Commission Information Collection Activities (FERC-725B); Comment Request; Extension, 65618-65620 [2010-26988]
Download as PDF
65618
Federal Register / Vol. 75, No. 206 / Tuesday, October 26, 2010 / Notices
emcdonald on DSK2BSOYB1PROD with NOTICES
monitoring and consulting activities
would be adequate treatment.
An Endangered Species Act (ESA) (16
U.S.C. 1536) Section 7 consultation was
completed by BLM during the DOE FEIS
NEPA process. The Service has issued
four Biological Opinions for the
proposed project: (1) May 1993; (2)
March 1994, which included an analysis
of potential effects to the desert tortoise
and its designated critical habitat; (3)
December 2007, which incorporated
project realignments and the use of Hframes with perching deterrents within
desert tortoise critical habitat; and (4)
June and July 2010, which respectively
amended the 2007 Biological Opinion to
incorporate an additional tower design
(tubular guyed-V tower) with perching
deterrents, and modifications to include
additional disturbance of desert tortoise
habitat due to a minor calculation error.
Mitigation
DOE will require Great Basin to
employ all practicable means to avoid or
minimize environmental harm as a
result of the proposed action. The loan
guarantee agreement between DOE and
Great Basin would require that Great
Basin implement all project-specific
environmental protection measures
specified in the ‘‘Construction,
Operation, and Maintenance Plan for
the Southwest Intertie Project 500-kV
Transmission Line; SWIP—Southern
Portion; SWIP Central Portion (COM
Plan),’’ and in the BLM Notice to
Proceed, issued in August 2010. After
the DOE loan guarantee is retired,
enforcement of environmental
protection will continue through the
BLM ROW grant provisions for the life
of the project.
The NEPA analysis completed in the
DOE FEIS indicates that SWIP South
would result in low environmental
impacts after mitigation measures
required for BLM’s ROW are
implemented. The mitigation measures
are a condition of BLM issuance of the
ROW that provides Great Basin access to
construct, operate, and maintain SWIP
South on BLM land. The BLM
documents the conditions under which
Great Basin must operate in the COM
Plan approved by BLM in 2010. The
COM Plan incorporates the mitigation
measures required by the DOE FEIS, the
2010 Historic Properties Treatment
Plan, and the 2010 Biological Opinion.
Decision
DOE has decided to offer Great Basin
a conditional commitment for a Federal
loan guarantee for partial financing of
SWIP South. This decision is contingent
on Great Basin satisfying all precedent
funding obligations, and all other
VerDate Mar<15>2010
18:09 Oct 25, 2010
Jkt 223001
contractual, statutory, regulatory,
environmental compliance, and other
requirements specified by DOE.
In reaching this decision, DOE
reviewed the SWIP NEPA
documentation and considered the
potential impacts of the selected
alternative with implementation of the
stipulated mitigation measures.
DOE has prepared this ROD in
accordance with the Council on
Environmental Quality regulations (40
CFR Parts 1500–1508) for implementing
NEPA and DOE’s NEPA Implementing
Procedures (10 CFR Part 1021).
Basis for Decision
DOE has determined that the potential
environmental impacts analyzed in the
DOE FEIS will be minor after
implementation of the mitigation
provisions for the SWIP South BLM
ROW. The mitigation measures will be
reflected in the DOE Loan Guarantee
Common Agreement, and will remain in
the BLM COM Plan for the duration of
the granted ROW.
DOE has also determined that
potential environmental impacts
associated with the Falcon Substation
Upgrades and the Backup
Communications System would not be
adverse or can be characterized as
minor. DOE has determined that no
further analysis is required, and
incorporates by reference the
environmental analyses conducted on
these project elements. Further, DOE
has also considered the Congressional
direction specified in Section 2003 of
H.R. 4899, the 2010 Supplemental
Appropriations Act, Public Law 111–
212, effective on July 29, 2010 (the 2010
Supplemental Appropriations Act) in its
decision to issue this ROD. The 2010
Supplemental Appropriations Act
allows DOE to provide or facilitate
Federal financing for SWIP under the
American Recovery and Reinvestment
Act of 2009 (Pub. L. 111–5; 123 Stat.
115), or the Energy Policy Act of 2005
(42 U.S.C. 15801 et seq.), based on the
comprehensive reviews and
consultations performed by BLM under
the Secretary of the Interior.
