Commission Information Collection Activities (FERC-725B); Comment Request; Submitted for OMB Review, 31320-31322 [2011-13475]

Download as PDF 31320 Federal Register / Vol. 76, No. 104 / Tuesday, May 31, 2011 / Notices Kristen G. Ellis no later than 5 p.m. on Thursday, June 16, 2011, at kristen.ellis@em.doe.gov. An early confirmation of attendance will help facilitate access to the building more quickly. Please provide your name, organization, citizenship and contact information. Space is limited. Entry to the DOE Forrestal building will be restricted to those who have confirmed their attendance in advance. Anyone attending the meeting will be required to present government issued photo identification, such as a passport, driver’s license, or government identification. EMAB welcomes the attendance of the public at its advisory committee meetings and will make every effort to accommodate persons with physical disabilities or special needs. If you require special accommodations due to a disability, please contact Kristen G. Ellis at least seven days in advance of the meeting at the phone number or e-mail address listed above. Written statements may be filed with the Board either before or after the meeting. Individuals who wish to make oral statements pertaining to the agenda should contact Kristen G. Ellis at the address or telephone number listed above. Requests must be received five days prior to the meeting and reasonable provision will be made to include the presentation in the agenda. The Designated Federal Officer is empowered to conduct the meeting in a fashion that will facilitate the orderly conduct of business. Time allotted for individuals wishing to make public comments will depend on the number of individuals who wish to speak, but will not exceed five minutes. Minutes: Minutes will be available by writing or calling Kristen G. Ellis at the address or phone number listed above. Minutes will also be available at the following Web site: https:// www.em.doe.gov/stakepages/ emabmeetings.aspx. Issued at Washington, DC, on May 25, 2011. LaTanya R. Butler, Acting Deputy Committee Management Officer. [FR Doc. 2011–13511 Filed 5–27–11; 8:45 am] mstockstill on DSK4VPTVN1PROD with NOTICES BILLING CODE 6450–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. IC11–725B–001] Commission Information Collection Activities (FERC–725B); Comment Request; Submitted for OMB Review Federal Energy Regulatory Commission, DOE. ACTION: Notice. AGENCY: In compliance with the requirements of section 3507 of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy Regulatory Commission (Commission or FERC) has submitted the information collection described below to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission published a Notice in the Federal Register (75 FR 65618, 10/26/2010) requesting public comments. In addition, FERC published a notice in the Federal Register (76 FR 19333, 4/7/ 2011) indicating submission to OMB of the information collection described below and that it had not received any comments regarding the collection of information thus far. Subsequently, FERC staff became aware of a comment from the Transmission Agency of Northern California (TANC) that had been submitted in a timely manner but internally was indexed incorrectly. On May 3, 2011 the Commission issued a notice extending the comment period 1 (on the notice published April 7, 2011) to June 23, 2011. The Commission is revising its submission to OMB to reflect receipt of the comment. DATES: Comments on the collection of information are due by June 30, 2011. ADDRESSES: Address comments on the collection of information to the Office of Management and Budget, Office of Information and Regulatory Affairs, Attention: Federal Energy Regulatory Commission Desk Officer. Comments to OMB should be filed electronically, c/o oira_submission@omb.eop.gov and include OMB Control Number 1902– 0248 for reference. The Desk Officer may be reached by telephone at 202– 395–4638. SUMMARY: 1 The previous comment period ending on June 23rd will be extended to the date 30 days after publication of this revised notice in the Federal Register as stated in the DATES section of this notice. VerDate Mar<15>2010 17:27 May 27, 2011 Jkt 223001 PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 A copy of the comments should also be sent to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11– 725B–001. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at https:// www.ferc.gov/help/submissionguide.asp. eFiling and eSubscription are not available for Docket No. IC11–725B– 001, due to a system issue. All comments may be viewed, printed or downloaded remotely via the Internet through FERC’s homepage using the ‘‘eLibrary’’ link. For user assistance, contact ferconlinesupport@ferc.gov or toll-free at (866) 208–3676, or for TTY, contact (202) 502–8659. FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail at DataClearance@FERC.gov, by telephone at (202) 502–8663, and by fax at (202) 273–0873. SUPPLEMENTARY INFORMATION: The information collected by the FERC– 725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902–0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On January 18, 2008, the Commission issued Order No. 706, approving eight Critical Infrastructure Protection Reliability Standards (CIP Standards) submitted by the North American Electric Reliability Corporation (NERC) for Commission approval.2 The CIP Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets.3 These standards help protect the nation’s Bulk-Power System against potential disruptions from cyber attacks.4 The CIP Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP–008–1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES–ISAC). In addition, the eight CIP Standards 2 CIP–002–1, CIP–003–1, CIP–004–1, CIP–005–1, CIP–006–1, CIP–007–1, CIP–008–1, and CIP–009–1. 