency response, and 
equipment that pertains to balance of plant. Further, as discussed 
above, the NRC's cyber security regulations may apply to certain 
equipment within the balance of plant in some respects. However, it 
appears that the delineation of which balance of plant equipment may be 
subject to the NRC cyber security regulations is not yet fully 
accomplished and will likely be articulated separately for each nuclear 
power plant, with the line of regulatory demarcation differing from 
plant to plant. Moreover, while NRC Staff indicates that there are 
``many'' components of balance of plant that will not be subject to the 
NRC cyber security regulations, NEI and other industry commenters 
assert that there are few, if any.
    49. To resolve this matter in a manner that assures that no 
regulatory gap occurs, and also provides certainty to nuclear power 
plant licensees, the Commission requires that all balance of plant 
equipment within a nuclear power plant is subject to the CIP 
Reliability Standards. This approach provides clarity and certainty 
because, as indicated above, nuclear power plant licensees understand a 
clear delineation between equipment within a nuclear power plant that 
pertains to reactor safety, security or emergency response, and 
equipment that pertains to balance of plant. This is certainly within 
the scope of the Commission's and ERO's authority pursuant to section 
215(b) of the FPA.\43\
---------------------------------------------------------------------------

    \43\ 16 U.S.C. 824o(b). Section 215(b) of the FPA sets forth the 
Commission's jurisdiction over all ``users, owners and operators of 
the bulk-power system.''
---------------------------------------------------------------------------

    50. Further, a nuclear power plant licensee may seek an exception 
from the ERO to the extent that the licensee believes that specific 
equipment within the balance of plant is subject to NRC cyber security 
regulations. If the ERO grants the exception, that equipment within the 
balance of plant would not be subject to compliance with the CIP 
Reliability Standards. We would expect that the ERO would make such 
determinations with the consultation of

[[Page 12550]]

NRC and oversight of Commission staff. Thus, to further the development 
of this ERO process, the ERO should consider the appropriateness of 
developing a memorandum of understanding with the NRC, or revising 
existing agreements, to address such matters as NRC staff consultation 
in the exception application process and sharing of Safeguard 
Information. The Commission believes that with the above two-part 
approach, i.e., subjecting all balance of plant equipment within a 
nuclear power plant to the CIP Reliability Standards, with exceptions 
allowed via a process implemented by the ERO, nuclear power plant 
licensees will have a bright-line rule that eliminates the potential 
regulatory gap and provides certainty; and a plant-specific equipment 
exception process to avoid dual regulation where appropriate.
    51. While balance of plant equipment will be subject to the CIP 
Reliability Standards, this does not mean that every such asset must 
meet all of the requirements of the CIP Reliability Standards. For 
example, such equipment should be considered pursuant to Reliability 
Standard CIP-002-1 to identify critical cyber assets.
    52. With regard to the recommended changes to the exemption 
language of the CIP Reliability Standards, we believe that the above 
discussion adequately addresses our concerns. We leave to the 
discretion of the ERO whether a modification to further refine the 
exemption language, to reflect the findings of this order, is needed.

D. Regulatory Coordination

    53. NRC Staff recommends the development of a memorandum of 
understanding to outline scope, clarify agency roles and 
responsibilities, and provide specific technical requirements related 
to the application and administration of regulations pertaining to the 
protection of critical digital assets at nuclear power plants. 
Similarly, NEI, EEI and other commenters urge a coordinated approach to 
cyber security oversight at nuclear power plants to avoid redundancies 
and avoid unnecessary burdens on licensees.
    54. Further, EEI, Exelon and the PSEG Companies request that the 
Commission consider the roles of the ERO and the NRC in the 
application, enforcement and administration of the CIP Reliability 
Standards as applied to nuclear power plants, including considering the 
implications of the Safeguards Information requirements set forth in 10 
CFR 73.22.
Commission Determination
    55. We agree that it is advisable for the two commissions to 
coordinate their respective cyber security-related activities with 
regard to nuclear power plants. However, for purposes of this 
proceeding, we need not resolve this question regarding the need for a 
memorandum of understanding between the two commissions.