Issued in Washington, DC, on October 18,
2010.
Jonathan M. Silver,
Executive Director, Loan Programs Office.
[FR Doc. 2010–27046 Filed 10–25–10; 8:45 am]
BILLING CODE 6450–01–P
PO 00000
Frm 00013
Fmt 4703
Sfmt 4703
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket No. IC11–725B–000]
Commission Information Collection
Activities (FERC–725B); Comment
Request; Extension
October 19, 2010.
Federal Energy Regulatory
Commission, Energy.
ACTION: Notice of proposed information
collection and request for comments.
AGENCY:
In compliance with the
requirements of section 3506(c)(2)(A) of
the Paperwork Reduction Act of 1995,
44 U.S.C. 3506(c)(2)(A) (2006), (Pub. L.
104–13), the Federal Energy Regulatory
Commission (Commission or FERC) is
soliciting public comment on the
proposed information collection
described below.
DATES: Comments in consideration of
the collection of information are due
December 27, 2010.
ADDRESSES: Commenters must send an
original of their comments to: Federal
Energy Regulatory Commission,
Secretary of the Commission, 888 First
Street, NE., Washington, DC 20426.
Comments may be filed either on paper
or on CD/DVD, and should refer to
Docket No. IC11–725B–000. Documents
must be prepared in an acceptable filing
format and in compliance with
Commission submission guidelines at
https://www.ferc.gov/help/submissionguide.asp. eFiling and eSubscription are
not available for Docket No. IC11–725B–
000, due to a system issue.
All comments and FERC issuances
may be viewed, printed or downloaded
remotely through FERC’s eLibrary at
https://www.ferc.gov/docs-filing/
elibrary.asp, by searching on Docket No.
IC11–725B. For user assistance, contact
FERC Online Support by e-mail at
ferconlinesupport@ferc.gov, or by phone
at: (866) 208–3676 (toll-free), or (202)
502–8659 for TTY.
FOR FURTHER INFORMATION CONTACT:
Ellen Brown may be reached by e-mail
at DataClearance@FERC.gov, telephone
at (202) 502–8663, and fax at (202) 273–
0873.
SUPPLEMENTARY INFORMATION: The
information collected by the FERC–
725B, Reliability Standards for Critical
Infrastructure Protection (OMB Control
No. 1902–0248), is required to
implement the statutory provisions of
section 215 of the Federal Power Act
(FPA) (16 U.S.C. 824o). On August 8,
2005, the Electricity Modernization Act
of 2005, which is Title XII, Subtitle A,
SUMMARY:
E:\FR\FM\26OCN1.SGM
26OCN1
Federal Register / Vol. 75, No. 206 / Tuesday, October 26, 2010 / Notices
of the Energy Policy Act of 2005 (EPAct
2005), was enacted into law.1 EPAct
2005 added a new section 215 to the
FPA, requiring a Commission-certified
Electric Reliability Organization (ERO)
to develop mandatory and enforceable
Reliability Standards, which are subject
to Commission review and approval.
Once approved, the Reliability
Standards may be enforced in the
United States by the ERO subject to
Commission oversight, or the
Commission can independently enforce
Reliability Standards.2
On February 3, 2006, the Commission
issued Order No. 672, implementing
section 215 of the FPA. Pursuant to
Order No. 672, the Commission certified
one organization, North American
Electric Reliability Corporation (NERC),
as the ERO. The Reliability Standards
developed by the ERO and approved by
the Commission apply to users, owners
and operators of the Bulk-Power
System, as set forth in each Reliability
Standard.
On January 18, 2008, the Commission
issued order 706, approving eight
Critical Infrastructure Protection (CIP)
Reliability Standards submitted by the
NERC for Commission approval.3 The
CIP Reliability Standards require certain
users, owners, and operators of the
Bulk-Power System to comply with
specific requirements to safeguard
critical cyber assets.4 These standards
help protect the nation’s Bulk-Power
System against potential disruptions
from cyber attacks.5
The eight CIP Reliability Standards
address the following topics:
• Critical Cyber Asset Identification.
• Security Management Controls.
• Personnel and Training.
• Electronic Security Perimeters.
• Physical Security of Critical Cyber
Assets.
• Systems Security Management.
• Incident Reporting and Response
Planning.
• Recovery Plans for Critical Cyber
Assets.