3 In addition, in accordance with section 215(d)(5) of the FPA, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. 4 For a description of the CIP Standards, see the Critical Infrastructure Protection Section on NERC’s Web site at https://www.nerc.com/ page.php?cid=2\20. E:\FR\FM\31MYN1.SGM 31MYN1 Federal Register / Vol. 76, No. 104 / Tuesday, May 31, 2011 / Notices require responsible entities to develop various policies, plans, programs, and procedures.5 The CIP Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Standards. Public Comment and FERC Response: TANC stated that they believed that the Commission did not adequately address or articulate the burden that falls on companies in complying with the CIP Standards and in particular, the hourly and cost burdens to comply with the documentation required by the CIP Standards. In looking at the commenter’s submittal, FERC has decided to examine more carefully the burden calculations. Relying on OMB guidance in interpreting the requirements of the Paperwork Reduction Act of 1995, FERC has determined that its initial estimate of cost burden was indeed lower than is reasonable for the average respondent. FERC maintains that the universe of respondents breaks down into three main categories: (1) Entities that have identified Critical Cyber Assets and have undergone a previous audit; (2) Entities that have not identified Critical Cyber Assets but must show compliance with CIP–003 R1 and CIP–002 R1 through R3; and (3) New entities that have come into compliance with the CIP Standards and undergoing their first compliance audit. FERC’s revised burden analysis is based on the average amount of time expended annually to obtain or maintain the information necessary in the event of a compliance audit. The fact that the average company may experience a spike in the burden hours immediately proceeding and during a compliance audit is accounted for in the revised estimate. The differences between the first and third categories of respondents is that, as an entity goes through multiple compliance audits, their processes become streamlined and more automated, which then becomes reflected in a lessening of their burden. Other areas that cause the burden numbers to fluctuate deal with the size of the company, the number of overall electric assets they have, the number of critical assets and critical cyber assets that they identify, etc. Therefore, the total numbers currently used by FERC to calculate cost burden are considered the case for an average-sized company with an average number of Critical Assets and Critical Cyber Assets. It is expected that the actual burden experienced by respondents may be higher or lower than the Commission estimate, based on factors listed above. Based on observations over several audit cycles, FERC now thinks that the preparation of the audit paperwork for an entity undergoing their first compliance audit (respondent category 3) is approximately 3,840 hours. This represents 20 technical personnel working 50% of their time over 8 weeks gathering and compiling all of the required paperwork to show compliance. In addition, a secondary period that is 20% of the primary effort is estimated to be needed to respond and gather information generated from questions arising from the initial submission. Based on observations over several audit cycles, FERC now thinks that the burden associated with ongoing compliance and preparation for future audits (respondent category 1) is less than entities coming into compliance for the first time (respondent category 3) as they are familiar with the audit compliance process and presumably 31321 will have streamlined their processes to handle the data collection effort. FERC estimates this should result in a reduction of 50% of their effort. This would result in a burden of approximately 1,920 hours. Finally, for those entities that have not identified Critical Cyber Assets but must still show compliance with CIP– 003 R1 and CIP–002 R1 through R3 (respondent category 2), FERC agrees with TANC and now estimates that these entities must expend approximately 120 hours or the equivalent of 3 employees working 50% of their time for 2 weeks. FERC believes this is a reasonable estimate as the majority of these entities are small and therefore have fewer electrical assets to examine in order to determine if they have any Critical Assets, which is the first stage of the CIP–002 process. FERC has also reconsidered dividing the burden hours by three to reflect the NERC audit schedule of 3–5 years and is instead not dividing the burden hours at all. This is due to the fact that a company will have to be obtaining and maintaining the information necessary for an audit on a consistent basis, and not only during an audit that occurs every 3–5 years. Therefore, the revised burden hours presented here represent the average annual burden hours per respondent, including the spikes that may result during an audit. Action: The Commission is requesting a three-year extension of the existing collection with no changes to the requirements. Burden Statement: The revised estimated annual burden is shown below in accordance with the discussion above. The Commission has developed estimates using data from NERC’s compliance registry as well as a 2009 survey that was conducted by NERC to assess the number of entities reporting Critical Cyber Assets. Number of respondents 6 mstockstill on DSK4VPTVN1PROD with NOTICES FERC–725B: Category 1—Estimate of U.S. Entities that have identified Critical Cyber Assets. Category 2—Estimate of U.S. Entities that have not identified Critical Cyber Assets. Category 3—New U.S. Entities that have to come into compliance with the CIP Standards 8. 