Physical Security Reliability Standard, 70069-70085 [2014-27908]

Download as PDF Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations (2) ‘‘Affected landowners’’ include owners of interests, as noted in the most recent county/city tax records as receiving tax notice, in properties (including properties subject to rightsof-way and easements for facility sites, compressor stations, well sites, and all above-ground facilities, and access roads, pipe and contractor yards, and temporary work space) that will be directly affected by (i.e., used) and subject to ground disturbance as a result of activity under this section. * * * * * [FR Doc. 2014–27907 Filed 11–24–14; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM14–15–000; Order No. 802] Physical Security Reliability Standard Federal Energy Regulatory Commission, Energy. ACTION: Final rule. AGENCY: The Federal Energy Regulatory Commission (Commission) approves Reliability Standard CIP–014– 1 (Physical Security). The North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization, submitted Reliability Standard CIP– 014–1 for Commission approval in response to a Commission order issued on March 7, 2014. The purpose of Reliability Standard CIP–014–1 is to enhance physical security measures for the most critical Bulk-Power System facilities and thereby lessen the overall vulnerability of the Bulk-Power System against physical attacks. In addition, the Commission directs NERC to develop one modification to Reliability Standard CIP–014–1 and submit an informational filing. DATES: This rule is effective January 26, 2015. FOR FURTHER INFORMATION CONTACT: Regis Binder (Technical Information), Office of Electric Reliability, Division of Reliability Standards and Security, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (301) 665–1601, Regis.Binder@ferc.gov. Matthew Vlissides (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC wreier-aviles on DSK4TPTVN1PROD with RULES SUMMARY: VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 20426, Telephone: (202) 502–8408, Matthew.Vlissides@ferc.gov. SUPPLEMENTARY INFORMATION: Order No. 802 Final Rule (Issued November 20, 2014) 1. Pursuant to section 215 of the Federal Power Act (FPA), the Commission approves Reliability Standard CIP–014–1 (Physical Security).1 The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standard CIP– 014–1 for Commission approval in response to a Commission order issued on March 7, 2014.2 The purpose of Reliability Standard CIP–014–1 is to enhance physical security measures for the most critical Bulk-Power System facilities and thereby lessen the overall vulnerability of the Bulk-Power System facilities against physical attacks. In addition to approving Reliability Standard CIP–014–1, as discussed below, the Commission directs NERC to submit an informational filing and, pursuant to FPA section 215(d)(5), directs NERC to develop a modification to Reliability Standard CIP–014–1.3 I. Background A. Section 215 and Mandatory Reliability Standards 2. Section 215 of the FPA requires the Commission to certify an ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Once approved, the Reliability Standards may be enforced in the United States by the ERO, subject to Commission oversight, or by the Commission independently.4 B. March 7 Order 3. In the March 7 Order, the Commission determined that physical attacks on the Bulk-Power System could adversely impact the reliable operation of the Bulk-Power System, resulting in instability, uncontrolled separation, or cascading failures. Moreover, the Commission observed that the then current Reliability Standards did not specifically require entities to take steps to reasonably protect against physical security attacks on the Bulk-Power System. Accordingly, to carry out section 215 of the FPA and to provide 1 16 U.S.C. 824o. Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014) (March 7 Order). 3 16 U.S.C. 824o(d)(5). 4 Id. 824o(e). 2 Reliability PO 00000 Frm 00017 Fmt 4700 Sfmt 4700 70069 for the reliable operation of the BulkPower System, the Commission directed NERC, pursuant to FPA section 215(d)(5), to develop and file for approval proposed Reliability Standards that address threats and vulnerabilities to the physical security of critical facilities on the Bulk-Power System. 4. The March 7 Order indicated that the Reliability Standards should require owners or operators of the Bulk-Power System to take at least three steps to address the risks that physical security attacks pose to the reliable operation of the Bulk-Power System. Specifically, the March 7 Order directed that the Reliability Standards should require: (1) Owners or operators of the Bulk-Power System to perform a risk assessment of their systems to identify their ‘‘critical facilities’’; (2) owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities; and (3) those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security. 5. The March 7 Order stated that the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator, such as by NERC, the relevant Regional Entity, a reliability coordinator, or another entity.5 In addition, the March 7 Order indicated that the Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner’s or operator’s list of critical facilities.6 The March 7 Order further stated that the determination of threats and vulnerabilities and the security plan should be reviewed by NERC, the relevant Regional Entity, the reliability coordinator, or another entity with appropriate expertise. 6. The March 7 Order stated that, because the three steps of compliance with the contemplated Reliability Standards could contain sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the Bulk-Power System, NERC should include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed 5 March 7 Order, 146 FERC ¶ 61,166 at P 11. 6 Id. E:\FR\FM\25NOR1.SGM 25NOR1 70070 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations to ensure compliance with the Reliability Standards.7 7. The Commission directed NERC to submit the proposed Reliability Standards to the Commission for approval within 90 days of issuance of the March 7 Order (i.e., June 5, 2014). C. NERC Petition 8. On May 23, 2014, NERC petitioned the Commission to approve Reliability Standard CIP–014–1 and its associated violation risk factors and violation severity levels, implementation plan, and effective date.8 NERC maintains that the Reliability Standard is just, reasonable, not unduly discriminatory, or preferential, and in the public interest. In addition, NERC asserts that the proposed Reliability Standard complies with the Commission’s directives in the March 7 Order. 9. NERC explains that Reliability Standard CIP–014–1 ‘‘serves the vital reliability goal of enhancing physical security measures for the most critical Bulk-Power System facilities and lessening the overall vulnerability of the Bulk-Power System to physical attacks.’’ 9 NERC maintains that the ‘‘appropriate focus of the proposed Reliability Standard is Transmission stations and Transmission substations, which are uniquely essential elements of the Bulk-Power System.’’ 10 The Reliability Standard is applicable to transmission owners that satisfy the Applicability Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4, and to transmission operators. NERC states that the transmission facilities covered by Applicability Sections 4.1.1.1 through 4.1.1.4 match the ‘‘Medium Impact’’ transmission facilities listed in Attachment 1 (Impact Rating Criteria), specifically, the ‘‘Medium Impact’’ 7 Id. P 10. explains that, to meet the 90-day deadline in the March 7 Order, the NERC Standards Committee approved waivers to NERC’s Standard Processes Manual to shorten the comment and ballot periods for the Standards Authorization Request and draft Reliability Standard. NERC Petition at 13–14. Reliability Standard CIP–014–1 is not attached to this Final Rule. The complete text of Reliability Standard CIP–014–1 is available on the Commission’s eLibrary document retrieval system in Docket No. RM14–15–000 and is posted on the ERO’s Web site, available at http:// www.nerc.com. 9 NERC Petition at 15–16. 10 Id. at 18. NERC states that, although the terms ‘‘Transmission stations’’ and ‘‘Transmission substations’’ are sometimes used interchangeably, Reliability Standard CIP–014–1 uses the term ‘‘Transmission substation’’ to refer to a facility contained within a physical border (e.g., a fence or wall) that contains one or more autotransformers. Id. According to NERC, the term ‘‘Transmission station,’’ as used in Reliability Standard CIP–014– 1, refers to a facility that functions as a switching station or switchyard but does not contain autotransformers. Id. at 18–19. wreier-aviles on DSK4TPTVN1PROD with RULES 8 NERC VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 each of its respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. 14. Requirement R5 requires each transmission owner and transmission operator to develop and implement documented physical security plans that cover each of their respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. 15. Requirement R6 requires that each transmission owner and transmission operator subject to Requirements R4 and R5 have an unaffiliated third party with appropriate experience review its Requirement R4 evaluation and Requirement R5 security plan. Requirement R6 states that the transmission owner or transmission operator must either modify its evaluation and security plan consistent with the recommendation, if any, of the reviewer or document its reasons for not doing so. In addition, Requirement R6 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party reviewers or developed under the Reliability Standard from public disclosure. facilities described in Sections 2.4, 2.5, 2.6, and 2.7, of Reliability Standard CIP–002–5.1,11 According to NERC, the ‘‘standard drafting team determined that using the criteria for ‘Medium Impact’ Transmission Facilities set forth in Reliability Standard CIP–002–5.1 is an appropriate applicability threshold as the Commission has acknowledged that it is a technically sound basis for identifying Transmission Facilities, which, if compromised, would present an elevated risk to the Bulk-Power System.’’ 12 10. Reliability Standard CIP–014–1 has six requirements. Requirement R1 requires applicable transmission owners to perform risk assessments on a periodic basis to identify their transmission stations and transmission substations that, if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Requirement R1 also requires transmission owners to identify the primary control center that operationally controls each of the identified transmission stations or transmission substations. 11. Requirement R2 requires that each applicable transmission owner have an unaffiliated third party with appropriate experience verify the risk assessment performed under Requirement R1. Requirement R2 states that the transmission owner must either modify its identification of facilities consistent with the verifier’s recommendation or document the technical basis for not doing so. In addition, Requirement R2 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party verifiers or developed under the Reliability Standard from public disclosure. 12. Requirement R3 requires the transmission owner to notify a transmission operator that operationally controls a primary control center identified under Requirement R1 of such identification to ensure that the transmission operator has notice of the identification so that it may timely fulfill its obligations under Requirements R4 and R5 to protect the primary control center. 13. Requirement R4 requires each applicable transmission owner and transmission operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on 16. On July 17, 2014, the Commission issued a Notice of Proposed Rulemaking proposing to approve Reliability Standard CIP–014–1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest.13 In addition, the NOPR proposed to direct NERC to develop two modifications to the Reliability Standard. First, the NOPR proposed to direct NERC to develop a modification to allow applicable governmental authorities (i.e., the Commission and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity’s list of critical facilities under Requirement R1.14 Second, the NOPR proposed to direct NERC to modify the Reliability Standard to remove the term ‘‘widespread’’ as it appears in the phrase ‘‘widespread instability’’ in Requirement R1.15 The NOPR also proposed to direct NERC to submit two informational filings, one addressing the protection of ‘‘High Impact’’ control centers and the other addressing resiliency measures, to be submitted, respectively, within six months and one 11 Id. at 25 (citing Reliability Standard CIP–002– 5.1 (Cyber Security—BES Cyber System Categorization), Attachment 1 (Impact Rating Criteria)). 12 Id. 13 Physical Security Reliability Standard, Notice of Proposed Rulemaking, 79 FR 42,734 (July 23, 2014), 148 FERC ¶ 61,040 (2014) (NOPR). 14 Id. P 23. 15 Id. P 29. PO 00000 Frm 00018 Fmt 4700 Sfmt 4700 D. Notice of Proposed Rulemaking E:\FR\FM\25NOR1.SGM 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations wreier-aviles on DSK4TPTVN1PROD with RULES year following the effective date of a final rule in this proceeding.16 17. In response to the NOPR, the Commission received 33 sets of initial comments and six sets of reply comments. We address below the issues raised in the NOPR and comments. The Appendix to this final rule lists the entities that filed comments in response to the NOPR. II. Discussion 18. Pursuant to FPA section 215(d)(2), we approve Reliability Standard CIP– 014–1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. The Commission also approves the associated violation risk factors, violation severity levels, implementation plan, and effective date proposed by NERC (i.e., the ‘‘first day of the first calendar quarter that is six months beyond’’ the effective date of the final rule in this proceeding).17 As discussed below, the Commission determines that Reliability Standard CIP–014–1 satisfies the directives in the March 7 Order concerning the development and submittal of physical security Reliability Standards. 19. In addition to approving Reliability Standard CIP–014–1, the Commission adopts in part the NOPR proposal directing NERC to develop and submit modifications to the Reliability Standard concerning the use of the term ‘‘widespread’’ in Requirement R1. The Commission determines that the term ‘‘widespread’’ is unclear with respect to the obligations it imposes on applicable entities; how it would be implemented by applicable entities; and how it would be enforced. Accordingly, the Commission directs NERC, pursuant to FPA section 215(d)(5), to remove the term ‘‘widespread’’ from Reliability Standard CIP–014–1 or, alternatively, to propose modifications to the Reliability Standard that address the Commission’s concerns. We direct that NERC submit a responsive modification within six months from the effective date of this final rule. 20. The Commission does not adopt the NOPR proposal that would have required NERC to develop and submit modifications to Reliability Standard CIP–014–1 to allow applicable governmental authorities (i.e., the Commission and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity’s list of critical facilities under Requirement R1. We determine that the Commission’s enforcement authority 16 Id. PP 35, 57. Petition, Exhibit B (Implementation Plan) at 1. under FPA section 215(e), and particularly the use of targeted auditing following implementation of Reliability Standard CIP–014–1, will allow us to address the concerns raised in the NOPR. 21. With respect to the informational filings proposed in the NOPR, the Commission adopts the proposal to direct NERC to make an informational filing addressing whether Reliability Standard CIP–014–1 provides physical security for all ‘‘High Impact’’ control centers, as that term is defined in Reliability Standard CIP–002–5.1, necessary for the reliable operation of the Bulk-Power System. However, the Commission extends the deadline for that informational filing until two years following the effective date of Reliability Standard CIP–014–1. The Commission, at this time, does not adopt the NOPR proposal to direct NERC to make an informational filing addressing resiliency. Instead, the Commission will continue to consider ways for industry to best inform the Commission of its current and future resiliency efforts, which could take the form of reports and/or technical conferences to address specific areas of concern (e.g., spare parts, fuel security, and advanced technologies). 22. We address below the following issues raised in the NOPR and in the comments: (A) Removal of the term ‘‘widespread’’; (B) applicable governmental authorities’ ability to add or subtract facilities from an entity’s list of critical facilities; (C) informational filing on ‘‘High Impact’’ control centers; (D) informational filing on resiliency; (E) third-party verification and review; (F) exclusion of generators from the applicability section of Reliability Standard CIP–014–1; (G) confidentiality; (H) other issues raised in comments; (I) violation risk factors and violation severity levels; and (J) implementation plan and effective date. A. Removal of the Term ‘‘Widespread’’ March 7 Order 23. The March 7 Order stated that a critical facility is ‘‘one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.’’ 18 NERC Petition 24. Reliability Standard CIP–014–1 states that its purpose is to ‘‘identify and protect Transmission stations and Transmission substations, and their 17 NERC VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 18 March PO 00000 7 Order, 146 FERC ¶ 61,166 at P 6. Frm 00019 Fmt 4700 Sfmt 4700 70071 associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.’’ 19 Requirement R1 states that the ‘‘initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.’’ NOPR 25. The NOPR proposed to direct NERC to modify Reliability Standard CIP–014–1 to remove the term ‘‘widespread’’ as it appears in the phrase ‘‘widespread instability.’’ The NOPR stated that the phrase ‘‘widespread instability’’ is undefined by NERC and is inconsistent with the March 7 Order’s explanation of ‘‘critical facility’’ and the definition of ‘‘reliable operation’’ in FPA section 215(a)(4).20 26. The NOPR stated that the use of ‘‘widespread instability’’ in Requirement R1 could, depending on the meaning of ‘‘widespread,’’ narrow the scope (and number) of identified critical facilities under Reliability Standard CIP–014–1 beyond what was contemplated in the March 7 Order. The NOPR also stated that the use of the term ‘‘widespread’’ could potentially render the Reliability Standard unenforceable or lead to an inadequate level of reliability by omitting facilities that are critical to the reliable operation of the Bulk-Power System. Comments 27. NERC comments that it does not oppose the NOPR directive but that the modification should be developed through NERC’s standards development process and NERC should be allowed to propose alternative clarifying language ‘‘to ensure the proposed Reliability Standard remains focused on Interconnection impacts and not local 19 NERC Petition at 17. facility] that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.’’ March 7 Order, 146 FERC ¶ 61,166 at P 6; 16 U.S.C. 824o(a)(4) (‘‘The term ‘reliable operation’ means operating the elements of the bulk-power system within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system elements.’’). 20 ‘‘[A E:\FR\FM\25NOR1.SGM 25NOR1 70072 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations impacts.’’ 21 NERC states that the term ‘‘widespread’’ was used to focus applicable entities’ security efforts on facilities whose loss would have more than a local area impact. 28. SIA, Idaho Power, Pa PUC, SmartSenseCom, Foundation and Pepco support the NOPR proposal because they believe that the term ‘‘widespread’’ is vague or inconsistent with the definition of ‘‘reliable operation’’ in FPA section 215.22 Pepco, for example, states that the term ‘‘widespread’’ is ambiguous, will require requests for clarification or interpretation and will expose applicable entities to ‘‘secondguessing’’ from auditors. KCP&L, while it does not state that it supports the proposal, acknowledges that the term ‘‘widespread’’ is vague and that the term ‘‘introduces interpretive language that may be problematic for compliance and enforcement interpretations as well as unintentionally narrow the scope of facilities.’’ 23 29. Other commenters do not support the proposed directive largely because they contend that the proposal may have the unintended consequence of expanding the scope of Reliability Standard CIP–014–1 to include localized events that have no impact on an Interconnection.24 APS, SCE, SDG&E, and G&T Cooperatives also maintain that while the term ‘‘widespread’’ is not defined by NERC, it appears elsewhere in the Reliability Standards, including in NERC’s definition of ‘‘Cascading’’ and in the TPL Reliability Standards, and is understood by industry. Associations also state that the Commission should withdraw the NOPR proposal; however, Associations state that, in the alternative, the Commission should clarify that removal of the term ‘‘widespread’’ is not intended to bring within the scope of Reliability Standard CIP–014–1 ‘‘a substation or station unless the applicable Transmission Owner determines through technical studies and analyses that include the application of engineering judgment and practice that the loss of such facility would have a critical impact on the operation of the [bulk electric system] in the event the asset is rendered Comments at 19. SIA Comments at 2; Idaho Power Comments at 2; Pa PUC Comments at 5; Pepco Comments at 4–5; SmartSenseCom Comments at 7– 8; Foundation Reply Comments at 7. 23 KCP&L Comments at 4. 24 See APS Comments at 3; SCE Comments at 3; SDG&E Comments at 4–5; TVA Comments at 9–10; Tallahassee Comments at 1; Oncor Comments at 3– 4; Ohio PUC Comments at 4–5; BPA Comments at 3; NARUC Comments at 11; G&T Cooperatives Comments at 8–11; Southern Comments at 7–10. inoperable or damaged.’’ 25 NARUC states that the proposal will add costs without necessarily improving reliability. 30. ITC, while agreeing that the term ‘‘widespread’’ is not well-defined and would render the Reliability Standard vague, contends that the definition of critical facility in Requirement R1 should be replaced by defining as critical all physical facilities that contain ‘‘High Impact’’ or ‘‘Medium Impact’’ BES Cyber Systems as those terms are defined in Reliability Standard CIP–002–5.1. Commission Determination 31. The Commission adopts the NOPR proposal in part and directs NERC to remove the term ‘‘widespread’’ from Reliability Standard CIP–014–1 or, alternatively, to propose modifications to the Reliability Standard that address the Commission’s concerns. The differing views expressed in the comments validate the concern raised in the NOPR that the meaning of the term ‘‘widespread’’ is unclear and subject to interpretation. 32. We stated in the March 7 Order that ‘‘the Reliability Standards that we are ordering today apply only to critical facilities that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.26 We affirm the March 7 Order’s statement that ‘‘[m]ethodologies to determine these facilities should be based on objective analysis, technical expertise, and experienced judgment.’’ 27 33. However, incorporating the undefined term ‘‘widespread’’ in Reliability Standard CIP–014–1 introduces excessive uncertainty in identifying critical facilities under Requirement R1.28 As the Commission stated in the March 7 Order, only an instability that has a ‘‘critical impact on the operation of the interconnection’’ warrants finding that the facility causing the instability is critical under Requirement R1. The March 7 Order did not intend to suggest that the physical security Reliability Standards should address facilities that do not have a ‘‘critical impact on the operation of the 21 NERC wreier-aviles on DSK4TPTVN1PROD with RULES 22 See VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 25 Associations Comments at 14–15; see also APS Comments at 3–4, Southern Comments at 11. 26 March 7 Order, 146 FERC ¶ 61,166 at P 6 n.5. 27 Id. P 6. 28 See Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ¶ 61,160, at P 67 (2013), order granting clarification in part and denying rehearing, Order No. 791–A, 146 FERC ¶ 61,188 (2014) (directing removal or clarification ‘‘identify, assess and correct’’ language). PO 00000 Frm 00020 Fmt 4700 Sfmt 4700 interconnection.’’ This understanding is, we believe, unintentionally absent in Requirement R1 because the requirement only deems a facility critical when, if rendered inoperable or damaged, it could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection. The definition in Requirement R1 should not be dependent on how an applicable entity interprets the term ‘‘widespread’’ but instead should be modified to make clear that a facility that has a critical impact on the operation of an Interconnection is critical and therefore subject to Requirement R1. 34. While some commenters contend that the meaning of the term ‘‘widespread’’ is well-understood by industry, we find that there is ample evidence in the record to support the conclusion that the term is susceptible to different interpretations by applicable entities. Notably, KCP&L states that, while it was a participant in the standards drafting process for Reliability Standard CIP–014–1, it agrees that the term requires interpretation. Moreover, KCP&L and Pepco share our concern that compliance enforcement authorities may find it difficult to consistently enforce compliance with Requirement R1 without a clear understanding of the term’s meaning. 35. Accordingly, pursuant to FPA section 215(d)(5), the Commission directs NERC to develop a modification to Reliability Standard CIP–014–1 that either removes the term ‘‘widespread’’ from Requirement R1 or, in the alternative, proposes changes that address the Commission’s concerns. Further, we direct that NERC submit a responsive modification within six months from the effective date of this final rule. We recognize that certain entities commented on how NERC could modify Reliability Standard CIP–014–1 to address the Commission’s stated concerns.29 However, we conclude that it is appropriate to allow NERC to develop and propose a modification in the first instance. With respect to ITC’s more general comments regarding the scope of critical facilities in Requirement R1, we address the potential for applying the impact designations in Reliability Standard CIP–002–5.1 to Reliability Standard CIP–014–1, Requirement R1 in the section below regarding the NOPR’s proposed informational filing on ‘‘High Impact’’ control centers. 29 See, e.g., BPA Comments at 2; Ohio PUC Comments at 5; TVA Comments at 9, ITC Comments at 9. E:\FR\FM\25NOR1.SGM 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations B. Applicable Governmental Authority’s Ability To Add or Subtract Facilities From an Entity’s List of Critical Facilities March 7 Order 36. In the March 7 Order, the Commission stated that: [T]he risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator. Such verification could be performed by NERC, the relevant Regional Entity, a Reliability Coordinator, or another entity. The Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner’s or operator’s list of critical facilities. . . .30 wreier-aviles on DSK4TPTVN1PROD with RULES NERC Petition 37. Reliability Standard CIP–014–1 does not include a procedure that allows the Commission to add or subtract facilities from an applicable entity’s list of critical facilities under Requirement R1. Instead, NERC states that the Commission has the existing authority to enforce NERC Reliability Standards pursuant to FPA section 215(e)(3).31 NERC explains that a transmission owner must be able to demonstrate that its method for performing its risk assessment under Requirement R1 ‘‘was technically sound and reasonably designed to identify its critical Transmission stations and Transmission substations.’’ 32 NERC maintains that if ‘‘in the course of assessing an entity’s compliance with the proposed Reliability Standard, NERC, a Regional Entity or [the Commission] finds that the entity’s transmission analysis was patently deficient and the Requirement R2 verification process did not cure those deficiencies, they could use their enforcement authority to compel Transmission Owners to re-perform the risk assessment using assumptions designed to identify the appropriate critical facilities.’’ 33 NOPR 38. The NOPR stated that Reliability Standard CIP–014–1 does not include a procedure that allows the Commission to add or subtract facilities from an applicable entity’s list of critical facilities. The NOPR stated that if the Commission determined through an audit of an applicable entity, or through some other means, that a critical facility does not appear on the entity’s list of critical facilities, there is no provision 30 March 31 NERC 7 Order, 146 FERC ¶ 61,166 at P 11. Petition at 37. 