The CIP Reliability Standards include
one actual reporting requirement and
several recordkeeping requirements.
Specifically, CIP–008–1 requires
responsible entities to report cyber
security incidents to the Electricity
Sector–Information Sharing and
Analysis Center (ES–ISAC). In addition,
the eight CIP Reliability Standards
require responsible entities to develop
various policies, plans, programs, and
procedures. For example, each
responsible entity must develop and
document a risk-based assessment
methodology to identify critical assets,
which is then used to develop a list of
critical cyber assets (CIP–002–1). A
responsible entity that identifies any
critical cyber assets must also
document: A cyber security policy (CIP–
003–1); a security awareness program
(CIP–004–1, Requirement R1); a
personnel risk assessment program
(CIP–004–1, Requirement R3); an
electronic security perimeter and
processes for control of electronic access
to all electronic access points to the
perimeter (CIP–005–1, Requirements R1
and R2); a physical security plan (CIP–
006–1); procedures for securing certain
65619
cyber assets (CIP–007–1); and recovery
plans for critical cyber assets (CIP–008–
1). To demonstrate compliance with the
CIP Reliability Standards, responsible
entities are required to maintain various
lists and access logs. All responsible
entities are required to be auditably
compliant with the CIP Reliability
Standards by the end of 2010, including
all required documentation.
The CIP Reliability Standards do not
require a responsible entity to report to
the Commission, ERO or Regional
Entities, the various policies, plans,
programs and procedures. However, a
showing of the documented policies,
plans, programs and procedures is
required to demonstrate compliance
with the CIP Reliability Standards.
Action: The Commission is requesting
a three-year extension of the FERC–
725B reporting requirements, with no
changes.
Burden Statement: The extent of the
reporting burden is influenced by the
number of identified critical assets and
related critical cyber assets pursuant to
CIP–002. An entity identifying one or
more critical cyber assets, including
assets located at remote locations, will
likely require more resources to
demonstrate compliance with the CIP
Reliability Standards compared to an
entity that identifies no critical assets.
The Commission has developed
estimates using data from NERC’s
compliance registry as well as a 2009
survey that was conducted by NERC to
asses the number of entities reporting
Critical Cyber Assets.
No. of
respondents 6
Average No.
of responses
per
respondent
Average No.
of Burden
hours per
response 7
Total
annual
hours
(1)
(2)
(3)
(1) × (2) × (3)
FERC–725B.
Estimate of U.S. Entities that have identified Critical Cyber Assets ...............
Estimate of U.S. Entities that have not identified Critical Cyber Assets .........
345
1,156
1
1
320
8
110,400
9,248
Totals ........................................................................................................
1,501
........................
........................
119,648
emcdonald on DSK2BSOYB1PROD with NOTICES
Data collection
6 The NERC Compliance Registry as of 9/28/2010 indicated that 2,079 entities were registered for NERC’s compliance program. Of these,
2,057 were identified as being U.S. entities. Staff concluded that of the 2,057 U.S. entities, only 1,501 were registered for at least one CIP related function. According to an April 7, 2009 memo to industry, NERC’s VP and Chief Security officer noted that only 31% of entities responded
to an earlier survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber Asset. Staff applied the
23% reporting to the 1,501 figure to obtain an estimate.
7 This figure relates to NERC’s audit schedule which requires NERC to engage in a compliance Audit once every 3 to 5 years. For simplicity,
staff has divided the total number of hours by 3 to reflect the amount of time annually spent preparing documents. Staff assumed that each CIP
audit or spot check would require four individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be required to demonstrate compliance
with CIP–002, which would require one individual approximately three days to execute.
1 Energy Policy Act of 2005, Public Law No.
109–58, Title XII, Subtitle A, 119 Stat. 594, 941
(2005), 16 U.S.C. 824o.
2 16 U.S.C. 824o(e)(3).
3 CIP–002–1, CIP–003–1, CIP–004–1, CIP–005–1,
CIP–006–1, CIP–007–1, CIP–008–1, and CIP–009–1.
VerDate Mar<15>2010
18:09 Oct 25, 2010
Jkt 223001
4 In addition, in accordance with section
215(d)(5) of the FPA, the Commission proposed to
direct NERC to develop modifications to the CIP
Reliability Standards to address specific concerns
identified by the Commission.