5 The October notice issued in this docket contains more information on the reporting requirements and can be found at https:// VerDate Mar<15>2010 17:27 May 27, 2011 Jkt 223001 Average number of responses per respondent Average number of burden hours per response 7 Total annual hours (1) Data collection (2) (3) (1) × (2) × (3) 345 ................................ 1 1,920 ................................ 662,400 1,156 ............................. 1 120 ................................... 138,720 6 .................................... 1 3,840 ................................ 23,040 elibrary.ferc.gov/idmws/ File_list.asp?document_id=13857625. The full text PO 00000 Frm 00027 Fmt 4703 Sfmt 4703 of the standards can be found on NERC’s Web site at https://www.nerc.com/page.php?cid=2\20. E:\FR\FM\31MYN1.SGM 31MYN1 31322 Federal Register / Vol. 76, No. 104 / Tuesday, May 31, 2011 / Notices Number of respondents 6 Average number of responses per respondent Average number of burden hours per response 7 Total annual hours (1) Data collection (2) (3) (1) × (2) × (3) Totals ....................................................... mstockstill on DSK4VPTVN1PROD with NOTICES The total estimated annual cost burden to respondents is: • Category 1, Entities that have identified Critical Assets = 658,560 (662,400¥3,840) hours @ $96 = $63,221,760 • Category 2, Entities that have not identified Critical Assets = 138,240 (138,720¥480) hours @ $96 = $13,271,040 • Category 3, New U.S. Entities that have to comply with CIP Standards = 23,040 hours @ $96 = $2,211,840 • Storage Costs for Entities that have identified Critical Assets 9 = 345 Entities @ $15.25 = $5,261 • Total Cost for the FERC–725B = $78,709,901 The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), 6 The NERC Compliance Registry as of 9/28/2010 indicated that 2079 entities were registered for NERC’s compliance program. Of these, 2057 were identified as being U.S. entities. Staff concluded that of the 2057 U.S. entities, only 1501 were registered for at least one CIP-related function. According to an April 7, 2009, memo to industry, NERC’s VP and Chief Security Officer noted that only 31% of entities responded to an earlier survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber Asset. Staff applied the 23% reporting to the 1501 figure to obtain an estimate. The 6 new entities listed here are assumed to match a similar set of 6 entities that would drop out in an existing year. Thus, the net estimate of respondents remains at 1501 per year. 7 Calculations: Respondent category 3: 20 employees × (working 50%) × (40 hrs/week) × (8 weeks) = 3200 hours 20 employees × (working 20%) × (3200 hrs) = 640 hours Total = 3840 Respondent category 2: 3 employees × (working 50%) × (40 hrs/week) × (2 weeks) = 120 hours Respondent category 1: 50% of 3840 hours = 1920 8 These respondents and those in the subsequent column of the table (with the corresponding burden and cost figures) were not included in the 60-day public notice due to an oversight by Commission staff. 9 This cost category was not included in the 60day public notice due to an oversight by Commission staff. VerDate Mar<15>2010 17:27 May 27, 2011 Jkt 223001 Category 1: ¥2 ............. 1 Category 1 (2 respondents): 1,920. ¥3,840 Category 2: ¥4 ............. Entities no longer required to comply with CIP Standards (Two category 1 respondents and four category 2 respondents). ............................ Category 2 (4 respondents): 120. ¥480 1,501 ............................. ............................ .......................................... based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report.10 The $15.25 rate for storage costs for each entity is an estimate based on the average costs to service and store 1 GB of data to demonstrate compliance with the CIP Standards.11 The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting, or otherwise disclosing the information. Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency’s estimates of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collections of information on those who are to respond, including the use of appropriate automated, 10 Bureau of Labor Statistics figures were obtained from https://www.bls.gov/oes/current/naics2_ 22.htm, and 2009 Billing Rates figures were obtained from https://www.marylandlawyerblog. com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25% of respondents have in-house legal personnel. 11 Based on the aggregate cost of an IBM advanced data protection server. PO 00000 Frm 00028 Fmt 4703 Sfmt 4703 819,840 electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses. Dated: May 25, 2011. Kimberly D. Bose, Secretary. [FR Doc. 2011–13475 Filed 5–27–11; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Project No. 2277–023] Union Electric Company (dba Ameren Missouri); Notice of Scoping Meetings and Environmental Site Review and Soliciting Scoping Comments Take notice that the following hydroelectric application has been filed with Commission and is available for public inspection: a. Type of Application: New Major License. b. Project No.: 2277–023. c. Date filed: June 24, 2008. d. Applicant: Union Electric Company (dba Ameren Missouri). e. Name of Project: Taum Sauk Pumped Storage Project. f. Location: On the East Fork of the Black River, in Reynolds County, Missouri. The project occupies no Federal lands. g. Filed Pursuant to: Federal Power Act, 16 U.S.C. 791(a)–825(r). h. Applicant Contact: Michael O. Lobbig, P.E., Managing Supervisor, Hydro Licensing, Ameren Missouri, 3700 S. Lindbergh Blvd., St. Louis, MO 63127; telephone 314–957–3427; e-mail at mlobbig@ameren.com. i. FERC Contact: Janet Hutzel, telephone (202) 502–8675, or by e-mail at janet.hutzel@ferc.gov. j. Deadline for filing scoping comments: July 23, 2011. All documents may be filed electronically via the Internet. See 18 E:\FR\FM\31MYN1.SGM 31MYN1