32 Id. 33 Id. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 in Reliability Standard CIP–014–1 to allow the Commission to require its inclusion. In the NOPR, the Commission proposed to direct NERC to modify the physical security Reliability Standard to ‘‘include a procedure that would allow applicable governmental authorities, i.e., the Commission and any other appropriate federal or provincial authorities, to add or subtract facilities from an applicable entity’s list of critical facilities.’’ 34 Comments 39. NERC asserts that the Commission should not adopt the NOPR proposal. NERC maintains that the proposal is unnecessary because it duplicates existing Commission compliance monitoring and enforcement authority.35 Moreover, NERC contends that the NOPR’s concerns surrounding the use of existing compliance and enforcement methods to ensure compliance with Requirement R1 are unsubstantiated. NERC states that if the NOPR proposal is adopted, then the Commission must better justify the reasons for the directive and limit and clarify the scope and content of the proposed directive. 40. Pa PUC, Foundation, SmartSenseCom and Paschall state that they support the NOPR proposal.36 Other commenters do not oppose the proposal but maintain that it should be clarified or modified if adopted by the Commission.37 41. The majority of commenters do not support the NOPR proposal for various legal and policy reasons.38 Associations’ comments are representative of this viewpoint in that they address: (1) The statutory authority to modify critical facility lists or otherwise allow the Commission (or any other governmental authority) an operational role in the performance of a Reliability Standard; (2) how the 34 NOPR, 148 FERC ¶ 61,040 at P 23. Comments at 8 (‘‘the Commission can use its broad enforcement authority to make certain that the applicable entity re-performs the risk assessment on whatever timeline the Commission deems appropriate or face penalties or sanctions under the FPA’’). 36 Pa PUC Comments at 5; Foundation Comments at 3; SmartSenseCom Comments at 6; Paschall Comments at 2. 37 See G&T Cooperatives Comments at 3–8; ITC Comments at 12; NYPSC Comments at 5–7; Pepco Comments at 5–7; Idaho Power Comments at 1–2. 38 See Southern Comments at 2–7; Trade Associations Comments at 5–12; GridWise Comments at 3–9; Duke Comments at 3–5; NARUC Comments at 4; KCP&L Comments at 2–4; SDG&E Comments at 3–4; Oncor Comments at 2–3; Entergy Comments at 1; TAPS Comments at 3–9; APS Comments at 2–3; BPA Comments at 2; SCE Comments at 2; Ohio PUC Comments at 3–4; TVA Comments at 6–9; CEA Comments at 3–9; NU Utilities Comments at 1. 35 NERC PO 00000 Frm 00021 Fmt 4700 Sfmt 4700 70073 Commission would afford entities due process in determining whether to direct the addition or removal of facilities while still maintaining confidentiality; and (3) what constitutes ‘‘any other appropriate federal or provincial authorities’’ and the legal authority and advisability of delegating responsibility to another government entity. Like NERC, Associations contend that the Commission already possesses the compliance and enforcement authority to ensure that applicable entities comply with Requirement R1.39 Specifically, Associations state that the ‘‘Commission has sufficient existing enforcement authority under the FPA to take actions to address concerns raised in the NOPR regarding the sufficiency of decisions made to identify critical facilities under CIP–014–1 . . . includ[ing] the use of traditional enforcement authority under Section 215(e)(3), including audits and investigations, which it has used on several occasions.’’ 40 Associations also request a technical conference in two years that addresses the implementation of Reliability Standard CIP–014–1. Commission Determination 42. Based on our review of the comments, we determine not to adopt the NOPR proposal. 43. We are persuaded by commenters that the NOPR directive would present NERC, as the entity that would have to develop the proposed modification, and the Commission, which would have to approve any NERC proposal, with a number of substantial policy issues. Ultimately, we believe that the NOPR proposal would require NERC and the Commission to expend resources that could be better applied elsewhere. 44. The Commission, instead, will focus its resources on carrying out compliance and enforcement activities to ensure that critical facilities are identified under Requirement R1. In its comments, NERC indicated that NERC staff will submit to the NERC Board of Trustees a report three months following implementation of Requirements R1, R2 and R3 concerning the scope of facilities identified as 39 Associations Comments at 9; see also TAPS Comments at 5 (‘‘If the Commission finds a Registered Entity’s risk assessment study to be inadequate because it lacks a critical facility, the Registered Entity will be in violation of [Requirement] R1 of the Physical Security standard . . . [t]he Commission could then direct a specific method of compliance . . . and impose daily penalties until the Registered Entity complies. If despite the threat of penalties, the Commission were concerned about the need for timely action, it could order the Registered Entity to come into compliance within a specified reasonable timeframe.’’). 40 Associations Comments at 9. E:\FR\FM\25NOR1.SGM 25NOR1 70074 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations critical, including the number of facilities identified as critical and their defining characteristics.41 NERC also committed to sending this report to Commission staff.42 Based on the results reported by NERC, we expect Commission staff to audit a representative number of applicable entities to ensure compliance with Reliability Standard CIP–014–1. Depending on the audit findings, the Commission will determine if there is a need for any further action by the Commission including, but not limited to, directing NERC to develop modifications to Reliability Standard CIP–014–1 to provide greater specificity to the methodology for determining critical facilities. At this time, we will not direct Commission staff to convene a technical conference on implementation of Reliability Standard CIP–014–1 in two-years’ time, as requested by Associations. We may revisit that proposal at a later time. C. Informational Filing on ‘‘High Impact’’ Control Centers wreier-aviles on DSK4TPTVN1PROD with RULES March 7 Order 45. The March 7 Order stated that a ‘‘critical facility is one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.’’ 43 The March 7 Order, while not mandating that a minimum number of facilities be deemed critical under the physical security Reliability Standards, explained that the ‘‘Commission expects that critical facilities generally will include, but not be limited to, critical substations and critical control centers.’’ 44 NERC Petition 46. NERC states that Reliability Standard CIP–014–1 addresses the protection of primary control centers, which NERC defines as facilities that ‘‘operationally control[ ] a Transmission station or Transmission substation when the electronic actions from the control center can cause direct physical actions at the identified Transmission station or Transmission substation, such as opening a breaker.’’ 45 47. NERC maintains that ‘‘[c]ontrol centers that provide back-up capability and control centers that cannot 41 NERC Comment at 27–28. NERC’s postimplementation reports are further discussed below. 42 Id. at 28. 43 March 7 Order, 146 FERC ¶ 61,166 at P 6. 44 Id. P 6, n.6. 45 NERC Petition at 19. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 operationally control a critical Transmission station or Transmission substation do not present similar direct risks to Real-time operations if they are the target of a physical attack,’’ and thus they are not covered by Reliability Standard CIP–014–1.46 NERC explains that the destruction of a back-up control center would ‘‘have no direct reliability impact in Real-time as the entity can continue operation . . . from its primary control center.’’ 47 With respect to control centers that do not physically operate Bulk-Power System facilities, such as control centers operated by reliability coordinators, NERC states that, while ‘‘certain monitoring and oversight capabilities might be lost as a result of a physical attack on such control centers, the Transmission Owner or Transmission Operator that operationally controls the critical Transmission station or Transmission substation would be able to continue operating its transmission system to prevent widespread instability, uncontrolled separation, or Cascading within an Interconnection.’’ 48 48. NERC acknowledges that certain control centers categorized as ‘‘High Impact’’ or ‘‘Medium Impact’’ under Reliability Standard CIP–002–5.1 (Cyber Security—BES Cyber System Categorization) would not be covered control centers under Reliability Standard CIP–014–1.49 NERC explains that this situation: reflects the different nature of cyber security risks and physical security risks at control centers . . . [a] primary cyber security concern for control centers is the corruption of data or information and the potential for operators to take action based on corrupted data or information . . . [and] [t]his concern exists at control centers that operationally control Bulk-Power System facilities and those that do not. As such, there is no distinction in CIP–002–5.1 between these control centers . . . however, such a distinction is appropriate in the physical security context.50 49. NERC points out that Reliability Standard CIP–006–5 already requires physical security protections that are ‘‘designed to restrict physical access to locations containing High and Medium Impact Cyber Systems,’’ which include control centers and backup control centers for reliability coordinators, balancing authorities, transmission operators and generation operators irrespective of their ability to 46 Id. 47 Id. at 20. at 20–21. 49 Reliability Standard CIP–002–5.1 (Cyber Security—BES Cyber System Categorization), Attachment 1 (Impact Rating Criteria). 50 NERC Petition at 22 n.55. 48 Id. PO 00000 Frm 00022 Fmt 4700 Sfmt 4700 operationally control Bulk-Power System facilities.51 NOPR 50. The NOPR proposed to direct NERC to make an informational filing within six months of the effective date of a final rule in this proceeding indicating whether the development of Reliability Standards that provide physical security for all ‘‘High Impact’’ control centers, as that term is defined in Reliability Standard CIP–002–5.1, is necessary for the reliable operation of the Bulk-Power System. 51. The NOPR stated that primary and back-up control centers of functional entities other than transmission owners and operators identified as ‘‘High Impact’’ may warrant assessment and physical security controls under this Reliability Standard because a successful attack could prevent or impair situational awareness, especially from a wide-area perspective, or could allow attackers to distribute misleading and potentially harmful data and operating instructions that could result in instability, uncontrolled separation, or cascading failures. 52. The NOPR stated that the proposed informational filing should address whether there is a need for consistent treatment of ‘‘High Impact’’ control centers for cybersecurity and physical security purposes through the development of Reliability Standards that afford physical protection to all ‘‘High Impact’’ control centers. The NOPR also stated that the development of physical security protections for all ‘‘High Impact’’ control centers would not be without precedent because, as noted above, Reliability Standard CIP– 006–5 already requires that ‘‘High Impact’’ control centers have some physical protections, including restrictions on physical access, to protect BES Cyber Assets. However, the NOPR further stated that the security measures required by Reliability Standard CIP–006–5 may not be comparable to those required by Reliability Standard CIP–014–1, and thus may not be sufficient to ‘‘deter, detect, delay, assess, communicate, and respond to potential threats and vulnerabilities’’ as required in Requirement R5 of Reliability Standard CIP–014–1. Further, the NOPR stated that Reliability Standard CIP–006–5 does not require an ‘‘unaffiliated third party review’’ of the evaluation and security plan required by Reliability Standard CIP–014–1. 51 Id. E:\FR\FM\25NOR1.SGM at 21. 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations wreier-aviles on DSK4TPTVN1PROD with RULES Comments 53. NERC states that it does not oppose submitting an informational filing to address whether ‘‘High Impact’’ control centers warrant assessment and physical security controls under Reliability Standard CIP–014–1. However, NERC requests that the Commission modify the NOPR proposal to give NERC at least 12 months from the effective date of a final rule in this proceeding to submit the informational filing. 54. Other commenters, while not necessarily agreeing that all ‘‘High Impact’’ control centers should be subject to Reliability Standard CIP–014– 1, support the NOPR proposal for various reasons.52 Associations state that the informational filing ‘‘will provide a more granular mapping of the strategic considerations embedded in the CIP standards . . . as well as consideration of the issues relating to control centers not covered by CIP–014– 1.’’ 53 MISO and SDG&E state that the informational filing could be a useful way for identifying areas of possible improvement in the future. Some commenters, including Associations, recommend that the Commission direct NERC to submit the informational filing as critical energy infrastructure information (CEII). 55. ITC supports the proposed informational filing but states that the Commission should widen the scope of the informational filing to assess the benefits of extending Reliability Standard CIP–014–1 to all ‘‘High Impact’’ and ‘‘Medium Impact’’ BES Cyber Assets. ITC states that the definition of ‘‘critical’’ assets is insufficiently comprehensive because it fails to provide physical security for facilities that contain crucial Cyber Assets. ITC further states that identifying critical facilities under Requirement R1 is unnecessary because applicable entities already have a list of facilities containing ‘‘High Impact’’ and ‘‘Medium Impact’’ Cyber Assets, which could also serve as the list of critical facilities for the purposes of Reliability Standard CIP–014–1. SIA agrees that Requirement R1 should be modified to include all ‘‘High Impact’’ control centers. 56. Commenters opposed to the NOPR proposal contend that the informational filing is unnecessary or would be 52 See Associations Comments at 16; KCP&L Comments at 4; Foundation Comments at 7; SDG&E Comments at 5; Pa PUC Comments at 6; SCE Comments at 4; MISO Comments at 6–7. 53 Associations Comments at 16. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 burdensome.54 Trade Associations state that Reliability Standard CIP–014–1 correctly focuses on the protection of primary control centers that operationally control transmission stations or substations identified under Requirement R1. Idaho Power states that Reliability Standard CIP–006–5 contains enough physical access controls to meet the expectations of ‘‘deter, detect, delay, assess, communicate, and respond’’ because there are extensive monitoring and alerting requirements that must be applied to all ‘‘High Impact’’ control centers. Reclamation states that Reliability Standard CIP–014–1 will capture all ‘‘High Impact’’ control centers as currently drafted. Pepco states that an informational filing would divert resources from implementation and compliance with Reliability Standard CIP–014–1. Commission Determination 57. The Commission adopts the NOPR proposal and directs NERC to submit an informational filing that addresses whether there is a need for consistent treatment of ‘‘High Impact’’ control centers for cybersecurity and physical security purposes through the development of Reliability Standards that afford physical protection to all ‘‘High Impact’’ control centers. The Commission, however, modifies the NOPR proposal and extends the due date for the informational filing to two years following the effective date of Reliability Standard CIP–014–1. 58. While we approve Reliability Standard CIP–014–1 in this final rule, including the Reliability Standard’s treatment of control centers, the Commission, for the reasons set forth in the NOPR, finds that NERC should assess whether all ‘‘High Impact’’ control centers should be protected under Reliability Standard CIP–014–1.55 We recognize that NERC and applicable entities will be in a better position to provide this assessment after implementation of Reliability Standard CIP–014–1 and Reliability Standard CIP–006–5, the latter of which provides some physical protection to ‘‘High Impact’’ control centers. Accordingly, the Commission directs NERC to submit the informational filing two years following the effective date of Reliability Standard CIP–014–1. The Commission, while not directing NERC to submit the informational filing as CEII, recognizes the concerns raised by commenters regarding confidentiality. The Commission expects NERC to 54 Trade Associations Comments at 12; Pepco Comments at 7. 55 See NOPR, 148 FERC ¶ 61,040 at PP 35–39. PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 70075 prepare the informational filing and submit it in such a way as to protect any critical information from public disclosure. 59. At this time, the Commission will not direct NERC to address in the informational filing whether all ‘‘High Impact’’ and ‘‘Medium Impact’’ BES Cyber Assets should be considered critical for the purposes of Reliability Standard CIP–014, Requirement R1. We are sympathetic to several points raised in ITC’s comments, which echo some of the statements in the NOPR. However, as stated in the NOPR, the basis for directing an informational filing regarding control centers is found in the March 7 Order, where the Commission stated that it ‘‘expects that critical facilities generally will include, but not be limited to, critical substations and critical control centers.’’ 56 While NERC explained why not all ‘‘High Impact’’ control centers may be critical for the purposes of Reliability Standard CIP– 014–1, we conclude that this issue requires close attention and should be addressed in the informational filing. The broader concerns raised by ITC regarding the scope of Requirement R1 can be evaluated by NERC and industry as part of the implementation process. As we noted above, the Commission will devote resources to compliance with and enforcement of Reliability Standard CIP–014–1 to ensure that all critical facilities are identified pursuant to Requirement R1. Should the Commission find through these efforts, or through the post-implementation reports and informational filing that NERC will submit, that Requirement R1 as currently written is not capturing all critical facilities, then the Commission will act upon that information. D. Informational Filing on Resiliency March 7 Order 60. In the March 7 Order, the Commission stated that the development of physical security Reliability Standards ‘‘will help provide for the resiliency and reliable operation of the Bulk-Power System. To that end, the proposed Reliability Standards should allow owners or operators to consider resiliency of the grid in the risk assessment when identifying critical facilities, and the elements that make up those facilities, such as transformers that typically require significant time to repair or replace. As part of this process, owners or operators may consider elements of resiliency such as how the system is designed, operated, and 56 NOPR, 148 FERC ¶ 61,040 at P 44 (quoting March 7 Order, 146 FERC ¶ 61,166 at P 6 n.6). E:\FR\FM\25NOR1.SGM 25NOR1 70076 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations maintained, and the sophistication of recovery plans and inventory management.’’ 57 wreier-aviles on DSK4TPTVN1PROD with RULES NERC Petition 61. Reliability Standard CIP–014–1 mentions resiliency in Requirement R5, stating in Requirement R5.1 that the physical security plans that entities develop shall include, among other attributes: ‘‘Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.’’ The NERC petition describes Requirement R5.1, with regard to resiliency, as referring to ‘‘steps an entity may take that, while not specifically targeted as hardening the physical security of the site, help to decrease the potential adverse impact of a physical attack . . . including modifications to system topology or the construction of a new Transmission station . . . that would lessen the criticality of the facility.’’ 58 NOPR 62. The NOPR stated that the NERC petition describes resiliency measures that could be included in the required physical security plans. The NOPR also stated, however, that specific resiliency measures are not required by Reliability Standard CIP–014–1, which is consistent with the March 7 Order. Instead, the NOPR noted that Reliability Standard CIP–014–1 allows the security plans to be flexible in order to meet different threats and protect varying Bulk-Power System configurations. 63. The NOPR stated that resiliency is as, or even more, important than physical security given that physical security cannot protect against all possible attacks. The NOPR also stated that, in the case of the loss of a substation, the Bulk-Power System may depend on resiliency to minimize the impact of the loss of facilities and restore blacked-out portions of the BulkPower System as quickly as possible. The NOPR further stated that some entities may implement resiliency measures rather than security measures, such as by adding facilities or operating procedures that reduce or eliminate the importance of existing critical facilities, which could significantly improve reliability and resiliency. 64. The NOPR stated that the NERC petition indicated that the NERC Board of Trustees expects NERC management to monitor and assess the 57 March 58 NERC 7 Order, 146 FERC ¶ 61,166 at P 7. Petition at 42. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 implementation of Reliability Standard CIP–014–1 on an ongoing basis, which would include: The number of assets identified as critical under the Reliability Standard; the defining characteristics of the assets identified as critical; the scope of security plans (i.e., the types of security and resiliency measures contemplated under the various security plans); the timelines included in the security plan for implementing the security and resiliency measures; and industry progress in implementing the Reliability Standard. The NOPR also stated that NERC explained that this information could be used to provide regular updates to Commission staff.59 The NOPR proposed to rely on NERC’s ongoing assessment of Reliability Standard CIP–014–1’s implementation and to require NERC to make such information available to Commission staff upon request. 65. In addition, the NOPR proposed to direct NERC to submit an informational filing that addresses the resiliency of the Bulk-Power System when confronted with the loss of critical facilities. The NOPR stated that the informational filing should explore what steps can be taken, in addition to those required by Reliability Standard CIP–014–1, to maintain the reliable operation of the Bulk-Power System when faced with the loss or degradation of critical facilities. The NOPR proposed to direct NERC to submit the informational filing within one year after the effective date of the final rule in this proceeding.60 Comments 66. NERC requests that the Commission not direct it to submit an informational filing on resiliency. NERC contends that an informational filing on resiliency would divert resources from NERC’s oversight of the implementation of Reliability Standard CIP–014–1 and NERC’s efforts to assess the Reliability Standard’s effectiveness. NERC states that it will monitor and assess implementation of Reliability Standard CIP–014–1, as described in NERC’s petition, and will prepare two initial reports for the NERC Board of Trustees, 59 NOPR, 148 FERC ¶ 61,040 at P 56. issued a report on severe impact resilience in 2012. See NERC, Severe Impact Resilience: Considerations and Recommendations (May 2012), available at http://www.nerc.com/ comm/OC/SIRTF%20Related%20Files%20DL/ SIRTF_Final_May_9_2012-Board_Accepted.pdf. The NOPR stated that the proposed informational filing could draw on the report but should also reflect subsequent work and development on this topic, particularly including supply chain, transporting and other logistical issues for equipment such as large transformers. NOPR, 148 FERC ¶ 61,040 at P 57. 60 NERC PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 the first report being submitted three months following implementation of Requirements R1, R2 and R3 and the second report being submitted three months after implementation of Requirements R4, R5 and R6. With respect to the second report, NERC states that ‘‘[g]iven the NOPR’s discussion of resiliency, this report will pay particular attention to the resiliency measures included in entities’ security plans.’’ 61 NERC further states that it commits to provide both reports to Commission staff. 67. Pepco does not support the proposed informational filing because of the burden Pepco contends it would impose on NERC and registered entities, including diverting resources from the implementation of Reliability Standard CIP–014–1. Pepco asserts that resiliency is already addressed in Reliability Standard CIP–014–1. 68. SDG&E, MISO and Idaho Power support directing NERC to submit the proposed informational filing on resiliency as a way of determining next steps for enhancing the reliability of the Bulk-Power System.62 69. Other commenters, including Associations, while generally agreeing that the issue of resiliency needs to be considered, recommend that the Commission convene a technical conference rather than require NERC to submit an informational filing because, they maintain, a technical conference would be more effective.63 Commission Determination 70. The Commission determines not to adopt the NOPR proposal requiring NERC to submit an informational filing concerning resiliency of the Bulk-Power System. While commenters expressed differing views on whether an informational filing is needed, the comments recognized the importance of Bulk-Power System resiliency. In addition, NERC committed to providing the Commission with two reports following implementation of Reliability Standard CIP–014–1, which, NERC indicates, will address the issue of resiliency. 71. Rather than require NERC to submit an informational filing at this time, the Commission will review the NERC reports and will consider ways for industry to best inform the Commission of its current and future 61 NERC Comments at 28. SDG&E Comments at 5; MISO Comments at 6–7; Idaho Power Comments at 4; see also Paschall Comments at 2. 63 See Associations Comments at 17; KCP&L Comments at 6–7; SCE Comments at 4; Trade Associations Comments at 13–14; GridWise Comments at 3. 62 See E:\FR\FM\25NOR1.SGM 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations resiliency efforts, which could take the form of reports and/or technical conferences to address specific areas of concern (e.g., spare parts, fuel security, and advanced technologies). E. Third-Party Verification and Review March 7 Order NOPR 72. In the March 7 Order, the Commission stated that ‘‘the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator . . . [and] [s]imilarly, the determination of threats and vulnerabilities and the security plan should also be reviewed by NERC, the relevant Regional Entity, the Reliability Coordinator, or another entity with appropriate expertise.’’ 64 wreier-aviles on DSK4TPTVN1PROD with RULES NERC Petition 73. Requirement R2 of Reliability Standard CIP–014–1 requires transmission owners to have their risk assessments verified by an unaffiliated third party. Requirement R6, likewise, requires each transmission owner and transmission operator to have their vulnerability and threat assessment(s) along with their security plan(s) for any critical facilities reviewed by an unaffiliated third party. 74. Regarding how an applicable entity is supposed to address any recommendations by a third-party verifier, Reliability Standard CIP–014–1, in Requirement R2.3, states that the transmission owner must either (a) ‘‘modify its identification . . . consistent with the recommendation’’ or (b) ‘‘document the technical basis for not modifying the identification in accordance with the recommendation.’’ Similarly, Requirement R6.3 sets forth the procedure for considering any recommendations from the reviewing entity as to the threat assessments and security plans: The applicable entity must either (a) ‘‘modify its evaluation or security plan(s) consistent with the recommendation’’ or (b) ‘‘document the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation.’’ 