PO 00000
Frm 00014
Fmt 4703
Sfmt 4703
5 For a description of the CIP Reliability
Standards, see the Critical Infrastructure Protection
Section at NERC’s Web site at https://www.nerc.com/
page.php?cid=2/20.
E:\FR\FM\26OCN1.SGM
26OCN1
65620
Federal Register / Vol. 75, No. 206 / Tuesday, October 26, 2010 / Notices
emcdonald on DSK2BSOYB1PROD with NOTICES
The total estimated annual cost
burden to respondents is:
• Entities that have identified Critical
Assets = 110,400 hours@$96 =
$10,598,400.
• Entities that have not identified
Critical Assets = 9,248 hours@$96 =
$887,808.
The hourly rate of $96 is the average
cost of legal services ($230 per hour),
technical employees ($40 per hour) and
administrative support ($18 per hour),
based on hourly rates from the Bureau
of Labor Statistics (BLS) and the 2009
Billing Rates and Practices Survey
Report.8
The reporting burden includes the
total time, effort, or financial resources
expended to generate, maintain, retain,
disclose, or provide the information
including: (1) Reviewing instructions;
(2) developing, acquiring, installing, and
utilizing technology and systems for the
purposes of collecting, validating,
verifying, processing, maintaining,
disclosing and providing information;
(3) adjusting the existing ways to
comply with any previously applicable
instructions and requirements; (4)
training personnel to respond to a
collection of information; (5) searching
data sources; (6) completing and
reviewing the collection of information;
and (7) transmitting or otherwise
disclosing the information.
The estimate of cost for respondents
is based upon salaries for professional
and clerical support, as well as direct
and indirect overhead costs. Direct costs
include all costs directly attributable to
providing this information, such as
administrative costs and the cost for
information technology. Indirect or
overhead costs are costs incurred by an
organization in support of its mission.
These costs apply to activities which
benefit the whole organization rather
than any one particular function or
activity.
Comments are invited on: (1) Whether
the proposed collection of information
is necessary for the proper performance
of the functions of the Commission,
including whether the information will
have practical utility; (2) the accuracy of
the agency’s estimate of the burden of
the proposed collection of information,
including the validity of the
methodology and assumptions used; (3)
8 Bureau of Labor Statistics figures were obtained
from https://www.bls.gov/oes/current/
naics2_22.htm, and 2009 Billing Rates figure were
obtained from https://
www.marylandlawyerblog.com/2009/07/
average_hourly_rate_for_lawyer.html. Legal services
were based on the national average billing rate
(contracting out) from the above report and BLS
hourly earnings (in-house personnel). It is assumed
that 25% of respondents have in-house legal
personnel.
VerDate Mar<15>2010
18:09 Oct 25, 2010
Jkt 223001
ways to enhance the quality, utility and
clarity of the information to be
collected; and (4) ways to minimize the
burden of the collection of information
on those who are to respond, including
the use of appropriate automated,
electronic, mechanical, or other
technological collection techniques or
other forms of information technology
e.g. permitting electronic submission of
responses.
Kimberly D. Bose,
Secretary.
[FR Doc. 2010–26988 Filed 10–25–10; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Project No. P–12783–003]
Inglis Hydropower, LLC; Notice of
Application Ready for Environmental
Analysis and Soliciting Comments,
Recommendations, Terms and
Conditions, and Prescriptions
October 19, 2010.
Take notice that the following
hydroelectric application has been filed
with the Commission and is available
for public inspection.
a. Type of Application: Original Major
License.
b. Project No.: P–12783–003.
c. Date filed: July 22, 2009.
d. Applicant: Inglis Hydropower, LLC.
e. Name of Project: Inglis Hydropower
Project.
f. Location: The project would be
located at the existing Inglis bypass
channel and spillway on the
Withlacoochee River, west of Lake
Rousseau and Inglis Dam, within the
town of Inglis and Levy, Citrus, and
Marion counties, Florida. No federal
lands would be occupied by the
proposed project.
g. Filed Pursuant to: Federal Power
Act 16 U.S.C. 791(a)—825(r).
h. Applicant Contact: Mr. Dean
Edwards, P.O. Box 1565, Dover, FL
33527; Mr. Kevin Edwards, P.O. Box
143, Mayodan, NC 27027.
i. FERC Contact: Jennifer Adams at
(202) 502–8087, or
jennifer.adams@ferc.gov.
j. The deadline for filing comments,
recommendations, terms and
conditions, and prescriptions is 60 days
from the issuance of this notice and
reply comments are due 105 days from
the issuance date of this notice.