Agencies

[Federal Register Volume 76, Number 104 (Tuesday, May 31, 2011)]
[Notices]
[Pages 31320-31322]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-13475]

-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC11-725B-001]

Commission Information Collection Activities (FERC-725B); Comment
Request; Submitted for OMB Review

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of section 3507 of the
Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy
Regulatory Commission (Commission or FERC) has submitted the
information collection described below to the Office of Management and
Budget (OMB) for review of the information collection requirements. Any
interested person may file comments directly with OMB and should
address a copy of those comments to the Commission as explained below.
The Commission published a Notice in the Federal Register (75 FR 65618,
10/26/2010) requesting public comments. In addition, FERC published a
notice in the Federal Register (76 FR 19333, 4/7/2011) indicating
submission to OMB of the information collection described below and
that it had not received any comments regarding the collection of
information thus far. Subsequently, FERC staff became aware of a
comment from the Transmission Agency of Northern California (TANC) that
had been submitted in a timely manner but internally was indexed
incorrectly. On May 3, 2011 the Commission issued a notice extending
the comment period \1\ (on the notice published April 7, 2011) to June
23, 2011. The Commission is revising its submission to OMB to reflect
receipt of the comment.
---------------------------------------------------------------------------

\1\ The previous comment period ending on June 23rd will be
extended to the date 30 days after publication of this revised
notice in the Federal Register as stated in the DATES section of
this notice.

DATES: Comments on the collection of information are due by June 30,
---------------------------------------------------------------------------
2011.