75. NERC states that ‘‘[r]equiring documentation of the technical basis for not modifying the identification in accordance with the recommendation will help ensure that a Transmission Owner meaningfully considers the verifier’s recommendations and follows those recommendations unless it can technically justify its reasons for not doing so. To comply with Part 2.3, the technical justification must be sound 64 March 7 Order, 146 FERC ¶ 61,166 at P 11. VerDate Sep<11>2014 14:24 Nov 24, 2014 and based on acceptable approaches to conducting transmission analyses.’’ 65 The NERC petition contains a similar explanation for the third-party review (Requirement R6) of the threat assessments and security plans mandated in Requirements R4 and R5.66 Jkt 235001 76. The NOPR proposed to approve the third-party verification and review method proposed by NERC in Requirements R2 and R6. The NOPR stated that failure to provide a written, technically justifiable reason for rejecting a third-party recommendation would render the applicable entity noncompliant. With that understanding, the NOPR proposed to approve NERC’s proposed third-party verification and review in Requirements R2 and R6 of Reliability Standard CIP–014–1 as an equally efficient and effective alternative to the directive in the March 7 Order. Comments 77. NERC states that it supports the NOPR proposal. NERC states that thirdparty verification and review will provide another layer of expertise and independence to the identification of critical assets, the evaluation of threats and vulnerabilities, and the development of effective security plans. NERC reiterates that an applicable entity’s failure to provide a reasonable, written explanation for declining to follow a third-party recommendation would constitute non-compliance. 78. MISO, Reclamation, KCP&L, ITC, and G&T Cooperatives support the NOPR proposal but each suggest modifications or request clarification of Reliability Standard CIP–014–1.67 79. MISO states that entities like itself, that are both reliability coordinators and planning coordinators, may be subject to substantial, simultaneous demands by many transmission owners for concurrent verification of risk assessments. MISO notes that Requirement R2.2 requires applicable entities to have their risk assessment verified within 90 days of completion of the risk assessment. MISO states that firm adherence to the 90-day deadline could undermine the protections in Reliability Standard CIP– 014–1 by requiring verifying entities (e.g., MISO) to conduct hurried or shorter-than-optimal assessments. Accordingly, MISO seeks clarification that NERC has the discretion to extend 65 NERC Petition at 36. at 50. 67 See also Paschall Comments at 2; Foundation Comments at 7. the implementation deadline, especially with respect to the 90-day verification deadline in Requirement R2.2. Likewise, G&T Cooperatives, NIPSCO and KCP&L state that there should be flexibility regarding the 90-day deadline because of the limited pool of qualified thirdparty verifiers. 80. Reclamation states that transmission owners should have discretion to make decisions regarding third-party recommendations based on cost and risk analyses. Reclamation also states that Requirement 2.1 should be modified to require that third-party verifications be conducted by a transmission owner’s planning coordinator or transmission planner. If the transmission owner is also the planning coordinator and transmission planner, then Reclamation states that the verification should be conducted by the reliability coordinator. 81. KCP&L states that NERC should develop a pre-approved list of qualified third-party contractors or require third parties to register with NERC. KCP&L also seeks clarification that an independent system operator (ISO) or regional transmission operator (RTO) concurrent with its role as reliability coordinator could provide third-party review services. KCP&L states that it does not oppose having an RTO that is also a reliability coordinator or planning coordinator serve as a third-party reviewer but would not support a mandate requiring a specific third-party reviewer. KCP&L also seeks clarification of the meaning of the phrase ‘‘unaffiliated third-party.’’ 82. ITC states that the Commission should ‘‘confirm that the verification of a responsible entity’s risk assessment, threat assessment, and security plan, as specified in Requirements R2 and R6, constitutes full compliance by that responsible entity with respect to the risk assessment and security plan.’’ 68 83. NIPSCO, TVA and Idaho Power do not support the NOPR proposal. NIPSCO contends that third-party verification is ‘‘inconsistent with the approach to entity self-assessment applied in other Reliability Standards’’ and notes that the Version 5 CIP Reliability Standards do not include a provision for third-party review.69 NIPSCO also contends that the use of third parties could raise confidentiality concerns. Idaho Power maintains that the proposal should not be adopted because it does not require third parties to include a written or technical justification with their recommendations. Idaho Power also 66 Id. PO 00000 Frm 00025 Fmt 4700 Sfmt 4700 70077 68 ITC Comments at 10. Comments at 2. 69 NIPSCO E:\FR\FM\25NOR1.SGM 25NOR1 70078 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations states that ‘‘if a third-party verification and review process is incorporated in to the Standard, it should clearly describe the specific methodology and performance criteria to be applied.’’ 70 TVA states that FPA section 215 does not contemplate the use of third-party verifiers and reviewers acting in an enforcement role. TVA also contends that Reliability Standard CIP–014–1 does not contain any qualification criteria that third-party verifiers and reviewers must meet. TVA further states that using third-party verifiers and reviewers could compromise the confidentiality of critical information. Commission Determination 84. We adopt the NOPR proposal and approve the third-party verification and review provisions found in Requirements R2 and R6 of Reliability Standard CIP–014–1. These provisions, as stated by NERC, provide an important, independent layer of expertise in the identification, assessment and protection of critical facilities. 85. We disagree with the arguments raised in the comments submitted by NIPSCO, TVA and Idaho Power. The use of third-party verification and review in Reliability Standard CIP–014– 1 is not inconsistent with other Commission-approved Reliability Standards merely because third-party review is not used in other Reliability Standards. NIPSCO is correct that the Version 5 CIP Reliability Standards do not include third-party review provisions. However, as NIPSCO acknowledges, the Version 5 CIP Reliability Standards contain bright-line criteria that guide the determinations made by applicable entities in identifying BES Cyber Assets.71 By contrast, Reliability Standard CIP–014– 1 contains no such criteria and instead requires applicable entities to develop their own analysis. In addition, the threat evaluation in Requirement R4 and security plan in Requirement R6 involve areas of expertise that applicable entities in the electric industry may not possess and thus would strongly benefit from the experience of qualified third parties. 70 Idaho Power Comments at 3–4. also note that in Order No. 706, the Commission directed NERC to develop an external review procedure for the identification of critical assets by responsible entities. See Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, at PP 322–329, order on reh’g, Order No. 706–A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706–B, 126 FERC ¶ 61,229 (2009), order on clarification, Order No. 706–C, 127 FERC ¶ 61,273 (2009). wreier-aviles on DSK4TPTVN1PROD with RULES 71 We VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 86. Similarly, we disagree with TVA that the use of third-party verifiers and reviewers is inconsistent with FPA section 215. As discussed above, we reject TVA’s view that third-party verifiers and reviewers will be acting in an enforcement capacity. These third parties will have no authority to determine whether an applicable entity has violated a requirement of Reliability Standard CIP–014–1, require compliance, or issue penalties. Moreover, as stated in the NOPR, an applicable entity in some cases could be found to be in violation of a requirement even if the applicable entity’s actions were verified by a third party.72 We also determine that the requirements in Reliability Standard CIP–014–1 (i.e., Requirements R2.1 and R6.1) establishing the qualifications for thirdparty verifiers and reviewers are sufficient. As discussed below, as Reliability Standard CIP–014–1 is implemented, we are satisfied that NERC and Regional Entities will provide additional assistance to applicable entities to identify qualified third-party verifiers and reviewers if the need arises. We are also satisfied that Requirements R2.4 and R6.4 provide adequate protection against the disclosure of sensitive or confidential information. 87. In response to Idaho Power’s concern, we expect that third-party verifiers and reviewers will articulate a reasonable basis for their recommendations. The absence of such a basis for a recommendation could justify an applicable entity’s decision to decline to adopt the recommendation. We also see no reason to include in Reliability Standard CIP–014–1 ‘‘specific methodology and performance criteria’’ for third-party verification and review beyond what is already contained in the requirements and compliance measures recited in the Reliability Standard. 88. With respect to the other comments, there is no evidence in the record to support the conclusion that an insufficient number of qualified thirdparty verifiers and reviewers exists such that applicable entities will be unable to meet the 90-day deadline in Requirements R2 and R6. To the extent an applicable entity requires additional time to comply, that situation should be addressed on a case-by-case basis.73 Reclamation has not explained why 72 NOPR, 148 FERC ¶ 61,040 at P 23. similar reasons, we reject Entergy’s suggestion that Reliability Standard CIP–014–1 include language providing for flexibility concerning delays in compliance with deadlines contained in the Reliability Standard due to acts of nature. See Entergy Comments at 1. 73 For PO 00000 Frm 00026 Fmt 4700 Sfmt 4700 Requirement R2.1 should be modified to require that a transmission owner use its planning coordinator or transmission planner as a verifier, and thus we reject that proposal. In addition, addressing Reclamation’s second point, while risk and cost could be aspects of an applicable entity’s technical justification for declining to follow a third-party recommendation, ultimately there must be a sufficient objective basis in the justification document from which to determine that the applicable entity acted reasonably in declining to follow the recommendation. 89. With respect to KCP&L’s comments, there may be value in NERC developing a list of qualified third-party verifiers and reviewers or otherwise requiring some form of registration process for third-party verifiers and reviewers. The Commission, however, will not direct NERC to do so at this time. We expect that NERC could, as Reliability Standard CIP–014–1 is implemented, pursue or, if necessary, propose such an effort if warranted. Indeed, Reliability Standard CIP–014–1 appears to contemplate such a role for NERC by indicating in Requirement R6.1 that an entity is qualified to serve as a reviewer if ‘‘approved by the ERO.’’ In addition, we see no reason why an ISO or RTO could not serve as a thirdparty verifier or reviewer provided it satisfies the qualifications stated in Requirements R2.1 and R6.1. We also conclude that the term ‘‘unaffiliated third party’’ is sufficiently clear. As NERC stated in its petition, ‘‘the term ‘unaffiliated’ means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying entity cannot be an entity that corporately controls, is controlled by or is under common control with, the Transmission Owner). The verifying entity also cannot be a division of the Transmission Owner that operates as a functional unit.’’ 74 KCP&L does not indicate what, in this explanation, is ambiguous or requires clarification. 90. With respect to ITC’s comment, third-party verification under Requirement R2 adds an important layer of expertise and independence in the identification of critical facilities. However, verification under Requirement R2 is not intended to and, indeed, cannot cure an applicable entity’s failure to comply with Requirement R1 if it is determined by the compliance enforcement authority that the applicable entity failed to do so, a situation that ITC concedes could 74 NERC E:\FR\FM\25NOR1.SGM Petition at 34–35. 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations happen.75 We anticipate that a properly verified critical facility list will normally result in compliance with Requirement R1, but the Commission cannot foreclose the possibility that that may not be the case.76 generation connected to applicable Transmission stations or Transmission substations. Additionally, the [March 7] order does not explicitly mention generation assets and is reasonably understood to focus on the most critical Transmission Facilities.79 F. Generators 93. NERC explains that generator owners and generator operators were not included in the applicability section because, ‘‘while the loss of a generator facility due to a physical attack may have local reliability effects, the loss of the facility is unlikely to have the widespread, uncontrollable impact’’ contemplated for loss of a critical facility in the March 7 Order.80 NERC maintains that a ‘‘generation facility does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.’’ 81 March 7 Order 91. The March 7 Order did not direct NERC to make the physical security Reliability Standards applicable to specific functional entity types. The March 7 Order stated that ‘‘some of the requirements imposed by these newly proposed Reliability Standards may best be performed by the owner and other activity may best be performed by the operator,’’ and that NERC should clearly indicate which entity is responsible for each requirement.77 With regard to the applicable types of facilities, the Commission stated that it ‘‘is not requiring NERC to adopt a specific type of risk assessment, nor is the Commission requiring that a mandatory number of facilities be identified as critical facilities under the Reliability Standards.’’ 78 NERC Petition 92. In explaining why the Reliability Standard does not include generator owners and generator operators as applicable entities, the standard drafting team found that: wreier-aviles on DSK4TPTVN1PROD with RULES it was not necessary to include Generator Operators and Generator Owners in the Reliability Standard. First, Transmission stations or Transmission substations interconnecting generation facilities are considered when determining applicability. Transmission Owners will consider those Transmission stations and Transmission substations that include a Transmission station on the high side of the Generator Step-up transformer (GSU) using Applicability Section 4.1.1.1 and 4.1.1.2 . . . Second, the transmission analysis or analyses conducted under Requirement R1 should take into account the impact of the loss of 75 ITC Comments at 9 (‘‘ITC further doesn’t disagree that, in extremely dire circumstances, a risk assessment which has been verified by a thirdparty may nonetheless be so deficient (and the third-party review be similarly inadequate) that it could be considered non-compliant.’’); see also NERC Petition at 37 (‘‘If, in the course of assessing an entity’s compliance with the proposed Reliability Standard, NERC, a Regional Entity, or FERC finds that the entity’s transmission analysis was patently deficient and that the Requirement R2 verification process did not cure those deficiencies, they could use their enforcement authority to compel Transmission Owners to re-perform the risk assessment using assumptions designed to identify the appropriate critical facilities.’’). 76 See Order No. 706, 122 FERC ¶ 61,040 at P 320 (denying ‘‘safe harbor’’ for good faith compliance with CIP Reliability Standards). 77 March 7 Order, 146 FERC ¶ 61,166 at P 6, n.4. 78 Id. P 6. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 NOPR 94. The NOPR proposed to approve the applicability section of the Reliability Standard CIP–014–1 without the inclusion of generator owners and generator operators. The NOPR stated that omitting generator owners and generator operators from the applicability section is consistent with the March 7 Order. The NOPR affirmed the statement in the March 7 Order that the ‘‘number of facilities identified as critical will be relatively small compared to the number of facilities that comprise the Bulk-Power System.’’ 82 The NOPR proposed to accept NERC’s justification for excluding generator owners and operators because it is in keeping with the March 7 Order’s focus on protecting the most critical facilities. The NOPR stated that, according to NERC, a generation facility ‘‘does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of 79 NERC Petition, Exhibit A (Proposed Reliability Standard) at 23. The standard drafting team provided the following example: ‘‘a Transmission station or Transmission substation identified as a Transmission Owner facility that interconnects generation will be subject to the Requirement R1 risk assessment if it operates at 500 kV or greater or if it is connected at 200 kV–499 kV to three or more other Transmission stations or Transmission substations and has an ‘aggregate weighted value’ exceeding 3000 according to the table in Applicability Section 4.1.1.2.’’ Id. at 23. 80 NERC Petition at 22. 81 Id. 82 NOPR, 148 FERC ¶ 61,040 at P 44 (quoting March 7 Order, 146 FERC ¶ 61,166 at P 12). PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 70079 other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.’’ 83 The NOPR also noted that Requirement R1 mandates a transmission analysis that accounts for transmission owner- or transmission operator-owned substations that connect generating stations to the Bulk-Power System with step-up transformers. 95. While proposing to accept the applicability section of the proposed Reliability Standard, the NOPR stated that NERC’s proposed omission of generator owners and generator operators could potentially exempt substations owned or operated by generators. The NOPR sought comment on the potential reliability impact of excluding generator owned or operated substations. Comments 96. NERC states that it supports the NOPR proposal to approve the applicability criteria in Reliability Standard CIP–014–1 without the inclusion of generator owners and generator operators. NERC, reiterating the justification in the NERC petition, states that the loss of a generation facility is unlikely to result in critical impacts on the Bulk-Power System. 97. Associations, Trade Associations, Reclamation, G&T Cooperatives, KCP&L, Idaho Power, and APS also support the NOPR proposal.84 Associations’ comments are representative of the comments supportive of the NOPR proposal in that Associations state that generation facilities will be considered in Reliability Standard CIP–014–1, even without generator owners and generator operators included in the applicability criteria, because all generators interconnected to applicable transmission stations or substations will be in included in the transmission analysis under applicability sections 4.1.1.1 and 4.1.1.2. 98. Paschall states, without elaboration, that generation facilities should be included within the scope of Reliability Standard CIP–014–1. Foundation comments that it supports Reliability Standard CIP–014–1, as modified in the NOPR, and also advocates for the inclusion of certain generation facilities in a second stage physical security Reliability Standard (discussed in Section H below). 83 NOPR, 148 FERC ¶ 61,040 at P 45 (quoting NERC Petition at 22). 84 Associations Comments at 16–17; Trade Associations Comments at 12–13; Reclamation Comments at 1; G&T Cooperatives Comments at 13– 14; KCP&L Comments at 5; Idaho Power Comments at 3; APS Comments at 4–5. E:\FR\FM\25NOR1.SGM 25NOR1 70080 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations Commission Determination 99. We adopt the NOPR proposal and approve the applicability criteria in Reliability Standard CIP–014–1 without the inclusion of generator owners and generator operators. As the Commission stated in the NOPR, we agree with NERC that a generation facility ‘‘does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.’’ 100. Paschall provides a conclusory statement that generation facilities should be included in Reliability Standard CIP–014–1, but does not provide a rationale for this position. Thus, we find Paschall’s comments unpersuasive. G. Confidentiality March 7 Order 101. The March 7 Order stated that: All three steps of compliance with the Reliability Standard described above could contain sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the BulkPower System. Guarding sensitive or confidential information is essential to protecting the public by discouraging attacks on critical infrastructure. Therefore, NERC should include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.85 wreier-aviles on DSK4TPTVN1PROD with RULES NERC Petition 102. Reliability Standard CIP–014–1 includes two requirements addressing the concerns over confidentiality. Requirements R2.2 and R6.4, which are substantially the same, state that ‘‘[e]ach Transmission Owner shall implement procedures, such as the use of nondisclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party [verifier or reviewer] and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.’’ Comments 103. Associations, GridWise, Duke, Seattle, ITC, and Trade Associations state that the Commission should explicitly address the issue of 85 March 7 Order, 146 FERC ¶ 61,166 at P 10. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 confidentiality in the final rule. Associations state that the Commission should state that any data produced or collected by an RTO in accordance with a requirement of Reliability Standard CIP–014–1 are protected and should not be made available to a market monitor pursuant to a RTO tariff or market monitor agreement. Associations state that, at a minimum, a market monitor should have to make a filing with the Commission explaining the need for such information and indicating how the market monitor would protect such information from disclosure. GridWise and ITC state that they share Associations’ concerns regarding confidentiality. 104. Trade Associations and Seattle comment that the final rule should contain an explicit statement that Reliability Standard CIP–014–1 is intended to preempt any state or local public disclosure laws. SWTDUG’s reply comments question the Commission’s legal authority to preempt state or local public disclosure laws, as suggested by Trade Associations and Seattle, without further Congressional action. 105. Duke comments that the Commission should take all necessary steps to protect the confidential information related to the activities of applicable entities, the Commission, NERC and Regional Entities in performance of their obligations under Reliability Standard CIP–014–1. Duke states that, pursuant to the Commission’s regulations, the ‘‘disposition of each violation or alleged violation that relates to a Cybersecurity Incident or that would jeopardize the security of the Bulk-Power System if publicly disclosed shall be nonpublic unless the Commission directs otherwise.’’ 86 Duke recommends interpreting this provision to include violations of Reliability Standard CIP– 014–1 or to revise the regulation to do so. Duke also maintains that: (1) The risk assessment required under Requirement R1; (2) the third-party verification performed under Requirement R2; (3) the notification provided to transmission operators under Requirement R3; (4) the evaluation of threats and vulnerabilities performed under Requirement R4; (5) the development of physical security plans performed under Requirement R5; and (6) the third-party review performed under Requirement R6 all qualify as CEII. In addition, Duke states that this information is also exempt from the Freedom of Information Act under the (b)(4) exemption for ‘‘trade secrets and 86 18 PO 00000 CFR 39.7(b)(4). Frm 00028 Fmt 4700 Sfmt 4700 commercial or financial information obtained from a person and privileged or confidential.’’ Commission Determination 106. In the March 7 Order, the Commission recognized that compliance with the contemplated physical security Reliability Standards would likely require the development or sharing of confidential or sensitive material that, if disclosed to the public, could jeopardize the reliable operation of the Bulk-Power System. As a result, the Commission directed NERC to include adequate procedures in the Reliability Standards to prevent the dissemination of confidential or sensitive information. 107. We find that NERC has included sufficient safeguards in Reliability Standard CIP–014–1 to ensure that confidential or sensitive information produced in compliance with the Reliability Standard will not be publicly disclosed. Reliability Standard CIP– 014–1 includes requirements regarding the sharing of information between applicable entities and third-party verifiers and reviewers in Requirements R2.4 and R6.4. Moreover, the ‘‘Compliance’’ section of Reliability Standard CIP–014–1 provides: ‘‘Confidentiality: To protect the confidentiality and sensitive nature of the evidence for demonstrating compliance with this standard, all evidence will be retained at the Transmission Owner’s and Transmission Operator’s facilities.’’ 108. The Commission will take all necessary and appropriate steps, as provided for in our governing statutes and regulations, to preserve an applicable entity’s confidential or sensitive information when the public disclosure of such information could jeopardize the reliable operation of the Bulk-Power System. However, we decline to address in this final rule issues of preemption or the specific mechanism for treating confidential or sensitive information. Moreover, we find that it would be inappropriate to address Associations’ request concerning the disclosure of information related to compliance with Reliability Standard CIP–014–1 to market monitors pursuant to a market monitor agreement or RTO tariff. No such agreements or tariffs are before us in this rulemaking proceeding. H. Other Issues 109. Entergy seeks clarification as to whether the requirement in Reliability Standard CIP–014–1, Requirement R5 that an applicable entity ‘‘shall develop and implement a documented physical security plan(s) that covers their E:\FR\FM\25NOR1.SGM 25NOR1 wreier-aviles on DSK4TPTVN1PROD with RULES Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations respective Transmission station(s), Transmission substation(s), and primary control center(s) . . . [and] shall be developed within 120 calendar days following the completion of Requirement R2 and executed according to the timeline specified in the physical security plan(s)’’ means that the actions called for in the security plan must be completed within 120 days. We see no ambiguity in Requirement R5 as the requirement only states that the security plan, not the actions called for in the plan, must be developed within 120 calendar days. 110. Reclamation proposes that the term ‘‘risk assessment’’ in Requirement R1 of Reliability Standard CIP–014–1 be changed to ‘‘impact assessment’’ because the requirement contemplates an assessment on the impact of the loss of facilities on the stability of the bulk electric system rather than a ‘‘risk assessment.’’ Reclamation further states that, based on the generally accepted meaning of the term ‘‘risk assessment,’’ that term better correlates to Requirement R4. We see no practical reason to require NERC to modify the nomenclature used in Requirement R1. Similarly, we see no reason to require NERC to change ‘‘risk assessment’’ to ‘‘threat risk assessment,’’ as suggested by Paschall, or to require NERC to define ‘‘risk assessment’’ because the term is largely defined in Requirement R1. 