All documents may be filed
electronically via the Internet. See 18
CFR 385.2001(a)(1)(iii) and the
PO 00000
Frm 00015
Fmt 4703
Sfmt 4703
instructions on the Commission’s Web
site https://www.ferc.gov/docs-filing/
efiling.asp. Commenters can submit
brief comments up to 6,000 characters,
without prior registration, using the
eComment system at https://
www.ferc.gov/docs-filing/
ecomment.asp. You must include your
name and contact information at the end
of your comments. For assistance,
please contact FERC Online Support at
FERCOnlineSupport@ferc.gov, or tollfree at 1–866–208–3676, or for TTY,
(202) 502–8659. Although the
Commission strongly encourages
electronic filing, documents may also be
paper-filed. To paper-file, mail an
original and seven copies to: Kimberly
D. Bose, Secretary, Federal Energy
Regulatory Commission, 888 First
Street, NE., Washington, DC 20426.
The Commission’s Rules of Practice
require all intervenors filing documents
with the Commission to serve a copy of
that document on each person on the
official service list for the project.
Further, if an intervenor files comments
or documents with the Commission
relating to the merits of an issue that
may affect the responsibilities of a
particular resource agency, they must
also serve a copy of the document on
that resource agency.
k. This application has been accepted
and is ready for environmental analysis
at this time.
l. The proposed 2.0-megawatt Inglis
Hydropower Project would operate
using flows released by the Southwest
Water Management District from Lake
Rousseau which is typically operated to
maintain the water surface elevation of
Lake Rousseau at 27.5 feet mean sea
level. The proposed project would
consist of: (1) A 45-foot-long, 100-footwide intake conveying water from the
bypass channel located downstream of
Lake Rousseau; (2) a 130-foot-long
penstock consisting of two 14-foot by
14-foot reinforced concrete conduits; (3)
a 60-foot-long, 80-foot-wide, 30-foothigh concrete powerhouse containing
three vertical shaft turbines, two 0.8
megawatt (MW) turbines and one 0.4
MW turbine for a total installed capacity
of 2.0 MW; (4) a 100-foot-long concrete
discharge channel; (5) a new substation
adjacent to the powerhouse; (6) a 120foot-long, 24.5-kilovolt transmission
line connecting the project substation to
the local utility; and (7) appurtenant
facilities. The Inglis Project would
annually generate approximately 12,300
megawatt-hours.
m. A copy of the application is
available for review at the Commission
in the Public Reference Room or may be
viewed on the Commission’s Web site at
https://www.ferc.gov. using the ‘‘eLibrary
E:\FR\FM\26OCN1.SGM
26OCN1
Agencies
[Federal Register Volume 75, Number 206 (Tuesday, October 26, 2010)]
[Notices]
[Pages 65618-65620]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-26988]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. IC11-725B-000]
Commission Information Collection Activities (FERC-725B); Comment
Request; Extension
October 19, 2010.
AGENCY: Federal Energy Regulatory Commission, Energy.
ACTION: Notice of proposed information collection and request for
comments.
-----------------------------------------------------------------------
SUMMARY: In compliance with the requirements of section 3506(c)(2)(A)
of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A) (2006),
(Pub. L. 104-13), the Federal Energy Regulatory Commission (Commission
or FERC) is soliciting public comment on the proposed information
collection described below.
DATES: Comments in consideration of the collection of information are
due December 27, 2010.
ADDRESSES: Commenters must send an original of their comments to:
Federal Energy Regulatory Commission, Secretary of the Commission, 888
First Street, NE., Washington, DC 20426. Comments may be filed either
on paper or on CD/DVD, and should refer to Docket No. IC11-725B-000.
Documents must be prepared in an acceptable filing format and in
compliance with Commission submission guidelines at https://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are
not available for Docket No. IC11-725B-000, due to a system issue.
All comments and FERC issuances may be viewed, printed or
downloaded remotely through FERC's eLibrary at https://www.ferc.gov/docs-filing/elibrary.asp, by searching on Docket No. IC11-725B. For
user assistance, contact FERC Online Support by e-mail at
ferconlinesupport@ferc.gov, or by phone at: (866) 208-3676 (toll-free),
or (202) 502-8659 for TTY.
FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail
at DataClearance@FERC.gov, telephone at (202) 502-8663, and fax at
(202) 273-0873.
SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B,
Reliability Standards for Critical Infrastructure Protection (OMB
Control No. 1902-0248), is required to implement the statutory
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C.
824o). On August 8, 2005, the Electricity Modernization Act of 2005,
which is Title XII, Subtitle A,
[[Page 65619]]
of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.\1\
EPAct 2005 added a new section 215 to the FPA, requiring a Commission-
certified Electric Reliability Organization (ERO) to develop mandatory
and enforceable Reliability Standards, which are subject to Commission
review and approval. Once approved, the Reliability Standards may be
enforced in the United States by the ERO subject to Commission
oversight, or the Commission can independently enforce Reliability
Standards.\2\
---------------------------------------------------------------------------
\1\ Energy Policy Act of 2005, Public Law No. 109-58, Title XII,
Subtitle A, 119 Stat. 594, 941 (2005), 16 U.S.C. 824o.
\2\ 16 U.S.C. 824o(e)(3).
---------------------------------------------------------------------------
On February 3, 2006, the Commission issued Order No. 672,
implementing section 215 of the FPA. Pursuant to Order No. 672, the
Commission certified one organization, North American Electric
Reliability Corporation (NERC), as the ERO. The Reliability Standards
developed by the ERO and approved by the Commission apply to users,
owners and operators of the Bulk-Power System, as set forth in each
Reliability Standard.
On January 18, 2008, the Commission issued order 706, approving
eight Critical Infrastructure Protection (CIP) Reliability Standards
submitted by the NERC for Commission approval.\3\ The CIP Reliability
Standards require certain users, owners, and operators of the Bulk-
Power System to comply with specific requirements to safeguard critical
cyber assets.\4\ These standards help protect the nation's Bulk-Power
System against potential disruptions from cyber attacks.\5\
---------------------------------------------------------------------------
\3\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-
007-1, CIP-008-1, and CIP-009-1.
\4\ In addition, in accordance with section 215(d)(5) of the
FPA, the Commission proposed to direct NERC to develop modifications
to the CIP Reliability Standards to address specific concerns
identified by the Commission.
\5\ For a description of the CIP Reliability Standards, see the
Critical Infrastructure Protection Section at NERC's Web site at
https://www.nerc.com/page.php?cid=2/20.
---------------------------------------------------------------------------
The eight CIP Reliability Standards address the following topics:
Critical Cyber Asset Identification.
Security Management Controls.
Personnel and Training.
Electronic Security Perimeters.
Physical Security of Critical Cyber Assets.
Systems Security Management.
Incident Reporting and Response Planning.
Recovery Plans for Critical Cyber Assets.
The CIP Reliability Standards include one actual reporting
requirement and several recordkeeping requirements. Specifically, CIP-
008-1 requires responsible entities to report cyber security incidents
to the Electricity Sector-Information Sharing and Analysis Center (ES-
ISAC). In addition, the eight CIP Reliability Standards require
responsible entities to develop various policies, plans, programs, and
procedures. For example, each responsible entity must develop and
document a risk-based assessment methodology to identify critical
assets, which is then used to develop a list of critical cyber assets
(CIP-002-1). A responsible entity that identifies any critical cyber
assets must also document: A cyber security policy (CIP-003-1); a
security awareness program (CIP-004-1, Requirement R1); a personnel
risk assessment program (CIP-004-1, Requirement R3); an electronic
security perimeter and processes for control of electronic access to
all electronic access points to the perimeter (CIP-005-1, Requirements
R1 and R2); a physical security plan (CIP-006-1); procedures for
securing certain cyber assets (CIP-007-1); and recovery plans for
critical cyber assets (CIP-008-1). To demonstrate compliance with the
CIP Reliability Standards, responsible entities are required to
maintain various lists and access logs. All responsible entities are
required to be auditably compliant with the CIP Reliability Standards
by the end of 2010, including all required documentation.
The CIP Reliability Standards do not require a responsible entity
to report to the Commission, ERO or Regional Entities, the various
policies, plans, programs and procedures. However, a showing of the
documented policies, plans, programs and procedures is required to
demonstrate compliance with the CIP Reliability Standards.
Action: The Commission is requesting a three-year extension of the
FERC-725B reporting requirements, with no changes.