ADDRESSES: Address comments on the collection of information to the
Office of Management and Budget, Office of Information and Regulatory
Affairs, Attention: Federal Energy Regulatory Commission Desk Officer.
Comments to OMB should be filed electronically, c/o oira_submission@omb.eop.gov and include OMB Control Number 1902-0248 for
reference. The Desk Officer may be reached by telephone at 202-395-
4638.
A copy of the comments should also be sent to: Federal Energy
Regulatory Commission, Secretary of the Commission, 888 First Street,
NE., Washington, DC 20426. Comments may be filed either on paper or on
CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be
prepared in an acceptable filing format and in compliance with
Commission submission guidelines at https://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for
Docket No. IC11-725B-001, due to a system issue.
All comments may be viewed, printed or downloaded remotely via the
Internet through FERC's homepage using the ``eLibrary'' link. For user
assistance, contact ferconlinesupport@ferc.gov or toll-free at (866)
208-3676, or for TTY, contact (202) 502-8659.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail
at DataClearance@FERC.gov, by telephone at (202) 502-8663, and by fax
at (202) 273-0873.

SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B,
Reliability Standards for Critical Infrastructure Protection (OMB
Control No. 1902-0248), is required to implement the statutory
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C.
824o). On January 18, 2008, the Commission issued Order No. 706,
approving eight Critical Infrastructure Protection Reliability
Standards (CIP Standards) submitted by the North American Electric
Reliability Corporation (NERC) for Commission approval.\2\
---------------------------------------------------------------------------

\2\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-
007-1, CIP-008-1, and CIP-009-1.
---------------------------------------------------------------------------

The CIP Standards require certain users, owners, and operators of
the Bulk-Power System to comply with specific requirements to safeguard
critical cyber assets.\3\ These standards help protect the nation's
Bulk-Power System against potential disruptions from cyber attacks.\4\
The CIP Standards include one actual reporting requirement and several
recordkeeping requirements. Specifically, CIP-008-1 requires
responsible entities to report cyber security incidents to the
Electricity Sector-Information Sharing and Analysis Center (ES-ISAC).
In addition, the eight CIP Standards

[[Page 31321]]

require responsible entities to develop various policies, plans,
programs, and procedures.\5\
---------------------------------------------------------------------------

\3\ In addition, in accordance with section 215(d)(5) of the
FPA, the Commission proposed to direct NERC to develop modifications
to the CIP Reliability Standards to address specific concerns
identified by the Commission.
\4\ For a description of the CIP Standards, see the Critical
Infrastructure Protection Section on NERC's Web site at https://
www.nerc.com/page.php?cid=2\20.
\5\ The October notice issued in this docket contains more
information on the reporting requirements and can be found at https://elibrary.ferc.gov/idmws/File_list.asp?document_id=13857625. The
full text of the standards can be found on NERC's Web site at http:/
/www.nerc.com/page.php?cid=2[bs]20.
---------------------------------------------------------------------------