111. Foundation recommends that the Commission direct NERC to begin development of a second phase physical security Reliability Standard. Foundation maintains that such a Reliability Standard would address deficiencies in Reliability Standard CIP– 014–1, including the exclusion of generation facilities and certain control centers. For example, Foundation maintains that the loss of a single generation facility could cause cascading outages on the Bulk-Power System. However, for the reasons discussed in Sections C and F above, we are not persuaded that there is a sufficient factual basis at this time to direct NERC to develop a second phase physical security Reliability Standard. While we decline to direct NERC to develop a second phase physical security Reliability Standard at this time, the informational filing on ‘‘High Impact’’ control centers required in this final rule, the post-implementation reports that NERC has committed to provide to the Commission, the Commission’s compliance and enforcement efforts, and other outreach with NERC, industry and the public, will inform the Commission’s views going forward as to what additional VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 steps, if any, might be required to help ensure the reliable operation of the Bulk-Power System in the face of physical security threats. I. Violation Risk Factors and Violation Severity Levels 112. Each requirement of Reliability Standard CIP–014–1 includes one violation risk factor and has an associated set of at least one violation severity level. The ranges of penalties for violations will be based on the sanctions table and supporting penalty determination process described in the Commission-approved NERC Sanction Guidelines, according to the NERC petition. The NOPR proposed to approve the violation risk factors and violation severity levels for the requirements in Reliability Standard CIP–014–1 consistent with the Commission’s established guidelines.87 The Commission did not receive any comments regarding this aspect of the NOPR. Accordingly, the Commission approves the violation risk factors and violation severity levels for the requirements in Reliability Standard CIP–014–1. J. Implementation Plan and Effective Date NERC Petition 113. The NERC petition proposes that Reliability Standard CIP–014–1 become effective the ‘‘first day of the first calendar quarter that is six months beyond the date that this standard is approved by applicable regulatory authorities’’ (i.e., the effective date of a final rule in this proceeding approving the proposed Reliability Standard).88 NERC states that the initial risk assessment required under Requirement R1 must be completed by or before the effective date of the proposed Reliability Standard.89 As described in the requirements of the Reliability 87 North American Electric Reliability Corp., 135 FERC ¶ 61,166 (2011). 88 NERC Petition, Exhibit B (Implementation Plan) at 1. Exhibit B also delineates the completion timelines for Requirements R2 through R6. Parts 2.1, 2.2, and 2.4 of Requirement R2 shall be completed within 90 calendar days of the effective date of the Reliability Standard. Part 2.3 of Requirement R2 shall be completed within 60 calendar days of the completion of performance under Requirement R2 part 2.2. Requirement R3 shall be completed within 7 calendar days of completion of performance under Requirement R2. Requirements R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2. Parts 6.1, 6.2, and 6.4 of Requirement R6 shall be completed within 90 calendar days of completion of performance under Requirement R5. Part 6.3 of Requirement R6 shall be completed within 60 calendar days of Requirement R6 part 6.2. 89 Id. PO 00000 Frm 00029 Fmt 4700 Sfmt 4700 70081 Standard, NERC also identifies when Requirements R2, R3, R4, R5, and R6 must be complied with following the effective date of Reliability Standard CIP–014–1. NOPR 114. The NOPR proposed to approve NERC’s implementation plan and effective date for Reliability Standard CIP–014–1. Comments 115. KCP&L states that the Commission should make it clear if the effective date of Reliability Standard CIP–014–1 will be earlier than April 2016, which KCP&L states is the effective date of Reliability Standard CIP–002–5. KCP&L states that the ‘‘basis for determination of criticality in CIP– 014–1 references the same applicability as found in the CIP–002–5 . . . [and the] potential disconnect in implementation dates may impact registered entities adversely in preparations for Critical Infrastructure Protection standards or in application of physical security improvements given the work required to identify critical assets.’’ 90 Commission Determination 116. We approve the implementation plan and effective date proposed by NERC for Reliability Standard CIP–014– 1. In response to KCP&L’s comment, we understand that, pursuant to the implementation plan and effective date proposed by NERC and approved herein, Reliability Standard CIP–014–1 will become effective before April 2016. III. Information Collection Statement 117. The Paperwork Reduction Act (PRA) 91 requires each federal agency to seek and obtain Office of Management and Budget (OMB) approval before undertaking a collection of information directed to ten or more persons or contained in a rule of general applicability. OMB regulations require approval of certain information collection requirements imposed by agency rules.92 Upon approval of a collection(s) of information, OMB will assign an OMB control number and an expiration date. Respondents subject to the filing requirements of an agency rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. 90 KCP&L Comments at 7. U.S.C. 3501–3520. 92 See 5 CFR 1320.10. 91 44 E:\FR\FM\25NOR1.SGM 25NOR1 70082 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations Comments 118. Associations state that developing a security plan will cost more than $19,000 per company and ‘‘should include a more realistic estimate of costs to comply with the proposed standard because of the influence that the Commission’s assessment may have on the judgment of state utility commission or other regulatory authorities determining the prudence of costs incurred to comply with the proposed standard.’’ 93 Associations also state ‘‘that it understands that one medium-sized investor-owned utility anticipates that third-party contract support will cost approximately $270,000 for conducting transmission studies under R1, thirdparty verification under R2, analyses of threats under R4, and support for security plan development under R5.’’ 94 Associations further state that the Commission’s estimate did not include the cost of implementing the actual security measures included in applicable entity security plan. KCP&L states that it supports Associations’ comments. Commission Determination 119. We adopt the Information Collection Statement estimates contained in the NOPR. As we have previously stated, the estimates provided in an Information Collection Statement are meant to quantify the paperwork burden imposed by a final rule.95 The Information Collection Statement is not intended to estimate the cost of compliance with the requirements of a Reliability Standard approved in a final rule.96 Associations has not explained why it believes the Commission’s paperwork burden estimate is not ‘‘realistic’’ or what would be a ‘‘realistic’’ figure other than to relate, in a footnote, that it understands that an unidentified medium-sized utility anticipates that compliance with requirements of Reliability Standard CIP–014–1, rather than the paperwork burden imposed by a final rule approving the Reliability Standard, will cost approximately $270,000. Associations’ comments do not provide any creditable evidence or analysis to cause us to reevaluate the paperwork burden estimate contained in the NOPR. Accordingly, as set forth below, we adopt the NOPR’s Information Collection Statement burden and cost estimates. 120. The Commission based its estimates on the number of respondents on the NERC compliance registry as of May 28, 2014. According to the registry, there are 357 transmission owners (TOs) and 197 transmission operators (TOPs). The NERC compliance registry also shows that there are only 19 transmission operators that are not also registered as a transmission owner. 121. The burden associated with the final rule is included in FERC–725U (Mandatory Reliability Standards: Reliability Standard CIP–014, OMB Control Number 1902–0274).97 Thefollowing table shows the Commission’s burden and cost estimates, broken down by requirement and year: FERC–725U Requirements in reliability standard CIP–014–1 over Number and type of respondents Number of responses per respondent Total number of responses Average burden hours and cost per response 98 Total burden hours and total cost years 1–3 (1) (2) (1)*(2)=(3) (4) (3)*(4) Year 1: R1 ...................................................... 357 TOs ........... 1 357 R2 ...................................................... 357 TOs ........... 1 357 R3 ...................................................... 2 TOPs ............. 1 2 R4 ...................................................... 30 TOs .............. 2 TOPs ............. 30 TOs .............. 2 TOPs ............. 30 TOs .............. 2 TOPs ............. 357 TOs ........... 2 TOPs ............. 1 .............................. 1 .............................. 1 .............................. 1 .............................. 357 TOs ........... 2 TOPs ............. 30 TOs .............. ........................... 30 TOs .............. R5 ...................................................... R6 ...................................................... Record Retention ...................................... Year 2: Record Retention ............................... Year 3: R1 ...................................................... R2 ...................................................... 93 Associations Comments at 19. at 19 n.19. 95 As defined in the PRA, ‘‘the term ‘‘burden’’ means time, effort, or financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency, including the resources expended for—(A) reviewing instructions; (B) acquiring, installing, and utilizing technology and systems; (C) adjusting the existing ways to comply with any previously applicable instructions and requirements; (D) searching data sources; (E) completing and reviewing the collection of information; and (F) transmitting, or otherwise disclosing the information.’’ wreier-aviles on DSK4TPTVN1PROD with RULES 94 Id. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 32 .............................. 32 .............................. 32 .............................. 359 .............................. 20 $1,220 34 $2,342 1 $128 80 $4,880 320 $19,520 304 $18,812 2 $64 7,140 $435,540 12,138 $836,094 2 $256 2,560 $156,160 10,240 $624,640 9,728 $601,984 718 $22,976 1 .............................. 359 .............................. 2 $64 718 $22,976 1 .............................. 1 30 .............................. 30 20 $1,220 34 600 $36,600 1,029 96 Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ¶ 61,160, at P 235 (2013), order granting clarification in part and denying rehearing, Order No. 791–A, 146 FERC ¶ 61,188 (2014). 97 The requirement for NERC to make the informational filing is part of the responsibilities related to being the nation-wide Electric Reliability Organization. The burden related to that filing is part of FERC–725 (OMB Control Number 1902– 0225). 98 The estimates for cost per response are derived using the following formula: Average Burden Hours PO 00000 Frm 00030 Fmt 4700 Sfmt 4700 per Response * XX per Hour = Average Cost per Response. The hourly cost figures are based on data for wages plus benefits from the Bureau of Labor Statistics (as of September 4, 2014) at http:// www.bls.gov/oes/current/naics3_221000.htm and http://www.bls.gov/news.release/ecec.nr0.htm. The figures are rounded for the purposes of calculations in this table and are: • For electrical engineers: $60.87/hr., rounded to $61/hr. • for attorneys: $128/hr. • for administrative staff: $31.86/hr., rounded to $32/hr. E:\FR\FM\25NOR1.SGM 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations 70083 FERC–725U—Continued Requirements in reliability standard CIP–014–1 over Number and type of respondents Number of responses per respondent Total number of responses Average burden hours and cost per response 98 Total burden hours and total cost years 1–3 (1) (2) (1)*(2)=(3) (4) (3)*(4) ........................... 2 TOPs ............. ........................... 30 TOs .............. 2 TOPs ............. 30 TOs .............. 2 TOPs ............. 30 TOs .............. 2 TOPs ............. 357 TOs ........... 2 TOPs ............. .............................. 1 .............................. 1 .............................. 1 .............................. 1 .............................. 1 .............................. .............................. 2 .............................. 32 .............................. 32 .............................. 32 .............................. 359 .............................. $2,342 1 $128 80 $4,880 80 $4,880 134 $8,442 2 $64 $70,260 2 $256 2,560 $156,160 2,560 $156,160 4,288 $270,144 718 $22,976 ........................... ........................... ........................... ........................... ........................... ........................... .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. .............................. 42,526 $2,677,650 718 $22,976 11,748 $712,556 ........................... ........................... .............................. .............................. .............................. .............................. .............................. .............................. 54,992 $3,413,182 R3 ...................................................... R4 ...................................................... R5 ...................................................... R6 ...................................................... Record Retention ............................... Year 1 Total ................................ Year 2 Total ................................ Year 3 Total ................................ wreier-aviles on DSK4TPTVN1PROD with RULES TOTAL (for Years 1–3) ....... 122. In arriving at the figures in the above table, the Commission made the following assumptions: a. Requirement R1: We assume that responsible entities will complete the required risk assessment at approximately the same time as they complete the assessments required under the existing TPL Reliability Standards. Accordingly, the burden for Reliability Standard CIP–014–1 only represents the documentation required in addition to what entities currently prepare. Conservatively, we assume that in the first year all transmission owners and transmission operators will complete the required risk assessment.99 In the third year, we assume that only 30 transmission operators will be required to do another risk assessment and that the entities with critical facilities after the first risk assessment will still have critical facilities after the second risk assessment. b. Requirement R5: We assume that developing physical security plans in the first year will be more time consuming than in later years because in later years the plans will likely only need to be updated. 123. Title: FERC–725U, Mandatory Reliability Standards: Reliability Standard CIP–014–1. 99 While it is likely that only large transmission owners and transmission operators will have critical facilities under Requirement R1, the Commission’s estimate includes all transmission owners and operators because reliable data on what percentage of large owners and operators control critical facilities is unavailable. VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 Action: Proposed Collection of Information. OMB Control No: 1902–0274. Respondents: Business or other for profit, and not for profit institutions. Frequency of Responses: Ongoing. Necessity of the Information: Reliability Standard CIP–014–1 implements the Congressional mandate of the Energy Policy Act of 2005 to develop mandatory and enforceable Reliability Standards to better ensure the reliability of the nation’s BulkPower System. Specifically, Reliability Standard CIP–014–1 ensures that applicable entities with critical BulkPower System facilities develop and implement physical security plans to address physical security threats and vulnerabilities that could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Internal review: The Commission has reviewed Reliability Standard CIP–014– 1 and has determined that the Reliability Standard is necessary to ensure the reliability and integrity of the nation’s Bulk-Power System. 124. Interested persons may obtain information on the reporting requirements by contacting: Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, Phone: (202) 502–8663, fax: (202) 273–0873]. Comments on the requirements of this rule may also be sent to the Office of PO 00000 Frm 00031 Fmt 4700 Sfmt 4700 Information and Regulatory Affairs, Office of Management and Budget, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission]. For security reasons, comments should be sent by email to OMB at oira_submission@ omb.eop.gov. Comments submitted to OMB should refer to FERC–725U and OMB Control No. 1902–0274. IV. Environmental Analysis 125. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.100 The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.101 The actions here fall within this categorical exclusion in the Commission’s regulations. V. Regulatory Flexibility Act 126. The Regulatory Flexibility Act of 1980 (RFA) 102 generally requires a description and analysis of proposed 100 Order No. 486, Regulations Implementing the National Environmental Policy Act of 1969, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Regulations Preambles 1986–1990 ¶ 30,783 (1987). 101 18 CFR 380.4(a)(2)(ii). 102 5 U.S.C. 601–612. E:\FR\FM\25NOR1.SGM 25NOR1 70084 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations rules that will have significant economic impact on a substantial number of small entities. 127. The Small Business Administration (SBA) revised its size standard (effective January 22, 2014) for electric utilities from a standard based on megawatt hours to a standard based on the number of employees, including affiliates.103 Under SBA’s new size standards, transmission owners and transmission operators likely come under the following category and associated size threshold: Electric bulk power transmission and control, at 500 employees.104 128. The NOPR stated that, based on U.S. economic census data, the approximate percentage of small firms in this category is 57 percent.105 The NOPR also stated that the Commission did not have information concerning how the economic census data compares with entities registered with NERC and is unable to estimate the number of small transmission owners and transmission operators using the new SBA definition. However, the NOPR stated that Reliability Standard CIP–014–1 only applies to transmission owners and transmission operators that own and/or operate certain critical Bulk-Power System facilities. In the NOPR, the Commission stated that it believes that Reliability Standard CIP– 014–1 will be applicable to a relatively small group of large entities. No comments were received addressing the Commission’s proposed certification.106 129. Accordingly, the Commission certifies that Reliability Standard CIP– 014–1 will not have a significant impact on a substantial number of small entities. Accordingly, no regulatory flexibility analysis is required. VI. Document Availability 130. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through the Commission’s Home Page (http:// www.ferc.gov) and in the Commission’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington DC 20426. 131. From the Commission’s Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the Abbreviation last three digits of this document in the docket number field. 132. User assistance is available for eLibrary and the Commission’s Web site during normal business hours from the Commission’s Online Support at 202– 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov. VII. Effective Date and Congressional Notification 133. This final rule is effective January 26, 2015. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ‘‘major rule’’ as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996.107 This final rule is being submitted to the Senate, House, and Government Accountability Office. By the Commission. Nathaniel J. Davis, Sr., Deputy Secretary. Note: This appendix will not appear in the Code of Federal Regulations. Appendix Commenter Initial Commenters wreier-aviles on DSK4TPTVN1PROD with RULES APS ................................................. Associations .................................... BPA ................................................. CEA ................................................. Duke ................................................ Entergy ............................................ Foundation ...................................... GridWise ......................................... G&T Cooperatives .......................... Idaho Power .................................... ITC .................................................. KCP&L ............................................ MISO ............................................... NARUC ........................................... NEMA .............................................. NERC .............................................. NU ................................................... NYPSC ............................................ Ohio PUC ........................................ Oncor .............................................. Pa PUC ........................................... Paschall ........................................... Pepco .............................................. Reclamation .................................... Seattle ............................................. Arizona Public Service Company. Edison Electric Institute, Electric Power Supply Association, Electricity Consumers Resource Council. Bonneville Power Administration. Canadian Electricity Association. Duke Energy Corporation. Entergy. Foundation for Resilient Societies. GridWise Alliance. Associated Electric Cooperative, Inc., Basin Electric Power Cooperative, and Tri-State Generation and Transmission Association, Inc. Idaho Power Company. International Transmission Company. Kansas City Power & Light Company and KCP&L Greater Missouri Operations Company. Midcontinent Independent System Operator, Inc. National Association of Regulatory Utility Commissioners. National Electrical Manufactures Association. North American Electric Reliability Corporation. Utilities Northeast Utilities System. New York Public Service Commission. Public Utilities Commission of Ohio. Oncor Electric Delivery Company LLC. Pennsylvania Public Utility Commission. Roger Paschall. Pepco Holdings, Inc. U.S. Department of Interior, Bureau of Reclamation. City of Seattle. 103 SBA Final Rule on ‘‘Small Business Size Standards: Utilities,’’ 78 FR 77,343 (Dec. 23, 2013). 104 13 CFR 121.201, Sector 22, Utilities. 105 NOPR, 148 FERC ¶ 61,040 at P 70. Data and further information are available on the SBA Web site. See SBA Firm Size Data, available at http:// www.sba.gov/advocacy/849/12162. Since issuance VerDate Sep<11>2014 14:24 Nov 24, 2014 Jkt 235001 of the NOPR, the Commission has obtained data that enables us to estimate more closely the number of small entities affected by this final rule. We now estimate that 28 percent (or 103 out of the 359 entities) are small entities. 106 To the extent that Associations’ comments, which we addressed above in the Information PO 00000 Frm 00032 Fmt 4700 Sfmt 4700 Collection Statement section, were also directed to the Commission’s proposed certification regarding the Regulatory Flexibility Act, Associations’ comments do not dispute any of the assumptions underlying the proposed certification or contest the proposed certification itself. 107 5 U.S.C. 804(2). E:\FR\FM\25NOR1.SGM 25NOR1 Federal Register / Vol. 79, No. 227 / Tuesday, November 25, 2014 / Rules and Regulations 70085 Abbreviation Commenter SCE ................................................. SDG&E ............................................ SIA .................................................. Southern .......................................... TAPS ............................................... TVA ................................................. Trade Associations ......................... Southern California Edison. San Diego Gas & Electric. Security Industry Association. Southern Company Services, Inc. Transmission Access Policy Study Group. Tennessee Valley Authority. American Public Power Association, Large Public Power Council, National Rural Electric Cooperative Association. Xcel Energy Services Inc. Xcel ................................................. Reply Commenters Foundation ...................................... ITC .................................................. NIPSCO .......................................... SmartSenseCom ............................. SWTDUG ........................................ Tallahassee ..................................... Foundation for Resilient Societies. International Transmission Company. Northern Indiana Public Service Company. SmartSenseCom, Inc. Southwest Transmission Dependent Utility Group. City of Tallahassee. [FR Doc. 2014–27908 Filed 11–24–14; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF JUSTICE Drug Enforcement Administration 21 CFR Part 1301 [Docket No. DEA–394] RIN 1117–AB38 Exemption From Registration for Persons Authorized Under U.S. Nuclear Regulatory Commission or Agreement State Medical Use Licenses or Permits and Administering the Drug Product DaTscanTM Drug Enforcement Administration, Department of Justice. ACTION: Interim final rule with request for comment. AGENCY: The Drug Enforcement Administration (DEA) is amending its regulations to waive the requirement of registration for persons who are authorized under United States Nuclear Regulatory Commission or Agreement State medical use licenses or permits and administer the drug product DaTscanTM. SUMMARY: Effective November 25, 2014. Interested persons may file written comments on this interim final rule pursuant to 5 U.S.C. 553. Electronic comments must be submitted, and written comments must be postmarked, on or before January 26, 2015. Commenters should be aware that the electronic Federal Docket Management System will not accept comments after midnight Eastern Time on the last day of the comment period. ADDRESSES: To ensure proper handling of comments, please reference ‘‘Docket wreier-aviles on DSK4TPTVN1PROD with RULES DATES: VerDate Sep<11>2014 16:47 Nov 24, 2014 Jkt 235001 No. DEA–394’’ on all electronic and written correspondence. The DEA encourages that all comments be submitted electronically through the Federal eRulemaking Portal which provides the ability to type short comments directly into the comment field on the Web page or attach a file for lengthier comments. Please go to http:// www.regulations.gov and follow the online instructions at that site for submitting comments. Paper comments that duplicate electronic submissions are not necessary. Should you, however, wish to submit written comments in lieu of electronic comments, they must be sent via regular or express mail to: Drug Enforcement Administration, Attention: DEA Federal Register Representative/ODXL, 8701 Morrissette Drive, Springfield, Virginia 22152. FOR FURTHER INFORMATION CONTACT: Imelda L. Paredes, Office of Diversion Control, Drug Enforcement Administration; Mailing Address: 8701 Morrissette Drive, Springfield, Virginia 22152, Telephone: (202) 598–6812. SUPPLEMENTARY INFORMATION: Posting of Public Comments Please note that all comments received in response to this docket are considered part of the public record and will be made available for public inspection online at http:// www.regulations.gov. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter. The Freedom of Information Act (FOIA) applies to all comments received. If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be made publicly available, you must include the phrase ‘‘PERSONAL IDENTIFYING PO 00000 Frm 00033 Fmt 4700 Sfmt 4700 INFORMATION’’ in the first paragraph of your comment. You must also place all of the personal identifying information you do not want made publicly available in the first paragraph of your comment and identify what information you want redacted. If you want to submit confidential business information as part of your comment, but do not want it to be made publicly available, you must include the phrase ‘‘CONFIDENTIAL BUSINESS INFORMATION’’ in the first paragraph of your comment. You must also prominently identify the confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be made publicly available. Comments containing personal identifying information or confidential business information identified as directed above will be made publicly available in redacted form. An electronic copy of this document and supplemental information to this interim final rule with request for comment are available at http:// www.regulations.gov for easy reference. If you wish to personally inspect the comments and materials received or the supporting documentation the DEA used in preparing the interim final rule with request for comment, these materials will be available for public inspection by appointment. To arrange a viewing, please see the FOR FURTHER INFORMATION CONTACT paragraph above. Legal Authority The DEA implements and enforces titles II and III of the Comprehensive Drug Abuse Prevention and Control Act of 1970, as amended. Titles II and III are referred to as the ‘‘Controlled Substances Act’’ and the ‘‘Controlled E:\FR\FM\25NOR1.SGM 25NOR1