Burden Statement: The extent of the reporting burden is influenced
by the number of identified critical assets and related critical cyber
assets pursuant to CIP-002. An entity identifying one or more critical
cyber assets, including assets located at remote locations, will likely
require more resources to demonstrate compliance with the CIP
Reliability Standards compared to an entity that identifies no critical
assets. The Commission has developed estimates using data from NERC's
compliance registry as well as a 2009 survey that was conducted by NERC
to asses the number of entities reporting Critical Cyber Assets.
----------------------------------------------------------------------------------------------------------------
Average No. of
No. of Average No. of Burden hours Total annual
Data collection respondents \6\ responses per per response hours
respondent \7\
(1) (2) (3) (1) x (2) x (3)
----------------------------------------------------------------------------------------------------------------
FERC-725B...................................
Estimate of U.S. Entities that have 345 1 320 110,400
identified Critical Cyber Assets...........
Estimate of U.S. Entities that have not 1,156 1 8 9,248
identified Critical Cyber Assets...........
-------------------------------------------------------------------
Totals.................................. 1,501 ............... ............... 119,648
----------------------------------------------------------------------------------------------------------------
\6\ The NERC Compliance Registry as of 9/28/2010 indicated that 2,079 entities were registered for NERC's
compliance program. Of these, 2,057 were identified as being U.S. entities. Staff concluded that of the 2,057
U.S. entities, only 1,501 were registered for at least one CIP related function. According to an April 7, 2009
memo to industry, NERC's VP and Chief Security officer noted that only 31% of entities responded to an earlier
survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber
Asset. Staff applied the 23% reporting to the 1,501 figure to obtain an estimate.
\7\ This figure relates to NERC's audit schedule which requires NERC to engage in a compliance Audit once every
3 to 5 years. For simplicity, staff has divided the total number of hours by 3 to reflect the amount of time
annually spent preparing documents. Staff assumed that each CIP audit or spot check would require four
individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified
Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be
required to demonstrate compliance with CIP-002, which would require one individual approximately three days
to execute.
[[Page 65620]]
The total estimated annual cost burden to respondents is:
Entities that have identified Critical Assets = 110,400
hours@$96 = $10,598,400.
Entities that have not identified Critical Assets = 9,248
hours@$96 = $887,808.
The hourly rate of $96 is the average cost of legal services ($230
per hour), technical employees ($40 per hour) and administrative
support ($18 per hour), based on hourly rates from the Bureau of Labor
Statistics (BLS) and the 2009 Billing Rates and Practices Survey
Report.\8\
---------------------------------------------------------------------------
\8\ Bureau of Labor Statistics figures were obtained from https://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates
figure were obtained from https://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based
on the national average billing rate (contracting out) from the
above report and BLS hourly earnings (in-house personnel). It is
assumed that 25% of respondents have in-house legal personnel.
---------------------------------------------------------------------------
The reporting burden includes the total time, effort, or financial
resources expended to generate, maintain, retain, disclose, or provide
the information including: (1) Reviewing instructions; (2) developing,
acquiring, installing, and utilizing technology and systems for the
purposes of collecting, validating, verifying, processing, maintaining,
disclosing and providing information; (3) adjusting the existing ways
to comply with any previously applicable instructions and requirements;
(4) training personnel to respond to a collection of information; (5)
searching data sources; (6) completing and reviewing the collection of
information; and (7) transmitting or otherwise disclosing the
information.
The estimate of cost for respondents is based upon salaries for
professional and clerical support, as well as direct and indirect
overhead costs. Direct costs include all costs directly attributable to
providing this information, such as administrative costs and the cost
for information technology. Indirect or overhead costs are costs
incurred by an organization in support of its mission. These costs
apply to activities which benefit the whole organization rather than
any one particular function or activity.
Comments are invited on: (1) Whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information will have practical
utility; (2) the accuracy of the agency's estimate of the burden of the
proposed collection of information, including the validity of the
methodology and assumptions used; (3) ways to enhance the quality,
utility and clarity of the information to be collected; and (4) ways to
minimize the burden of the collection of information on those who are
to respond, including the use of appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology e.g. permitting electronic submission of
responses.
Kimberly D. Bose,
Secretary.
[FR Doc. 2010-26988 Filed 10-25-10; 8:45 am]
BILLING CODE 6717-01-P