The CIP Standards do not require a responsible entity to report to
the Commission, ERO or Regional Entities, the various policies, plans,
programs and procedures. However, a showing of the documented policies,
plans, programs and procedures is required to demonstrate compliance
with the CIP Standards.
Public Comment and FERC Response: TANC stated that they believed
that the Commission did not adequately address or articulate the burden
that falls on companies in complying with the CIP Standards and in
particular, the hourly and cost burdens to comply with the
documentation required by the CIP Standards. In looking at the
commenter's submittal, FERC has decided to examine more carefully the
burden calculations. Relying on OMB guidance in interpreting the
requirements of the Paperwork Reduction Act of 1995, FERC has
determined that its initial estimate of cost burden was indeed lower
than is reasonable for the average respondent.
FERC maintains that the universe of respondents breaks down into
three main categories: (1) Entities that have identified Critical Cyber
Assets and have undergone a previous audit; (2) Entities that have not
identified Critical Cyber Assets but must show compliance with CIP-003
R1 and CIP-002 R1 through R3; and (3) New entities that have come into
compliance with the CIP Standards and undergoing their first compliance
audit. FERC's revised burden analysis is based on the average amount of
time expended annually to obtain or maintain the information necessary
in the event of a compliance audit. The fact that the average company
may experience a spike in the burden hours immediately proceeding and
during a compliance audit is accounted for in the revised estimate.
The differences between the first and third categories of
respondents is that, as an entity goes through multiple compliance
audits, their processes become streamlined and more automated, which
then becomes reflected in a lessening of their burden. Other areas that
cause the burden numbers to fluctuate deal with the size of the
company, the number of overall electric assets they have, the number of
critical assets and critical cyber assets that they identify, etc.
Therefore, the total numbers currently used by FERC to calculate cost
burden are considered the case for an average-sized company with an
average number of Critical Assets and Critical Cyber Assets. It is
expected that the actual burden experienced by respondents may be
higher or lower than the Commission estimate, based on factors listed
above.
Based on observations over several audit cycles, FERC now thinks
that the preparation of the audit paperwork for an entity undergoing
their first compliance audit (respondent category 3) is approximately
3,840 hours. This represents 20 technical personnel working 50% of
their time over 8 weeks gathering and compiling all of the required
paperwork to show compliance. In addition, a secondary period that is
20% of the primary effort is estimated to be needed to respond and
gather information generated from questions arising from the initial
submission.
Based on observations over several audit cycles, FERC now thinks
that the burden associated with ongoing compliance and preparation for
future audits (respondent category 1) is less than entities coming into
compliance for the first time (respondent category 3) as they are
familiar with the audit compliance process and presumably will have
streamlined their processes to handle the data collection effort. FERC
estimates this should result in a reduction of 50% of their effort.
This would result in a burden of approximately 1,920 hours.
Finally, for those entities that have not identified Critical Cyber
Assets but must still show compliance with CIP-003 R1 and CIP-002 R1
through R3 (respondent category 2), FERC agrees with TANC and now
estimates that these entities must expend approximately 120 hours or
the equivalent of 3 employees working 50% of their time for 2 weeks.
FERC believes this is a reasonable estimate as the majority of these
entities are small and therefore have fewer electrical assets to
examine in order to determine if they have any Critical Assets, which
is the first stage of the CIP-002 process.
FERC has also reconsidered dividing the burden hours by three to
reflect the NERC audit schedule of 3-5 years and is instead not
dividing the burden hours at all. This is due to the fact that a
company will have to be obtaining and maintaining the information
necessary for an audit on a consistent basis, and not only during an
audit that occurs every 3-5 years. Therefore, the revised burden hours
presented here represent the average annual burden hours per
respondent, including the spikes that may result during an audit.
Action: The Commission is requesting a three-year extension of the
existing collection with no changes to the requirements.
Burden Statement: The revised estimated annual burden is shown
below in accordance with the discussion above. The Commission has
developed estimates using data from NERC's compliance registry as well
as a 2009 survey that was conducted by NERC to assess the number of
entities reporting Critical Cyber Assets.

----------------------------------------------------------------------------------------------------------------
Average number Average number of
Data collection Number of of responses burden hours per Total annual
respondents \6\ per respondent response \7\ hours
(1)................. (2) (3)................ (1) x (2) x (3)
----------------------------------------------------------------------------------------------------------------
FERC-725B:
Category 1--Estimate of U.S. 345................. 1 1,920.............. 662,400
Entities that have
identified Critical Cyber
Assets.
Category 2--Estimate of U.S. 1,156............... 1 120................ 138,720
Entities that have not
identified Critical Cyber
Assets.
Category 3--New U.S. Entities 6................... 1 3,840.............. 23,040
that have to come into
compliance with the CIP
Standards \8\.