Agencies

[Federal Register Volume 79, Number 227 (Tuesday, November 25, 2014)]
[Rules and Regulations]
[Pages 70069-70085]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-27908]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM14-15-000; Order No. 802]


Physical Security Reliability Standard

AGENCY: Federal Energy Regulatory Commission, Energy.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves 
Reliability Standard CIP-014-1 (Physical Security). The North American 
Electric Reliability Corporation, the Commission-certified Electric 
Reliability Organization, submitted Reliability Standard CIP-014-1 for 
Commission approval in response to a Commission order issued on March 
7, 2014. The purpose of Reliability Standard CIP-014-1 is to enhance 
physical security measures for the most critical Bulk-Power System 
facilities and thereby lessen the overall vulnerability of the Bulk-
Power System against physical attacks. In addition, the Commission 
directs NERC to develop one modification to Reliability Standard CIP-
014-1 and submit an informational filing.

DATES:  This rule is effective January 26, 2015.

FOR FURTHER INFORMATION CONTACT: 
Regis Binder (Technical Information), Office of Electric Reliability, 
Division of Reliability Standards and Security, Federal Energy 
Regulatory Commission, 888 First Street NE., Washington, DC 20426, 
Telephone: (301) 665-1601, Regis.Binder@ferc.gov.

Matthew Vlissides (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, Telephone: (202) 502-8408, Matthew.Vlissides@ferc.gov.

SUPPLEMENTARY INFORMATION: 

Order No. 802

Final Rule

(Issued November 20, 2014)
    1. Pursuant to section 215 of the Federal Power Act (FPA), the 
Commission approves Reliability Standard CIP-014-1 (Physical 
Security).\1\ The North American Electric Reliability Corporation 
(NERC), the Commission-certified Electric Reliability Organization 
(ERO), submitted Reliability Standard CIP-014-1 for Commission approval 
in response to a Commission order issued on March 7, 2014.\2\ The 
purpose of Reliability Standard CIP-014-1 is to enhance physical 
security measures for the most critical Bulk-Power System facilities 
and thereby lessen the overall vulnerability of the Bulk-Power System 
facilities against physical attacks. In addition to approving 
Reliability Standard CIP-014-1, as discussed below, the Commission 
directs NERC to submit an informational filing and, pursuant to FPA 
section 215(d)(5), directs NERC to develop a modification to 
Reliability Standard CIP-014-1.\3\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o.
    \2\ Reliability Standards for Physical Security Measures, 146 
FERC ] 61,166 (2014) (March 7 Order).
    \3\ 16 U.S.C. 824o(d)(5).
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    2. Section 215 of the FPA requires the Commission to certify an ERO 
to develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Once approved, the Reliability 
Standards may be enforced in the United States by the ERO, subject to 
Commission oversight, or by the Commission independently.\4\
---------------------------------------------------------------------------

    \4\ Id. 824o(e).
---------------------------------------------------------------------------

B. March 7 Order

    3. In the March 7 Order, the Commission determined that physical 
attacks on the Bulk-Power System could adversely impact the reliable 
operation of the Bulk-Power System, resulting in instability, 
uncontrolled separation, or cascading failures. Moreover, the 
Commission observed that the then current Reliability Standards did not 
specifically require entities to take steps to reasonably protect 
against physical security attacks on the Bulk-Power System. 
Accordingly, to carry out section 215 of the FPA and to provide for the 
reliable operation of the Bulk-Power System, the Commission directed 
NERC, pursuant to FPA section 215(d)(5), to develop and file for 
approval proposed Reliability Standards that address threats and 
vulnerabilities to the physical security of critical facilities on the 
Bulk-Power System.
    4. The March 7 Order indicated that the Reliability Standards 
should require owners or operators of the Bulk-Power System to take at 
least three steps to address the risks that physical security attacks 
pose to the reliable operation of the Bulk-Power System. Specifically, 
the March 7 Order directed that the Reliability Standards should 
require: (1) Owners or operators of the Bulk-Power System to perform a 
risk assessment of their systems to identify their ``critical 
facilities''; (2) owners or operators of the identified critical 
facilities to evaluate the potential threats and vulnerabilities to 
those identified facilities; and (3) those owners or operators of 
critical facilities to develop and implement a security plan designed 
to protect against attacks to those identified critical facilities 
based on the assessment of the potential threats and vulnerabilities to 
their physical security.
    5. The March 7 Order stated that the risk assessment used by an 
owner or operator to identify critical facilities should be verified by 
an entity other than the owner or operator, such as by NERC, the 
relevant Regional Entity, a reliability coordinator, or another 
entity.\5\ In addition, the March 7 Order indicated that the 
Reliability Standards should include a procedure for the verifying 
entity, as well as the Commission, to add or remove facilities from an 
owner's or operator's list of critical facilities.\6\ The March 7 Order 
further stated that the determination of threats and vulnerabilities 
and the security plan should be reviewed by NERC, the relevant Regional 
Entity, the reliability coordinator, or another entity with appropriate 
expertise.
---------------------------------------------------------------------------

    \5\ March 7 Order, 146 FERC ] 61,166 at P 11.
    \6\ Id.
---------------------------------------------------------------------------

    6. The March 7 Order stated that, because the three steps of 
compliance with the contemplated Reliability Standards could contain 
sensitive or confidential information that, if released to the public, 
could jeopardize the reliable operation of the Bulk-Power System, NERC 
should include in the Reliability Standards a procedure that will 
ensure confidential treatment of sensitive or confidential information 
but still allow for the Commission, NERC and the Regional Entities to 
review and inspect any information that is needed

[[Page 70070]]

to ensure compliance with the Reliability Standards.\7\
---------------------------------------------------------------------------

    \7\ Id. P 10.
---------------------------------------------------------------------------

    7. The Commission directed NERC to submit the proposed Reliability 
Standards to the Commission for approval within 90 days of issuance of 
the March 7 Order (i.e., June 5, 2014).

C. NERC Petition

    8. On May 23, 2014, NERC petitioned the Commission to approve 
Reliability Standard CIP-014-1 and its associated violation risk 
factors and violation severity levels, implementation plan, and 
effective date.\8\ NERC maintains that the Reliability Standard is 
just, reasonable, not unduly discriminatory, or preferential, and in 
the public interest. In addition, NERC asserts that the proposed 
Reliability Standard complies with the Commission's directives in the 
March 7 Order.
---------------------------------------------------------------------------

    \8\ NERC explains that, to meet the 90-day deadline in the March 
7 Order, the NERC Standards Committee approved waivers to NERC's 
Standard Processes Manual to shorten the comment and ballot periods 
for the Standards Authorization Request and draft Reliability 
Standard. NERC Petition at 13-14. Reliability Standard CIP-014-1 is 
not attached to this Final Rule. The complete text of Reliability 
Standard CIP-014-1 is available on the Commission's eLibrary 
document retrieval system in Docket No. RM14-15-000 and is posted on 
the ERO's Web site, available at http://www.nerc.com.
---------------------------------------------------------------------------

    9. NERC explains that Reliability Standard CIP-014-1 ``serves the 
vital reliability goal of enhancing physical security measures for the 
most critical Bulk-Power System facilities and lessening the overall 
vulnerability of the Bulk-Power System to physical attacks.'' \9\ NERC 
maintains that the ``appropriate focus of the proposed Reliability 
Standard is Transmission stations and Transmission substations, which 
are uniquely essential elements of the Bulk-Power System.'' \10\ The 
Reliability Standard is applicable to transmission owners that satisfy 
the Applicability Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4, and 
to transmission operators. NERC states that the transmission facilities 
covered by Applicability Sections 4.1.1.1 through 4.1.1.4 match the 
``Medium Impact'' transmission facilities listed in Attachment 1 
(Impact Rating Criteria), specifically, the ``Medium Impact'' 
facilities described in Sections 2.4, 2.5, 2.6, and 2.7, of Reliability 
Standard CIP-002-5.1,\11\ According to NERC, the ``standard drafting 
team determined that using the criteria for `Medium Impact' 
Transmission Facilities set forth in Reliability Standard CIP-002-5.1 
is an appropriate applicability threshold as the Commission has 
acknowledged that it is a technically sound basis for identifying 
Transmission Facilities, which, if compromised, would present an 
elevated risk to the Bulk-Power System.'' \12\
---------------------------------------------------------------------------

    \9\ NERC Petition at 15-16.
    \10\ Id. at 18. NERC states that, although the terms 
``Transmission stations'' and ``Transmission substations'' are 
sometimes used interchangeably, Reliability Standard CIP-014-1 uses 
the term ``Transmission substation'' to refer to a facility 
contained within a physical border (e.g., a fence or wall) that 
contains one or more autotransformers. Id. According to NERC, the 
term ``Transmission station,'' as used in Reliability Standard CIP-
014-1, refers to a facility that functions as a switching station or 
switchyard but does not contain autotransformers. Id. at 18-19.
    \11\ Id. at 25 (citing Reliability Standard CIP-002-5.1 (Cyber 
Security--BES Cyber System Categorization), Attachment 1 (Impact 
Rating Criteria)).
    \12\ Id.
---------------------------------------------------------------------------

    10. Reliability Standard CIP-014-1 has six requirements. 
Requirement R1 requires applicable transmission owners to perform risk 
assessments on a periodic basis to identify their transmission stations 
and transmission substations that, if rendered inoperable or damaged, 
could result in widespread instability, uncontrolled separation, or 
cascading within an Interconnection. Requirement R1 also requires 
transmission owners to identify the primary control center that 
operationally controls each of the identified transmission stations or 
transmission substations.
    11. Requirement R2 requires that each applicable transmission owner 
have an unaffiliated third party with appropriate experience verify the 
risk assessment performed under Requirement R1. Requirement R2 states 
that the transmission owner must either modify its identification of 
facilities consistent with the verifier's recommendation or document 
the technical basis for not doing so. In addition, Requirement R2 
requires each transmission owner to implement procedures for protecting 
sensitive or confidential information made available to third-party 
verifiers or developed under the Reliability Standard from public 
disclosure.
    12. Requirement R3 requires the transmission owner to notify a 
transmission operator that operationally controls a primary control 
center identified under Requirement R1 of such identification to ensure 
that the transmission operator has notice of the identification so that 
it may timely fulfill its obligations under Requirements R4 and R5 to 
protect the primary control center.
    13. Requirement R4 requires each applicable transmission owner and 
transmission operator to conduct an evaluation of the potential threats 
and vulnerabilities of a physical attack on each of its respective 
transmission stations, transmission substations, and primary control 
centers identified as critical in Requirement R1.
    14. Requirement R5 requires each transmission owner and 
transmission operator to develop and implement documented physical 
security plans that cover each of their respective transmission 
stations, transmission substations, and primary control centers 
identified as critical in Requirement R1.
    15. Requirement R6 requires that each transmission owner and 
transmission operator subject to Requirements R4 and R5 have an 
unaffiliated third party with appropriate experience review its 
Requirement R4 evaluation and Requirement R5 security plan. Requirement 
R6 states that the transmission owner or transmission operator must 
either modify its evaluation and security plan consistent with the 
recommendation, if any, of the reviewer or document its reasons for not 
doing so. In addition, Requirement R6 requires each transmission owner 
to implement procedures for protecting sensitive or confidential 
information made available to third-party reviewers or developed under 
the Reliability Standard from public disclosure.