E. Implementation Schedule

    56. The Proposed Clarification requested comment on an appropriate 
implementation schedule for owners and operators of nuclear 
power plants to comply with the CIP Reliability Standards. In Order No. 
706, the Commission approved NERC's staggered implementation schedule 
for the CIP Reliability Standards. Table 3 of NERC's Implementation 
Plan for Cyber Security Standards CIP-002-1 through CIP-009-1 defines 
the implementation schedule for Responsible Entities that were required 
to register during 2006. Under Table 3, Responsible Entities must be 
Auditably Compliant with CIP-002-1 through CIP-009-1 by December 31, 
2010.\44\
---------------------------------------------------------------------------

    \44\ Proposed Clarification, 124 FERC ¶ 61,247 at P 9.
---------------------------------------------------------------------------

    57. NERC supports the application of Table 3 of the CIP Reliability 
Standards implementation plan to determine an appropriate compliance 
schedule.\45\ In contrast, numerous nuclear industry commenters \46\ 
argue that the Table 3 implementation schedule should not apply to 
nuclear power plants. Rather, many of the nuclear industry commenters 
suggest that the Commission should direct NERC to work with 
stakeholders to develop an appropriate timeframe for owners and 
operators of nuclear power plants to achieve full compliance with the 
CIP Reliability Standards.
---------------------------------------------------------------------------

    \45\ Order No. 706, Mandatory Reliability Standards for Critical 
Infrastructure Protection, 122 FERC ¶ 61,040, at P 77-90 (2008).
    \46\ E.g., Ameren, Dominion, Duke, EEI, Exelon, FirstEnergy, 
IESO/Hydro One, Ontario Power, PG&E, PPL, PSEG, Southern and Wolf 
Creek.
---------------------------------------------------------------------------

    58. NEI recommends a schedule similar to Table 4 of NERC's 
Implementation Plan for Cyber Security Standards, which pertains to 
compliance deadlines for newly registered entities. Exelon proposes a 
``begin work'' date of December 31, 2008, with an auditable compliance 
deadline of December 31, 2011.
Commission Determination
    59. The Commission finds that it is not appropriate to dictate the 
schedule contained in Table 3 of NERC's Implementation Plan, i.e., a 
December 2010 deadline for auditable compliance, for nuclear power 
plants to comply with the CIP Reliability Standards. Instead of 
requiring nuclear power plants to implement the CIP Reliability 
Standards on a fixed schedule at this time, we agree to allow more 
flexibility.
    60. Rather than the Commission setting an implementation schedule, 
we agree with commenters that the ERO should develop an appropriate 
schedule after providing for stakeholder input. Accordingly, we direct 
the ERO to engage in a stakeholder process to develop a more 
appropriate timeframe for nuclear power plants' full compliance with 
CIP Reliability Standards. Further, we direct NERC to submit, within 
180 days of the date of issuance of this order, a compliance filing 
that sets forth a proposed implementation schedule.
    The Commission orders:
    (A) The CIP Reliability Standards are clarified, as discussed in 
the body of this order.
    (B) The ERO is hereby directed to establish a stakeholder process 
to determine the appropriate implementation timetable for nuclear power 
plants, and submit a compliance filing to the Commission within 180 
days of the date of issuance of this order, as discussed in the body of 
this order.

    By the Commission.
Kimberly D. Bose,
Secretary.

Appendix--Commenters

AEP--American Electric Power Service Corporation.
Arizona Public Service--Arizona Public Service Company.
Detroit Edison--Detroit Edison Company.
Dominion--Dominion Resources, Inc.
Duke--Duke Energy Corporation.
EEI--Edison Electric Institute.
Entergy--Entergy Services, Inc.
Exelon--Exelon Corporation.
FirstEnergy--FirstEnergy Service Company.
IESO/Hydro One--Independent Electricity System Operator of Ontario 
(IESO) and Hydro One Networks, Inc.
Kansas City--Kansas City Power & Light Company.
Luminant--Luminant Generation Company LLC.
NERC--North American Electric Reliability Corporation.
NEI--Nuclear Energy Institute.
Ontario Power--Ontario Power Generation, Inc.
PG&E--Pacific Gas & Electric.
PPL Companies--PPL Companies (PPL Electric Utilities Corporation, 
PPL Susquehanna, LLC, and PPL EnergyPlus, LLC).
Progress Energy--Progress Energy, Inc.
PSEG Companies--PSEG Companies (Public Service Electric and Gas 
Company, PSEG

[[Page 12551]]

Energy Resources and Trade LLC, and PSEG Power LLC).
Southern--Southern Nuclear Operating Company.
Union Electric/Ameren--Union Electric Company and Ameren Services 
Company.
NRC Staff--U.S. Nuclear Regulatory Commission Staff.
Wolf Creek--Wolf Creek Nuclear Operating Corporation.

 [FR Doc. E9-6503 Filed 3-24-09; 8:45 am]
BILLING CODE 6717-01-P