[[Page 31322]]

Entities no longer required Category 1: -2...... 1 Category 1 (2 -3,840
to comply with CIP Standards respondents):
(Two category 1 respondents 1,920.
and four category 2
respondents).
Category 2: -4...... ................ Category 2 (4 -480
respondents): 120.
------------------------------------------------------------------------------
Totals................... 1,501............... ................ ................... 819,840
----------------------------------------------------------------------------------------------------------------

The total estimated annual cost burden to respondents is:
---------------------------------------------------------------------------

\6\ The NERC Compliance Registry as of 9/28/2010 indicated that
2079 entities were registered for NERC's compliance program. Of
these, 2057 were identified as being U.S. entities. Staff concluded
that of the 2057 U.S. entities, only 1501 were registered for at
least one CIP-related function. According to an April 7, 2009, memo
to industry, NERC's VP and Chief Security Officer noted that only
31% of entities responded to an earlier survey and reported that
they had at least one Critical Asset, and only 23% reported having a
Critical Cyber Asset. Staff applied the 23% reporting to the 1501
figure to obtain an estimate. The 6 new entities listed here are
assumed to match a similar set of 6 entities that would drop out in
an existing year. Thus, the net estimate of respondents remains at
1501 per year.
\7\ Calculations:
Respondent category 3:
20 employees x (working 50%) x (40 hrs/week) x (8 weeks) = 3200
hours
20 employees x (working 20%) x (3200 hrs) = 640 hours
Total = 3840
Respondent category 2:
3 employees x (working 50%) x (40 hrs/week) x (2 weeks) = 120
hours
Respondent category 1:
50% of 3840 hours = 1920
\8\ These respondents and those in the subsequent column of the
table (with the corresponding burden and cost figures) were not
included in the 60-day public notice due to an oversight by
Commission staff.
---------------------------------------------------------------------------

Category 1, Entities that have identified Critical Assets
= 658,560 (662,400-3,840) hours @ $96 = $63,221,760
Category 2, Entities that have not identified Critical
Assets = 138,240 (138,720-480) hours @ $96 = $13,271,040
Category 3, New U.S. Entities that have to comply with CIP
Standards = 23,040 hours @ $96 = $2,211,840
Storage Costs for Entities that have identified Critical
Assets \9\ = 345 Entities @ $15.25 = $5,261
---------------------------------------------------------------------------

\9\ This cost category was not included in the 60-day public
notice due to an oversight by Commission staff.
---------------------------------------------------------------------------

Total Cost for the FERC-725B = $78,709,901

The hourly rate of $96 is the average cost of legal services ($230 per
hour), technical employees ($40 per hour) and administrative support
($18 per hour), based on hourly rates from the Bureau of Labor
Statistics (BLS) and the 2009 Billing Rates and Practices Survey
Report.\10\ The $15.25 rate for storage costs for each entity is an
estimate based on the average costs to service and store 1 GB of data
to demonstrate compliance with the CIP Standards.\11\
---------------------------------------------------------------------------

\10\ Bureau of Labor Statistics figures were obtained from
https://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing
Rates figures were obtained from https://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were
based on the national average billing rate (contracting out) from
the above report and BLS hourly earnings (in-house personnel). It is
assumed that 25% of respondents have in-house legal personnel.
\11\ Based on the aggregate cost of an IBM advanced data
protection server.
---------------------------------------------------------------------------

The reporting burden includes the total time, effort, or financial
resources expended to generate, maintain, retain, disclose, or provide
the information including: (1) Reviewing instructions; (2) developing,
acquiring, installing, and utilizing technology and systems for the
purposes of collecting, validating, verifying, processing, maintaining,
disclosing and providing information; (3) adjusting the existing ways
to comply with any previously applicable instructions and requirements;
(4) training personnel to respond to a collection of information; (5)
searching data sources; (6) completing and reviewing the collection of
information; and (7) transmitting, or otherwise disclosing the
information.
Comments are invited on: (1) Whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information will have practical
utility; (2) the accuracy of the agency's estimates of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used; (3) ways to enhance the quality,
utility and clarity of the information to be collected; and (4) ways to
minimize the burden of the collections of information on those who are
to respond, including the use of appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology, e.g. permitting electronic submission of
responses.

Dated: May 25, 2011.
Kimberly D. Bose,
Secretary.
[FR Doc. 2011-13475 Filed 5-27-11; 8:45 am]
BILLING CODE 6717-01-P

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.