D. Notice of Proposed Rulemaking

    16. On July 17, 2014, the Commission issued a Notice of Proposed 
Rulemaking proposing to approve Reliability Standard CIP-014-1 as just, 
reasonable, not unduly discriminatory or preferential, and in the 
public interest.\13\ In addition, the NOPR proposed to direct NERC to 
develop two modifications to the Reliability Standard. First, the NOPR 
proposed to direct NERC to develop a modification to allow applicable 
governmental authorities (i.e., the Commission and any other 
appropriate federal or provincial authorities) to add or subtract 
facilities from an applicable entity's list of critical facilities 
under Requirement R1.\14\ Second, the NOPR proposed to direct NERC to 
modify the Reliability Standard to remove the term ``widespread'' as it 
appears in the phrase ``widespread instability'' in Requirement R1.\15\ 
The NOPR also proposed to direct NERC to submit two informational 
filings, one addressing the protection of ``High Impact'' control 
centers and the other addressing resiliency measures, to be submitted, 
respectively, within six months and one

[[Page 70071]]

year following the effective date of a final rule in this 
proceeding.\16\
---------------------------------------------------------------------------

    \13\ Physical Security Reliability Standard, Notice of Proposed 
Rulemaking, 79 FR 42,734 (July 23, 2014), 148 FERC ] 61,040 (2014) 
(NOPR).
    \14\ Id. P 23.
    \15\ Id. P 29.
    \16\ Id. PP 35, 57.
---------------------------------------------------------------------------

    17. In response to the NOPR, the Commission received 33 sets of 
initial comments and six sets of reply comments. We address below the 
issues raised in the NOPR and comments. The Appendix to this final rule 
lists the entities that filed comments in response to the NOPR.

II. Discussion

    18. Pursuant to FPA section 215(d)(2), we approve Reliability 
Standard CIP-014-1 as just, reasonable, not unduly discriminatory or 
preferential, and in the public interest. The Commission also approves 
the associated violation risk factors, violation severity levels, 
implementation plan, and effective date proposed by NERC (i.e., the 
``first day of the first calendar quarter that is six months beyond'' 
the effective date of the final rule in this proceeding).\17\ As 
discussed below, the Commission determines that Reliability Standard 
CIP-014-1 satisfies the directives in the March 7 Order concerning the 
development and submittal of physical security Reliability Standards.
---------------------------------------------------------------------------

    \17\ NERC Petition, Exhibit B (Implementation Plan) at 1.
---------------------------------------------------------------------------

    19. In addition to approving Reliability Standard CIP-014-1, the 
Commission adopts in part the NOPR proposal directing NERC to develop 
and submit modifications to the Reliability Standard concerning the use 
of the term ``widespread'' in Requirement R1. The Commission determines 
that the term ``widespread'' is unclear with respect to the obligations 
it imposes on applicable entities; how it would be implemented by 
applicable entities; and how it would be enforced. Accordingly, the 
Commission directs NERC, pursuant to FPA section 215(d)(5), to remove 
the term ``widespread'' from Reliability Standard CIP-014-1 or, 
alternatively, to propose modifications to the Reliability Standard 
that address the Commission's concerns. We direct that NERC submit a 
responsive modification within six months from the effective date of 
this final rule.
    20. The Commission does not adopt the NOPR proposal that would have 
required NERC to develop and submit modifications to Reliability 
Standard CIP-014-1 to allow applicable governmental authorities (i.e., 
the Commission and any other appropriate federal or provincial 
authorities) to add or subtract facilities from an applicable entity's 
list of critical facilities under Requirement R1. We determine that the 
Commission's enforcement authority under FPA section 215(e), and 
particularly the use of targeted auditing following implementation of 
Reliability Standard CIP-014-1, will allow us to address the concerns 
raised in the NOPR.
    21. With respect to the informational filings proposed in the NOPR, 
the Commission adopts the proposal to direct NERC to make an 
informational filing addressing whether Reliability Standard CIP-014-1 
provides physical security for all ``High Impact'' control centers, as 
that term is defined in Reliability Standard CIP-002-5.1, necessary for 
the reliable operation of the Bulk-Power System. However, the 
Commission extends the deadline for that informational filing until two 
years following the effective date of Reliability Standard CIP-014-1. 
The Commission, at this time, does not adopt the NOPR proposal to 
direct NERC to make an informational filing addressing resiliency. 
Instead, the Commission will continue to consider ways for industry to 
best inform the Commission of its current and future resiliency 
efforts, which could take the form of reports and/or technical 
conferences to address specific areas of concern (e.g., spare parts, 
fuel security, and advanced technologies).
    22. We address below the following issues raised in the NOPR and in 
the comments: (A) Removal of the term ``widespread''; (B) applicable 
governmental authorities' ability to add or subtract facilities from an 
entity's list of critical facilities; (C) informational filing on 
``High Impact'' control centers; (D) informational filing on 
resiliency; (E) third-party verification and review; (F) exclusion of 
generators from the applicability section of Reliability Standard CIP-
014-1; (G) confidentiality; (H) other issues raised in comments; (I) 
violation risk factors and violation severity levels; and (J) 
implementation plan and effective date.

A. Removal of the Term ``Widespread''

March 7 Order
    23. The March 7 Order stated that a critical facility is ``one 
that, if rendered inoperable or damaged, could have a critical impact 
on the operation of the interconnection through instability, 
uncontrolled separation or cascading failures on the Bulk-Power 
System.'' \18\
---------------------------------------------------------------------------

    \18\ March 7 Order, 146 FERC ] 61,166 at P 6.
---------------------------------------------------------------------------

NERC Petition
    24. Reliability Standard CIP-014-1 states that its purpose is to 
``identify and protect Transmission stations and Transmission 
substations, and their associated primary control centers, that if 
rendered inoperable or damaged as a result of a physical attack could 
result in widespread instability, uncontrolled separation, or Cascading 
within an Interconnection.'' \19\ Requirement R1 states that the 
``initial and subsequent risk assessments shall consist of a 
transmission analysis or transmission analyses designed to identify the 
Transmission station(s) and Transmission substation(s) that if rendered 
inoperable or damaged could result in widespread instability, 
uncontrolled separation, or Cascading within an Interconnection.''
---------------------------------------------------------------------------

    \19\ NERC Petition at 17.
---------------------------------------------------------------------------

NOPR
    25. The NOPR proposed to direct NERC to modify Reliability Standard 
CIP-014-1 to remove the term ``widespread'' as it appears in the phrase 
``widespread instability.'' The NOPR stated that the phrase 
``widespread instability'' is undefined by NERC and is inconsistent 
with the March 7 Order's explanation of ``critical facility'' and the 
definition of ``reliable operation'' in FPA section 215(a)(4).\20\
---------------------------------------------------------------------------

    \20\ ``[A facility] that, if rendered inoperable or damaged, 
could have a critical impact on the operation of the interconnection 
through instability, uncontrolled separation or cascading failures 
on the Bulk-Power System.'' March 7 Order, 146 FERC ] 61,166 at P 6; 
16 U.S.C. 824o(a)(4) (``The term `reliable operation' means 
operating the elements of the bulk-power system within equipment and 
electric system thermal, voltage, and stability limits so that 
instability, uncontrolled separation, or cascading failures of such 
system will not occur as a result of a sudden disturbance, including 
a cybersecurity incident, or unanticipated failure of system 
elements.'').
---------------------------------------------------------------------------

    26. The NOPR stated that the use of ``widespread instability'' in 
Requirement R1 could, depending on the meaning of ``widespread,'' 
narrow the scope (and number) of identified critical facilities under 
Reliability Standard CIP-014-1 beyond what was contemplated in the 
March 7 Order. The NOPR also stated that the use of the term 
``widespread'' could potentially render the Reliability Standard 
unenforceable or lead to an inadequate level of reliability by omitting 
facilities that are critical to the reliable operation of the Bulk-
Power System.
Comments
    27. NERC comments that it does not oppose the NOPR directive but 
that the modification should be developed through NERC's standards 
development process and NERC should be allowed to propose alternative 
clarifying language ``to ensure the proposed Reliability Standard 
remains focused on Interconnection impacts and not local

[[Page 70072]]

impacts.'' \21\ NERC states that the term ``widespread'' was used to 
focus applicable entities' security efforts on facilities whose loss 
would have more than a local area impact.
---------------------------------------------------------------------------

    \21\ NERC Comments at 19.
---------------------------------------------------------------------------

    28. SIA, Idaho Power, Pa PUC, SmartSenseCom, Foundation and Pepco 
support the NOPR proposal because they believe that the term 
``widespread'' is vague or inconsistent with the definition of 
``reliable operation'' in FPA section 215.\22\ Pepco, for example, 
states that the term ``widespread'' is ambiguous, will require requests 
for clarification or interpretation and will expose applicable entities 
to ``second-guessing'' from auditors. KCP&L, while it does not state 
that it supports the proposal, acknowledges that the term 
``widespread'' is vague and that the term ``introduces interpretive 
language that may be problematic for compliance and enforcement 
interpretations as well as unintentionally narrow the scope of 
facilities.'' \23\
---------------------------------------------------------------------------

    \22\ See SIA Comments at 2; Idaho Power Comments at 2; Pa PUC 
Comments at 5; Pepco Comments at 4-5; SmartSenseCom Comments at 7-8; 
Foundation Reply Comments at 7.
    \23\ KCP&L Comments at 4.
---------------------------------------------------------------------------

    29. Other commenters do not support the proposed directive largely 
because they contend that the proposal may have the unintended 
consequence of expanding the scope of Reliability Standard CIP-014-1 to 
include localized events that have no impact on an Interconnection.\24\ 
APS, SCE, SDG&E, and G&T Cooperatives also maintain that while the term 
``widespread'' is not defined by NERC, it appears elsewhere in the 
Reliability Standards, including in NERC's definition of ``Cascading'' 
and in the TPL Reliability Standards, and is understood by industry. 
Associations also state that the Commission should withdraw the NOPR 
proposal; however, Associations state that, in the alternative, the 
Commission should clarify that removal of the term ``widespread'' is 
not intended to bring within the scope of Reliability Standard CIP-014-
1 ``a substation or station unless the applicable Transmission Owner 
determines through technical studies and analyses that include the 
application of engineering judgment and practice that the loss of such 
facility would have a critical impact on the operation of the [bulk 
electric system] in the event the asset is rendered inoperable or 
damaged.'' \25\ NARUC states that the proposal will add costs without 
necessarily improving reliability.
---------------------------------------------------------------------------

    \24\ See APS Comments at 3; SCE Comments at 3; SDG&E Comments at 
4-5; TVA Comments at 9-10; Tallahassee Comments at 1; Oncor Comments 
at 3-4; Ohio PUC Comments at 4-5; BPA Comments at 3; NARUC Comments 
at 11; G&T Cooperatives Comments at 8-11; Southern Comments at 7-10.
    \25\ Associations Comments at 14-15; see also APS Comments at 3-
4, Southern Comments at 11.
---------------------------------------------------------------------------

    30. ITC, while agreeing that the term ``widespread'' is not well-
defined and would render the Reliability Standard vague, contends that 
the definition of critical facility in Requirement R1 should be 
replaced by defining as critical all physical facilities that contain 
``High Impact'' or ``Medium Impact'' BES Cyber Systems as those terms 
are defined in Reliability Standard CIP-002-5.1.
Commission Determination
    31. The Commission adopts the NOPR proposal in part and directs 
NERC to remove the term ``widespread'' from Reliability Standard CIP-
014-1 or, alternatively, to propose modifications to the Reliability 
Standard that address the Commission's concerns. The differing views 
expressed in the comments validate the concern raised in the NOPR that 
the meaning of the term ``widespread'' is unclear and subject to 
interpretation.
    32. We stated in the March 7 Order that ``the Reliability Standards 
that we are ordering today apply only to critical facilities that, if 
rendered inoperable or damaged, could have a critical impact on the 
operation of the interconnection through instability, uncontrolled 
separation or cascading failures on the Bulk-Power System.\26\ We 
affirm the March 7 Order's statement that ``[m]ethodologies to 
determine these facilities should be based on objective analysis, 
technical expertise, and experienced judgment.'' \27\
---------------------------------------------------------------------------

    \26\ March 7 Order, 146 FERC ] 61,166 at P 6 n.5.
    \27\ Id. P 6.
---------------------------------------------------------------------------

    33. However, incorporating the undefined term ``widespread'' in 
Reliability Standard CIP-014-1 introduces excessive uncertainty in 
identifying critical facilities under Requirement R1.\28\ As the 
Commission stated in the March 7 Order, only an instability that has a 
``critical impact on the operation of the interconnection'' warrants 
finding that the facility causing the instability is critical under 
Requirement R1. The March 7 Order did not intend to suggest that the 
physical security Reliability Standards should address facilities that 
do not have a ``critical impact on the operation of the 
interconnection.'' This understanding is, we believe, unintentionally 
absent in Requirement R1 because the requirement only deems a facility 
critical when, if rendered inoperable or damaged, it could result in 
widespread instability, uncontrolled separation, or Cascading within an 
Interconnection. The definition in Requirement R1 should not be 
dependent on how an applicable entity interprets the term 
``widespread'' but instead should be modified to make clear that a 
facility that has a critical impact on the operation of an 
Interconnection is critical and therefore subject to Requirement R1.
---------------------------------------------------------------------------

    \28\ See Version 5 Critical Infrastructure Protection 
Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 
145 FERC ] 61,160, at P 67 (2013), order granting clarification in 
part and denying rehearing, Order No. 791-A, 146 FERC ] 61,188 
(2014) (directing removal or clarification ``identify, assess and 
correct'' language).
---------------------------------------------------------------------------

    34. While some commenters contend that the meaning of the term 
``widespread'' is well-understood by industry, we find that there is 
ample evidence in the record to support the conclusion that the term is 
susceptible to different interpretations by applicable entities. 
Notably, KCP&L states that, while it was a participant in the standards 
drafting process for Reliability Standard CIP-014-1, it agrees that the 
term requires interpretation. Moreover, KCP&L and Pepco share our 
concern that compliance enforcement authorities may find it difficult 
to consistently enforce compliance with Requirement R1 without a clear 
understanding of the term's meaning.
    35. Accordingly, pursuant to FPA section 215(d)(5), the Commission 
directs NERC to develop a modification to Reliability Standard CIP-014-
1 that either removes the term ``widespread'' from Requirement R1 or, 
in the alternative, proposes changes that address the Commission's 
concerns. Further, we direct that NERC submit a responsive modification 
within six months from the effective date of this final rule. We 
recognize that certain entities commented on how NERC could modify 
Reliability Standard CIP-014-1 to address the Commission's stated 
concerns.\29\ However, we conclude that it is appropriate to allow NERC 
to develop and propose a modification in the first instance. With 
respect to ITC's more general comments regarding the scope of critical 
facilities in Requirement R1, we address the potential for applying the 
impact designations in Reliability Standard CIP-002-5.1 to Reliability 
Standard CIP-014-1, Requirement R1 in the section below regarding the 
NOPR's proposed informational filing on ``High Impact'' control 
centers.
---------------------------------------------------------------------------

    \29\ See, e.g., BPA Comments at 2; Ohio PUC Comments at 5; TVA 
Comments at 9, ITC Comments at 9.

---------------------------------------------------------------------------

[[Page 70073]]

B. Applicable Governmental Authority's Ability To Add or Subtract 
Facilities From an Entity's List of Critical Facilities

March 7 Order
    36. In the March 7 Order, the Commission stated that:

    [T]he risk assessment used by an owner or operator to identify 
critical facilities should be verified by an entity other than the 
owner or operator. Such verification could be performed by NERC, the 
relevant Regional Entity, a Reliability Coordinator, or another 
entity. The Reliability Standards should include a procedure for the 
verifying entity, as well as the Commission, to add or remove 
facilities from an owner's or operator's list of critical 
facilities. . . .\30\
---------------------------------------------------------------------------

    \30\ March 7 Order, 146 FERC ] 61,166 at P 11.
---------------------------------------------------------------------------

NERC Petition
    37. Reliability Standard CIP-014-1 does not include a procedure 
that allows the Commission to add or subtract facilities from an 
applicable entity's list of critical facilities under Requirement R1. 
Instead, NERC states that the Commission has the existing authority to 
enforce NERC Reliability Standards pursuant to FPA section 
215(e)(3).\31\ NERC explains that a transmission owner must be able to 
demonstrate that its method for performing its risk assessment under 
Requirement R1 ``was technically sound and reasonably designed to 
identify its critical Transmission stations and Transmission 
substations.'' \32\ NERC maintains that if ``in the course of assessing 
an entity's compliance with the proposed Reliability Standard, NERC, a 
Regional Entity or [the Commission] finds that the entity's 
transmission analysis was patently deficient and the Requirement R2 
verification process did not cure those deficiencies, they could use 
their enforcement authority to compel Transmission Owners to re-perform 
the risk assessment using assumptions designed to identify the 
appropriate critical facilities.'' \33\
NOPR
---------------------------------------------------------------------------

    \31\ NERC Petition at 37.
    \32\ Id.
    \33\ Id.
---------------------------------------------------------------------------

    38. The NOPR stated that Reliability Standard CIP-014-1 does not 
include a procedure that allows the Commission to add or subtract 
facilities from an applicable entity's list of critical facilities. The 
NOPR stated that if the Commission determined through an audit of an 
applicable entity, or through some other means, that a critical 
facility does not appear on the entity's list of critical facilities, 
there is no provision in Reliability Standard CIP-014-1 to allow the 
Commission to require its inclusion. In the NOPR, the Commission 
proposed to direct NERC to modify the physical security Reliability 
Standard to ``include a procedure that would allow applicable 
governmental authorities, i.e., the Commission and any other 
appropriate federal or provincial authorities, to add or subtract 
facilities from an applicable entity's list of critical facilities.'' 
\34\
---------------------------------------------------------------------------

    \34\ NOPR, 148 FERC ] 61,040 at P 23.
---------------------------------------------------------------------------

Comments
    39. NERC asserts that the Commission should not adopt the NOPR 
proposal. NERC maintains that the proposal is unnecessary because it 
duplicates existing Commission compliance monitoring and enforcement 
authority.\35\ Moreover, NERC contends that the NOPR's concerns 
surrounding the use of existing compliance and enforcement methods to 
ensure compliance with Requirement R1 are unsubstantiated. NERC states 
that if the NOPR proposal is adopted, then the Commission must better 
justify the reasons for the directive and limit and clarify the scope 
and content of the proposed directive.
---------------------------------------------------------------------------

    \35\ NERC Comments at 8 (``the Commission can use its broad 
enforcement authority to make certain that the applicable entity re-
performs the risk assessment on whatever timeline the Commission 
deems appropriate or face penalties or sanctions under the FPA'').
---------------------------------------------------------------------------

    40. Pa PUC, Foundation, SmartSenseCom and Paschall state that they 
support the NOPR proposal.\36\ Other commenters do not oppose the 
proposal but maintain that it should be clarified or modified if 
adopted by the Commission.\37\
---------------------------------------------------------------------------

    \36\ Pa PUC Comments at 5; Foundation Comments at 3; 
SmartSenseCom Comments at 6; Paschall Comments at 2.
    \37\ See G&T Cooperatives Comments at 3-8; ITC Comments at 12; 
NYPSC Comments at 5-7; Pepco Comments at 5-7; Idaho Power Comments 
at 1-2.
---------------------------------------------------------------------------

    41. The majority of commenters do not support the NOPR proposal for 
various legal and policy reasons.\38\ Associations' comments are 
representative of this viewpoint in that they address: (1) The 
statutory authority to modify critical facility lists or otherwise 
allow the Commission (or any other governmental authority) an 
operational role in the performance of a Reliability Standard; (2) how 
the Commission would afford entities due process in determining whether 
to direct the addition or removal of facilities while still maintaining 
confidentiality; and (3) what constitutes ``any other appropriate 
federal or provincial authorities'' and the legal authority and 
advisability of delegating responsibility to another government entity. 
Like NERC, Associations contend that the Commission already possesses 
the compliance and enforcement authority to ensure that applicable 
entities comply with Requirement R1.\39\ Specifically, Associations 
state that the ``Commission has sufficient existing enforcement 
authority under the FPA to take actions to address concerns raised in 
the NOPR regarding the sufficiency of decisions made to identify 
critical facilities under CIP-014-1 . . . includ[ing] the use of 
traditional enforcement authority under Section 215(e)(3), including 
audits and investigations, which it has used on several occasions.'' 
\40\ Associations also request a technical conference in two years that 
addresses the implementation of Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \38\ See Southern Comments at 2-7; Trade Associations Comments 
at 5-12; GridWise Comments at 3-9; Duke Comments at 3-5; NARUC 
Comments at 4; KCP&L Comments at 2-4; SDG&E Comments at 3-4; Oncor 
Comments at 2-3; Entergy Comments at 1; TAPS Comments at 3-9; APS 
Comments at 2-3; BPA Comments at 2; SCE Comments at 2; Ohio PUC 
Comments at 3-4; TVA Comments at 6-9; CEA Comments at 3-9; NU 
Utilities Comments at 1.
    \39\ Associations Comments at 9; see also TAPS Comments at 5 
(``If the Commission finds a Registered Entity's risk assessment 
study to be inadequate because it lacks a critical facility, the 
Registered Entity will be in violation of [Requirement] R1 of the 
Physical Security standard . . . [t]he Commission could then direct 
a specific method of compliance . . . and impose daily penalties 
until the Registered Entity complies. If despite the threat of 
penalties, the Commission were concerned about the need for timely 
action, it could order the Registered Entity to come into compliance 
within a specified reasonable timeframe.'').
    \40\ Associations Comments at 9.
---------------------------------------------------------------------------

Commission Determination
    42. Based on our review of the comments, we determine not to adopt 
the NOPR proposal.
    43. We are persuaded by commenters that the NOPR directive would 
present NERC, as the entity that would have to develop the proposed 
modification, and the Commission, which would have to approve any NERC 
proposal, with a number of substantial policy issues. Ultimately, we 
believe that the NOPR proposal would require NERC and the Commission to 
expend resources that could be better applied elsewhere.
    44. The Commission, instead, will focus its resources on carrying 
out compliance and enforcement activities to ensure that critical 
facilities are identified under Requirement R1. In its comments, NERC 
indicated that NERC staff will submit to the NERC Board of Trustees a 
report three months following implementation of Requirements R1, R2 and 
R3 concerning the scope of facilities identified as

[[Page 70074]]

critical, including the number of facilities identified as critical and 
their defining characteristics.\41\ NERC also committed to sending this 
report to Commission staff.\42\ Based on the results reported by NERC, 
we expect Commission staff to audit a representative number of 
applicable entities to ensure compliance with Reliability Standard CIP-
014-1. Depending on the audit findings, the Commission will determine 
if there is a need for any further action by the Commission including, 
but not limited to, directing NERC to develop modifications to 
Reliability Standard CIP-014-1 to provide greater specificity to the 
methodology for determining critical facilities. At this time, we will 
not direct Commission staff to convene a technical conference on 
implementation of Reliability Standard CIP-014-1 in two-years' time, as 
requested by Associations. We may revisit that proposal at a later 
time.
---------------------------------------------------------------------------

    \41\ NERC Comment at 27-28. NERC's post-implementation reports 
are further discussed below.
    \42\ Id. at 28.
---------------------------------------------------------------------------

C. Informational Filing on ``High Impact'' Control Centers

March 7 Order
    45. The March 7 Order stated that a ``critical facility is one 
that, if rendered inoperable or damaged, could have a critical impact 
on the operation of the interconnection through instability, 
uncontrolled separation or cascading failures on the Bulk-Power 
System.'' \43\ The March 7 Order, while not mandating that a minimum 
number of facilities be deemed critical under the physical security 
Reliability Standards, explained that the ``Commission expects that 
critical facilities generally will include, but not be limited to, 
critical substations and critical control centers.'' \44\
---------------------------------------------------------------------------

    \43\ March 7 Order, 146 FERC ] 61,166 at P 6.
    \44\ Id. P 6, n.6.
---------------------------------------------------------------------------

NERC Petition
    46. NERC states that Reliability Standard CIP-014-1 addresses the 
protection of primary control centers, which NERC defines as facilities 
that ``operationally control[ ] a Transmission station or Transmission 
substation when the electronic actions from the control center can 
cause direct physical actions at the identified Transmission station or 
Transmission substation, such as opening a breaker.'' \45\
---------------------------------------------------------------------------

    \45\ NERC Petition at 19.
---------------------------------------------------------------------------

    47. NERC maintains that ``[c]ontrol centers that provide back-up 
capability and control centers that cannot operationally control a 
critical Transmission station or Transmission substation do not present 
similar direct risks to Real-time operations if they are the target of 
a physical attack,'' and thus they are not covered by Reliability 
Standard CIP-014-1.\46\ NERC explains that the destruction of a back-up 
control center would ``have no direct reliability impact in Real-time 
as the entity can continue operation . . . from its primary control 
center.'' \47\ With respect to control centers that do not physically 
operate Bulk-Power System facilities, such as control centers operated 
by reliability coordinators, NERC states that, while ``certain 
monitoring and oversight capabilities might be lost as a result of a 
physical attack on such control centers, the Transmission Owner or 
Transmission Operator that operationally controls the critical 
Transmission station or Transmission substation would be able to 
continue operating its transmission system to prevent widespread 
instability, uncontrolled separation, or Cascading within an 
Interconnection.'' \48\
---------------------------------------------------------------------------

    \46\ Id.
    \47\ Id. at 20.
    \48\ Id. at 20-21.
---------------------------------------------------------------------------

    48. NERC acknowledges that certain control centers categorized as 
``High Impact'' or ``Medium Impact'' under Reliability Standard CIP-
002-5.1 (Cyber Security--BES Cyber System Categorization) would not be 
covered control centers under Reliability Standard CIP-014-1.\49\ NERC 
explains that this situation:
---------------------------------------------------------------------------

    \49\ Reliability Standard CIP-002-5.1 (Cyber Security--BES Cyber 
System Categorization), Attachment 1 (Impact Rating Criteria).

reflects the different nature of cyber security risks and physical 
security risks at control centers . . . [a] primary cyber security 
concern for control centers is the corruption of data or information 
and the potential for operators to take action based on corrupted 
data or information . . . [and] [t]his concern exists at control 
centers that operationally control Bulk-Power System facilities and 
those that do not. As such, there is no distinction in CIP-002-5.1 
between these control centers . . . however, such a distinction is 
appropriate in the physical security context.\50\
---------------------------------------------------------------------------

    \50\ NERC Petition at 22 n.55.

    49. NERC points out that Reliability Standard CIP-006-5 already 
requires physical security protections that are ``designed to restrict 
physical access to locations containing High and Medium Impact Cyber 
Systems,'' which include control centers and backup control centers for 
reliability coordinators, balancing authorities, transmission operators 
and generation operators irrespective of their ability to operationally 
control Bulk-Power System facilities.\51\
---------------------------------------------------------------------------

    \51\ Id. at 21.
---------------------------------------------------------------------------

NOPR
    50. The NOPR proposed to direct NERC to make an informational 
filing within six months of the effective date of a final rule in this 
proceeding indicating whether the development of Reliability Standards 
that provide physical security for all ``High Impact'' control centers, 
as that term is defined in Reliability Standard CIP-002-5.1, is 
necessary for the reliable operation of the Bulk-Power System.
    51. The NOPR stated that primary and back-up control centers of 
functional entities other than transmission owners and operators 
identified as ``High Impact'' may warrant assessment and physical 
security controls under this Reliability Standard because a successful 
attack could prevent or impair situational awareness, especially from a 
wide-area perspective, or could allow attackers to distribute 
misleading and potentially harmful data and operating instructions that 
could result in instability, uncontrolled separation, or cascading 
failures.
    52. The NOPR stated that the proposed informational filing should 
address whether there is a need for consistent treatment of ``High 
Impact'' control centers for cybersecurity and physical security 
purposes through the development of Reliability Standards that afford 
physical protection to all ``High Impact'' control centers. The NOPR 
also stated that the development of physical security protections for 
all ``High Impact'' control centers would not be without precedent 
because, as noted above, Reliability Standard CIP-006-5 already 
requires that ``High Impact'' control centers have some physical 
protections, including restrictions on physical access, to protect BES 
Cyber Assets. However, the NOPR further stated that the security 
measures required by Reliability Standard CIP-006-5 may not be 
comparable to those required by Reliability Standard CIP-014-1, and 
thus may not be sufficient to ``deter, detect, delay, assess, 
communicate, and respond to potential threats and vulnerabilities'' as 
required in Requirement R5 of Reliability Standard CIP-014-1. Further, 
the NOPR stated that Reliability Standard CIP-006-5 does not require an 
``unaffiliated third party review'' of the evaluation and security plan 
required by Reliability Standard CIP-014-1.

[[Page 70075]]

Comments
    53. NERC states that it does not oppose submitting an informational 
filing to address whether ``High Impact'' control centers warrant 
assessment and physical security controls under Reliability Standard 
CIP-014-1. However, NERC requests that the Commission modify the NOPR 
proposal to give NERC at least 12 months from the effective date of a 
final rule in this proceeding to submit the informational filing.
    54. Other commenters, while not necessarily agreeing that all 
``High Impact'' control centers should be subject to Reliability 
Standard CIP-014-1, support the NOPR proposal for various reasons.\52\ 
Associations state that the informational filing ``will provide a more 
granular mapping of the strategic considerations embedded in the CIP 
standards . . . as well as consideration of the issues relating to 
control centers not covered by CIP-014-1.'' \53\ MISO and SDG&E state 
that the informational filing could be a useful way for identifying 
areas of possible improvement in the future. Some commenters, including 
Associations, recommend that the Commission direct NERC to submit the 
informational filing as critical energy infrastructure information 
(CEII).
---------------------------------------------------------------------------

    \52\ See Associations Comments at 16; KCP&L Comments at 4; 
Foundation Comments at 7; SDG&E Comments at 5; Pa PUC Comments at 6; 
SCE Comments at 4; MISO Comments at 6-7.
    \53\ Associations Comments at 16.
---------------------------------------------------------------------------

    55. ITC supports the proposed informational filing but states that 
the Commission should widen the scope of the informational filing to 
assess the benefits of extending Reliability Standard CIP-014-1 to all 
``High Impact'' and ``Medium Impact'' BES Cyber Assets. ITC states that 
the definition of ``critical'' assets is insufficiently comprehensive 
because it fails to provide physical security for facilities that 
contain crucial Cyber Assets. ITC further states that identifying 
critical facilities under Requirement R1 is unnecessary because 
applicable entities already have a list of facilities containing ``High 
Impact'' and ``Medium Impact'' Cyber Assets, which could also serve as 
the list of critical facilities for the purposes of Reliability 
Standard CIP-014-1. SIA agrees that Requirement R1 should be modified 
to include all ``High Impact'' control centers.
    56. Commenters opposed to the NOPR proposal contend that the 
informational filing is unnecessary or would be burdensome.\54\ Trade 
Associations state that Reliability Standard CIP-014-1 correctly 
focuses on the protection of primary control centers that operationally 
control transmission stations or substations identified under 
Requirement R1. Idaho Power states that Reliability Standard CIP-006-5 
contains enough physical access controls to meet the expectations of 
``deter, detect, delay, assess, communicate, and respond'' because 
there are extensive monitoring and alerting requirements that must be 
applied to all ``High Impact'' control centers. Reclamation states that 
Reliability Standard CIP-014-1 will capture all ``High Impact'' control 
centers as currently drafted. Pepco states that an informational filing 
would divert resources from implementation and compliance with 
Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \54\ Trade Associations Comments at 12; Pepco Comments at 7.
---------------------------------------------------------------------------

Commission Determination
    57. The Commission adopts the NOPR proposal and directs NERC to 
submit an informational filing that addresses whether there is a need 
for consistent treatment of ``High Impact'' control centers for 
cybersecurity and physical security purposes through the development of 
Reliability Standards that afford physical protection to all ``High 
Impact'' control centers. The Commission, however, modifies the NOPR 
proposal and extends the due date for the informational filing to two 
years following the effective date of Reliability Standard CIP-014-1.
    58. While we approve Reliability Standard CIP-014-1 in this final 
rule, including the Reliability Standard's treatment of control 
centers, the Commission, for the reasons set forth in the NOPR, finds 
that NERC should assess whether all ``High Impact'' control centers 
should be protected under Reliability Standard CIP-014-1.\55\ We 
recognize that NERC and applicable entities will be in a better 
position to provide this assessment after implementation of Reliability 
Standard CIP-014-1 and Reliability Standard CIP-006-5, the latter of 
which provides some physical protection to ``High Impact'' control 
centers. Accordingly, the Commission directs NERC to submit the 
informational filing two years following the effective date of 
Reliability Standard CIP-014-1. The Commission, while not directing 
NERC to submit the informational filing as CEII, recognizes the 
concerns raised by commenters regarding confidentiality. The Commission 
expects NERC to prepare the informational filing and submit it in such 
a way as to protect any critical information from public disclosure.
---------------------------------------------------------------------------

    \55\ See NOPR, 148 FERC ] 61,040 at PP 35-39.
---------------------------------------------------------------------------

    59. At this time, the Commission will not direct NERC to address in 
the informational filing whether all ``High Impact'' and ``Medium 
Impact'' BES Cyber Assets should be considered critical for the 
purposes of Reliability Standard CIP-014, Requirement R1. We are 
sympathetic to several points raised in ITC's comments, which echo some 
of the statements in the NOPR. However, as stated in the NOPR, the 
basis for directing an informational filing regarding control centers 
is found in the March 7 Order, where the Commission stated that it 
``expects that critical facilities generally will include, but not be 
limited to, critical substations and critical control centers.'' \56\ 
While NERC explained why not all ``High Impact'' control centers may be 
critical for the purposes of Reliability Standard CIP-014-1, we 
conclude that this issue requires close attention and should be 
addressed in the informational filing. The broader concerns raised by 
ITC regarding the scope of Requirement R1 can be evaluated by NERC and 
industry as part of the implementation process. As we noted above, the 
Commission will devote resources to compliance with and enforcement of 
Reliability Standard CIP-014-1 to ensure that all critical facilities 
are identified pursuant to Requirement R1. Should the Commission find 
through these efforts, or through the post-implementation reports and 
informational filing that NERC will submit, that Requirement R1 as 
currently written is not capturing all critical facilities, then the 
Commission will act upon that information.
---------------------------------------------------------------------------

    \56\ NOPR, 148 FERC ] 61,040 at P 44 (quoting March 7 Order, 146 
FERC ] 61,166 at P 6 n.6).
---------------------------------------------------------------------------

D. Informational Filing on Resiliency

March 7 Order
    60. In the March 7 Order, the Commission stated that the 
development of physical security Reliability Standards ``will help 
provide for the resiliency and reliable operation of the Bulk-Power 
System. To that end, the proposed Reliability Standards should allow 
owners or operators to consider resiliency of the grid in the risk 
assessment when identifying critical facilities, and the elements that 
make up those facilities, such as transformers that typically require 
significant time to repair or replace. As part of this process, owners 
or operators may consider elements of resiliency such as how the system 
is designed, operated, and

[[Page 70076]]

maintained, and the sophistication of recovery plans and inventory 
management.'' \57\
---------------------------------------------------------------------------

    \57\ March 7 Order, 146 FERC ] 61,166 at P 7.
---------------------------------------------------------------------------

NERC Petition
    61. Reliability Standard CIP-014-1 mentions resiliency in 
Requirement R5, stating in Requirement R5.1 that the physical security 
plans that entities develop shall include, among other attributes: 
``Resiliency or security measures designed collectively to deter, 
detect, delay, assess, communicate, and respond to potential physical 
threats and vulnerabilities identified during the evaluation conducted 
in Requirement R4.'' The NERC petition describes Requirement R5.1, with 
regard to resiliency, as referring to ``steps an entity may take that, 
while not specifically targeted as hardening the physical security of 
the site, help to decrease the potential adverse impact of a physical 
attack . . . including modifications to system topology or the 
construction of a new Transmission station . . . that would lessen the 
criticality of the facility.'' \58\
---------------------------------------------------------------------------

    \58\ NERC Petition at 42.
---------------------------------------------------------------------------

NOPR
    62. The NOPR stated that the NERC petition describes resiliency 
measures that could be included in the required physical security 
plans. The NOPR also stated, however, that specific resiliency measures 
are not required by Reliability Standard CIP-014-1, which is consistent 
with the March 7 Order. Instead, the NOPR noted that Reliability 
Standard CIP-014-1 allows the security plans to be flexible in order to 
meet different threats and protect varying Bulk-Power System 
configurations.
    63. The NOPR stated that resiliency is as, or even more, important 
than physical security given that physical security cannot protect 
against all possible attacks. The NOPR also stated that, in the case of 
the loss of a substation, the Bulk-Power System may depend on 
resiliency to minimize the impact of the loss of facilities and restore 
blacked-out portions of the Bulk-Power System as quickly as possible. 
The NOPR further stated that some entities may implement resiliency 
measures rather than security measures, such as by adding facilities or 
operating procedures that reduce or eliminate the importance of 
existing critical facilities, which could significantly improve 
reliability and resiliency.
    64. The NOPR stated that the NERC petition indicated that the NERC 
Board of Trustees expects NERC management to monitor and assess the 
implementation of Reliability Standard CIP-014-1 on an ongoing basis, 
which would include: The number of assets identified as critical under 
the Reliability Standard; the defining characteristics of the assets 
identified as critical; the scope of security plans (i.e., the types of 
security and resiliency measures contemplated under the various 
security plans); the timelines included in the security plan for 
implementing the security and resiliency measures; and industry 
progress in implementing the Reliability Standard. The NOPR also stated 
that NERC explained that this information could be used to provide 
regular updates to Commission staff.\59\ The NOPR proposed to rely on 
NERC's ongoing assessment of Reliability Standard CIP-014-1's 
implementation and to require NERC to make such information available 
to Commission staff upon request.
---------------------------------------------------------------------------

    \59\ NOPR, 148 FERC ] 61,040 at P 56.
---------------------------------------------------------------------------

    65. In addition, the NOPR proposed to direct NERC to submit an 
informational filing that addresses the resiliency of the Bulk-Power 
System when confronted with the loss of critical facilities. The NOPR 
stated that the informational filing should explore what steps can be 
taken, in addition to those required by Reliability Standard CIP-014-1, 
to maintain the reliable operation of the Bulk-Power System when faced 
with the loss or degradation of critical facilities. The NOPR proposed 
to direct NERC to submit the informational filing within one year after 
the effective date of the final rule in this proceeding.\60\
---------------------------------------------------------------------------

    \60\ NERC issued a report on severe impact resilience in 2012. 
See NERC, Severe Impact Resilience: Considerations and 
Recommendations (May 2012), available at http://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf. The NOPR stated that the proposed informational 
filing could draw on the report but should also reflect subsequent 
work and development on this topic, particularly including supply 
chain, transporting and other logistical issues for equipment such 
as large transformers. NOPR, 148 FERC ] 61,040 at P 57.
---------------------------------------------------------------------------

Comments
    66. NERC requests that the Commission not direct it to submit an 
informational filing on resiliency. NERC contends that an informational 
filing on resiliency would divert resources from NERC's oversight of 
the implementation of Reliability Standard CIP-014-1 and NERC's efforts 
to assess the Reliability Standard's effectiveness. NERC states that it 
will monitor and assess implementation of Reliability Standard CIP-014-
1, as described in NERC's petition, and will prepare two initial 
reports for the NERC Board of Trustees, the first report being 
submitted three months following implementation of Requirements R1, R2 
and R3 and the second report being submitted three months after 
implementation of Requirements R4, R5 and R6. With respect to the 
second report, NERC states that ``[g]iven the NOPR's discussion of 
resiliency, this report will pay particular attention to the resiliency 
measures included in entities' security plans.'' \61\ NERC further 
states that it commits to provide both reports to Commission staff.
---------------------------------------------------------------------------

    \61\ NERC Comments at 28.
---------------------------------------------------------------------------

    67. Pepco does not support the proposed informational filing 
because of the burden Pepco contends it would impose on NERC and 
registered entities, including diverting resources from the 
implementation of Reliability Standard CIP-014-1. Pepco asserts that 
resiliency is already addressed in Reliability Standard CIP-014-1.
    68. SDG&E, MISO and Idaho Power support directing NERC to submit 
the proposed informational filing on resiliency as a way of determining 
next steps for enhancing the reliability of the Bulk-Power System.\62\
---------------------------------------------------------------------------

    \62\ See SDG&E Comments at 5; MISO Comments at 6-7; Idaho Power 
Comments at 4; see also Paschall Comments at 2.
---------------------------------------------------------------------------

    69. Other commenters, including Associations, while generally 
agreeing that the issue of resiliency needs to be considered, recommend 
that the Commission convene a technical conference rather than require 
NERC to submit an informational filing because, they maintain, a 
technical conference would be more effective.\63\
---------------------------------------------------------------------------

    \63\ See Associations Comments at 17; KCP&L Comments at 6-7; SCE 
Comments at 4; Trade Associations Comments at 13-14; GridWise 
Comments at 3.
---------------------------------------------------------------------------

Commission Determination
    70. The Commission determines not to adopt the NOPR proposal 
requiring NERC to submit an informational filing concerning resiliency 
of the Bulk-Power System. While commenters expressed differing views on 
whether an informational filing is needed, the comments recognized the 
importance of Bulk-Power System resiliency. In addition, NERC committed 
to providing the Commission with two reports following implementation 
of Reliability Standard CIP-014-1, which, NERC indicates, will address 
the issue of resiliency.
    71. Rather than require NERC to submit an informational filing at 
this time, the Commission will review the NERC reports and will 
consider ways for industry to best inform the Commission of its current 
and future

[[Page 70077]]

resiliency efforts, which could take the form of reports and/or 
technical conferences to address specific areas of concern (e.g., spare 
parts, fuel security, and advanced technologies).

E. Third-Party Verification and Review

March 7 Order
    72. In the March 7 Order, the Commission stated that ``the risk 
assessment used by an owner or operator to identify critical facilities 
should be verified by an entity other than the owner or operator . . . 
[and] [s]imilarly, the determination of threats and vulnerabilities and 
the security plan should also be reviewed by NERC, the relevant 
Regional Entity, the Reliability Coordinator, or another entity with 
appropriate expertise.'' \64\
---------------------------------------------------------------------------

    \64\ March 7 Order, 146 FERC ] 61,166 at P 11.
---------------------------------------------------------------------------

NERC Petition
    73. Requirement R2 of Reliability Standard CIP-014-1 requires 
transmission owners to have their risk assessments verified by an 
unaffiliated third party. Requirement R6, likewise, requires each 
transmission owner and transmission operator to have their 
vulnerability and threat assessment(s) along with their security 
plan(s) for any critical facilities reviewed by an unaffiliated third 
party.
    74. Regarding how an applicable entity is supposed to address any 
recommendations by a third-party verifier, Reliability Standard CIP-
014-1, in Requirement R2.3, states that the transmission owner must 
either (a) ``modify its identification . . . consistent with the 
recommendation'' or (b) ``document the technical basis for not 
modifying the identification in accordance with the recommendation.'' 
Similarly, Requirement R6.3 sets forth the procedure for considering 
any recommendations from the reviewing entity as to the threat 
assessments and security plans: The applicable entity must either (a) 
``modify its evaluation or security plan(s) consistent with the 
recommendation'' or (b) ``document the reason(s) for not modifying the 
evaluation or security plan(s) consistent with the recommendation.''
    75. NERC states that ``[r]equiring documentation of the technical 
basis for not modifying the identification in accordance with the 
recommendation will help ensure that a Transmission Owner meaningfully 
considers the verifier's recommendations and follows those 
recommendations unless it can technically justify its reasons for not 
doing so. To comply with Part 2.3, the technical justification must be 
sound and based on acceptable approaches to conducting transmission 
analyses.'' \65\ The NERC petition contains a similar explanation for 
the third-party review (Requirement R6) of the threat assessments and 
security plans mandated in Requirements R4 and R5.\66\
---------------------------------------------------------------------------

    \65\ NERC Petition at 36.
    \66\ Id. at 50.
---------------------------------------------------------------------------

NOPR
    76. The NOPR proposed to approve the third-party verification and 
review method proposed by NERC in Requirements R2 and R6. The NOPR 
stated that failure to provide a written, technically justifiable 
reason for rejecting a third-party recommendation would render the 
applicable entity non-compliant. With that understanding, the NOPR 
proposed to approve NERC's proposed third-party verification and review 
in Requirements R2 and R6 of Reliability Standard CIP-014-1 as an 
equally efficient and effective alternative to the directive in the 
March 7 Order.
Comments
    77. NERC states that it supports the NOPR proposal. NERC states 
that third-party verification and review will provide another layer of 
expertise and independence to the identification of critical assets, 
the evaluation of threats and vulnerabilities, and the development of 
effective security plans. NERC reiterates that an applicable entity's 
failure to provide a reasonable, written explanation for declining to 
follow a third-party recommendation would constitute non-compliance.
    78. MISO, Reclamation, KCP&L, ITC, and G&T Cooperatives support the 
NOPR proposal but each suggest modifications or request clarification 
of Reliability Standard CIP-014-1.\67\
---------------------------------------------------------------------------

    \67\ See also Paschall Comments at 2; Foundation Comments at 7.
---------------------------------------------------------------------------

    79. MISO states that entities like itself, that are both 
reliability coordinators and planning coordinators, may be subject to 
substantial, simultaneous demands by many transmission owners for 
concurrent verification of risk assessments. MISO notes that 
Requirement R2.2 requires applicable entities to have their risk 
assessment verified within 90 days of completion of the risk 
assessment. MISO states that firm adherence to the 90-day deadline 
could undermine the protections in Reliability Standard CIP-014-1 by 
requiring verifying entities (e.g., MISO) to conduct hurried or 
shorter-than-optimal assessments. Accordingly, MISO seeks clarification 
that NERC has the discretion to extend the implementation deadline, 
especially with respect to the 90-day verification deadline in 
Requirement R2.2. Likewise, G&T Cooperatives, NIPSCO and KCP&L state 
that there should be flexibility regarding the 90-day deadline because 
of the limited pool of qualified third-party verifiers.
    80. Reclamation states that transmission owners should have 
discretion to make decisions regarding third-party recommendations 
based on cost and risk analyses. Reclamation also states that 
Requirement 2.1 should be modified to require that third-party 
verifications be conducted by a transmission owner's planning 
coordinator or transmission planner. If the transmission owner is also 
the planning coordinator and transmission planner, then Reclamation 
states that the verification should be conducted by the reliability 
coordinator.
    81. KCP&L states that NERC should develop a pre-approved list of 
qualified third-party contractors or require third parties to register 
with NERC. KCP&L also seeks clarification that an independent system 
operator (ISO) or regional transmission operator (RTO) concurrent with 
its role as reliability coordinator could provide third-party review 
services. KCP&L states that it does not oppose having an RTO that is 
also a reliability coordinator or planning coordinator serve as a 
third-party reviewer but would not support a mandate requiring a 
specific third-party reviewer. KCP&L also seeks clarification of the 
meaning of the phrase ``unaffiliated third-party.''
    82. ITC states that the Commission should ``confirm that the 
verification of a responsible entity's risk assessment, threat 
assessment, and security plan, as specified in Requirements R2 and R6, 
constitutes full compliance by that responsible entity with respect to 
the risk assessment and security plan.'' \68\
---------------------------------------------------------------------------

    \68\ ITC Comments at 10.
---------------------------------------------------------------------------

    83. NIPSCO, TVA and Idaho Power do not support the NOPR proposal. 
NIPSCO contends that third-party verification is ``inconsistent with 
the approach to entity self-assessment applied in other Reliability 
Standards'' and notes that the Version 5 CIP Reliability Standards do 
not include a provision for third-party review.\69\ NIPSCO also 
contends that the use of third parties could raise confidentiality 
concerns. Idaho Power maintains that the proposal should not be adopted 
because it does not require third parties to include a written or 
technical justification with their recommendations. Idaho Power also

[[Page 70078]]

states that ``if a third-party verification and review process is 
incorporated in to the Standard, it should clearly describe the 
specific methodology and performance criteria to be applied.'' \70\ TVA 
states that FPA section 215 does not contemplate the use of third-party 
verifiers and reviewers acting in an enforcement role. TVA also 
contends that Reliability Standard CIP-014-1 does not contain any 
qualification criteria that third-party verifiers and reviewers must 
meet. TVA further states that using third-party verifiers and reviewers 
could compromise the confidentiality of critical information.
---------------------------------------------------------------------------

    \69\ NIPSCO Comments at 2.
    \70\ Idaho Power Comments at 3-4.
---------------------------------------------------------------------------

Commission Determination
    84. We adopt the NOPR proposal and approve the third-party 
verification and review provisions found in Requirements R2 and R6 of 
Reliability Standard CIP-014-1. These provisions, as stated by NERC, 
provide an important, independent layer of expertise in the 
identification, assessment and protection of critical facilities.
    85. We disagree with the arguments raised in the comments submitted 
by NIPSCO, TVA and Idaho Power. The use of third-party verification and 
review in Reliability Standard CIP-014-1 is not inconsistent with other 
Commission-approved Reliability Standards merely because third-party 
review is not used in other Reliability Standards. NIPSCO is correct 
that the Version 5 CIP Reliability Standards do not include third-party 
review provisions. However, as NIPSCO acknowledges, the Version 5 CIP 
Reliability Standards contain bright-line criteria that guide the 
determinations made by applicable entities in identifying BES Cyber 
Assets.\71\ By contrast, Reliability Standard CIP-014-1 contains no 
such criteria and instead requires applicable entities to develop their 
own analysis. In addition, the threat evaluation in Requirement R4 and 
security plan in Requirement R6 involve areas of expertise that 
applicable entities in the electric industry may not possess and thus 
would strongly benefit from the experience of qualified third parties.
---------------------------------------------------------------------------

    \71\ We also note that in Order No. 706, the Commission directed 
NERC to develop an external review procedure for the identification 
of critical assets by responsible entities. See Mandatory 
Reliability Standards for Critical Infrastructure Protection, Order 
No. 706, 122 FERC ] 61,040, at PP 322-329, order on reh'g, Order No. 
706-A, 123 FERC ] 61,174 (2008), order on clarification, Order No. 
706-B, 126 FERC ] 61,229 (2009), order on clarification, Order No. 
706-C, 127 FERC ] 61,273 (2009).
---------------------------------------------------------------------------

    86. Similarly, we disagree with TVA that the use of third-party 
verifiers and reviewers is inconsistent with FPA section 215. As 
discussed above, we reject TVA's view that third-party verifiers and 
reviewers will be acting in an enforcement capacity. These third 
parties will have no authority to determine whether an applicable 
entity has violated a requirement of Reliability Standard CIP-014-1, 
require compliance, or issue penalties. Moreover, as stated in the 
NOPR, an applicable entity in some cases could be found to be in 
violation of a requirement even if the applicable entity's actions were 
verified by a third party.\72\ We also determine that the requirements 
in Reliability Standard CIP-014-1 (i.e., Requirements R2.1 and R6.1) 
establishing the qualifications for third-party verifiers and reviewers 
are sufficient. As discussed below, as Reliability Standard CIP-014-1 
is implemented, we are satisfied that NERC and Regional Entities will 
provide additional assistance to applicable entities to identify 
qualified third-party verifiers and reviewers if the need arises. We 
are also satisfied that Requirements R2.4 and R6.4 provide adequate 
protection against the disclosure of sensitive or confidential 
information.
---------------------------------------------------------------------------

    \72\ NOPR, 148 FERC ] 61,040 at P 23.
---------------------------------------------------------------------------

    87. In response to Idaho Power's concern, we expect that third-
party verifiers and reviewers will articulate a reasonable basis for 
their recommendations. The absence of such a basis for a recommendation 
could justify an applicable entity's decision to decline to adopt the 
recommendation. We also see no reason to include in Reliability 
Standard CIP-014-1 ``specific methodology and performance criteria'' 
for third-party verification and review beyond what is already 
contained in the requirements and compliance measures recited in the 
Reliability Standard.
    88. With respect to the other comments, there is no evidence in the 
record to support the conclusion that an insufficient number of 
qualified third-party verifiers and reviewers exists such that 
applicable entities will be unable to meet the 90-day deadline in 
Requirements R2 and R6. To the extent an applicable entity requires 
additional time to comply, that situation should be addressed on a 
case-by-case basis.\73\ Reclamation has not explained why Requirement 
R2.1 should be modified to require that a transmission owner use its 
planning coordinator or transmission planner as a verifier, and thus we 
reject that proposal. In addition, addressing Reclamation's second 
point, while risk and cost could be aspects of an applicable entity's 
technical justification for declining to follow a third-party 
recommendation, ultimately there must be a sufficient objective basis 
in the justification document from which to determine that the 
applicable entity acted reasonably in declining to follow the 
recommendation.
---------------------------------------------------------------------------

    \73\ For similar reasons, we reject Entergy's suggestion that 
Reliability Standard CIP-014-1 include language providing for 
flexibility concerning delays in compliance with deadlines contained 
in the Reliability Standard due to acts of nature. See Entergy 
Comments at 1.
---------------------------------------------------------------------------

    89. With respect to KCP&L's comments, there may be value in NERC 
developing a list of qualified third-party verifiers and reviewers or 
otherwise requiring some form of registration process for third-party 
verifiers and reviewers. The Commission, however, will not direct NERC 
to do so at this time. We expect that NERC could, as Reliability 
Standard CIP-014-1 is implemented, pursue or, if necessary, propose 
such an effort if warranted. Indeed, Reliability Standard CIP-014-1 
appears to contemplate such a role for NERC by indicating in 
Requirement R6.1 that an entity is qualified to serve as a reviewer if 
``approved by the ERO.'' In addition, we see no reason why an ISO or 
RTO could not serve as a third-party verifier or reviewer provided it 
satisfies the qualifications stated in Requirements R2.1 and R6.1. We 
also conclude that the term ``unaffiliated third party'' is 
sufficiently clear. As NERC stated in its petition, ``the term 
`unaffiliated' means that the selected verifying entity cannot be a 
corporate affiliate (i.e., the verifying entity cannot be an entity 
that corporately controls, is controlled by or is under common control 
with, the Transmission Owner). The verifying entity also cannot be a 
division of the Transmission Owner that operates as a functional 
unit.'' \74\ KCP&L does not indicate what, in this explanation, is 
ambiguous or requires clarification.
---------------------------------------------------------------------------

    \74\ NERC Petition at 34-35.
---------------------------------------------------------------------------

    90. With respect to ITC's comment, third-party verification under 
Requirement R2 adds an important layer of expertise and independence in 
the identification of critical facilities. However, verification under 
Requirement R2 is not intended to and, indeed, cannot cure an 
applicable entity's failure to comply with Requirement R1 if it is 
determined by the compliance enforcement authority that the applicable 
entity failed to do so, a situation that ITC concedes could

[[Page 70079]]

happen.\75\ We anticipate that a properly verified critical facility 
list will normally result in compliance with Requirement R1, but the 
Commission cannot foreclose the possibility that that may not be the 
case.\76\
---------------------------------------------------------------------------

    \75\ ITC Comments at 9 (``ITC further doesn't disagree that, in 
extremely dire circumstances, a risk assessment which has been 
verified by a third-party may nonetheless be so deficient (and the 
third-party review be similarly inadequate) that it could be 
considered non-compliant.''); see also NERC Petition at 37 (``If, in 
the course of assessing an entity's compliance with the proposed 
Reliability Standard, NERC, a Regional Entity, or FERC finds that 
the entity's transmission analysis was patently deficient and that 
the Requirement R2 verification process did not cure those 
deficiencies, they could use their enforcement authority to compel 
Transmission Owners to re-perform the risk assessment using 
assumptions designed to identify the appropriate critical 
facilities.'').
    \76\ See Order No. 706, 122 FERC ] 61,040 at P 320 (denying 
``safe harbor'' for good faith compliance with CIP Reliability 
Standards).
---------------------------------------------------------------------------

F. Generators

March 7 Order
    91. The March 7 Order did not direct NERC to make the physical 
security Reliability Standards applicable to specific functional entity 
types. The March 7 Order stated that ``some of the requirements imposed 
by these newly proposed Reliability Standards may best be performed by 
the owner and other activity may best be performed by the operator,'' 
and that NERC should clearly indicate which entity is responsible for 
each requirement.\77\ With regard to the applicable types of 
facilities, the Commission stated that it ``is not requiring NERC to 
adopt a specific type of risk assessment, nor is the Commission 
requiring that a mandatory number of facilities be identified as 
critical facilities under the Reliability Standards.'' \78\
---------------------------------------------------------------------------

    \77\ March 7 Order, 146 FERC ] 61,166 at P 6, n.4.
    \78\ Id. P 6.
---------------------------------------------------------------------------

NERC Petition
    92. In explaining why the Reliability Standard does not include 
generator owners and generator operators as applicable entities, the 
standard drafting team found that:

it was not necessary to include Generator Operators and Generator 
Owners in the Reliability Standard. First, Transmission stations or 
Transmission substations interconnecting generation facilities are 
considered when determining applicability. Transmission Owners will 
consider those Transmission stations and Transmission substations 
that include a Transmission station on the high side of the 
Generator Step-up transformer (GSU) using Applicability Section 
4.1.1.1 and 4.1.1.2 . . . Second, the transmission analysis or 
analyses conducted under Requirement R1 should take into account the 
impact of the loss of generation connected to applicable 
Transmission stations or Transmission substations. Additionally, the 
[March 7] order does not explicitly mention generation assets and is 
reasonably understood to focus on the most critical Transmission 
Facilities.\79\
---------------------------------------------------------------------------

    \79\ NERC Petition, Exhibit A (Proposed Reliability Standard) at 
23. The standard drafting team provided the following example: ``a 
Transmission station or Transmission substation identified as a 
Transmission Owner facility that interconnects generation will be 
subject to the Requirement R1 risk assessment if it operates at 500 
kV or greater or if it is connected at 200 kV-499 kV to three or 
more other Transmission stations or Transmission substations and has 
an `aggregate weighted value' exceeding 3000 according to the table 
in Applicability Section 4.1.1.2.'' Id. at 23.

    93. NERC explains that generator owners and generator operators 
were not included in the applicability section because, ``while the 
loss of a generator facility due to a physical attack may have local 
reliability effects, the loss of the facility is unlikely to have the 
widespread, uncontrollable impact'' contemplated for loss of a critical 
facility in the March 7 Order.\80\ NERC maintains that a ``generation 
facility does not have the same critical functionality as certain 
Transmission stations and Transmission substations due to the limited 
size of generating plants, the availability of other generation 
capacity connected to the grid, and planned resilience of the 
transmission system to react to the loss of a generation facility.'' 
\81\
---------------------------------------------------------------------------

    \80\ NERC Petition at 22.
    \81\ Id.
---------------------------------------------------------------------------

NOPR
    94. The NOPR proposed to approve the applicability section of the 
Reliability Standard CIP-014-1 without the inclusion of generator 
owners and generator operators. The NOPR stated that omitting generator 
owners and generator operators from the applicability section is 
consistent with the March 7 Order. The NOPR affirmed the statement in 
the March 7 Order that the ``number of facilities identified as 
critical will be relatively small compared to the number of facilities 
that comprise the Bulk-Power System.'' \82\ The NOPR proposed to accept 
NERC's justification for excluding generator owners and operators 
because it is in keeping with the March 7 Order's focus on protecting 
the most critical facilities. The NOPR stated that, according to NERC, 
a generation facility ``does not have the same critical functionality 
as certain Transmission stations and Transmission substations due to 
the limited size of generating plants, the availability of other 
generation capacity connected to the grid, and planned resilience of 
the transmission system to react to the loss of a generation 
facility.'' \83\ The NOPR also noted that Requirement R1 mandates a 
transmission analysis that accounts for transmission owner- or 
transmission operator-owned substations that connect generating 
stations to the Bulk-Power System with step-up transformers.
---------------------------------------------------------------------------

    \82\ NOPR, 148 FERC ] 61,040 at P 44 (quoting March 7 Order, 146 
FERC ] 61,166 at P 12).
    \83\ NOPR, 148 FERC ] 61,040 at P 45 (quoting NERC Petition at 
22).
---------------------------------------------------------------------------

    95. While proposing to accept the applicability section of the 
proposed Reliability Standard, the NOPR stated that NERC's proposed 
omission of generator owners and generator operators could potentially 
exempt substations owned or operated by generators. The NOPR sought 
comment on the potential reliability impact of excluding generator 
owned or operated substations.
Comments
    96. NERC states that it supports the NOPR proposal to approve the 
applicability criteria in Reliability Standard CIP-014-1 without the 
inclusion of generator owners and generator operators. NERC, 
reiterating the justification in the NERC petition, states that the 
loss of a generation facility is unlikely to result in critical impacts 
on the Bulk-Power System.
    97. Associations, Trade Associations, Reclamation, G&T 
Cooperatives, KCP&L, Idaho Power, and APS also support the NOPR 
proposal.\84\ Associations' comments are representative of the comments 
supportive of the NOPR proposal in that Associations state that 
generation facilities will be considered in Reliability Standard CIP-
014-1, even without generator owners and generator operators included 
in the applicability criteria, because all generators interconnected to 
applicable transmission stations or substations will be in included in 
the transmission analysis under applicability sections 4.1.1.1 and 
4.1.1.2.
---------------------------------------------------------------------------

    \84\ Associations Comments at 16-17; Trade Associations Comments 
at 12-13; Reclamation Comments at 1; G&T Cooperatives Comments at 
13-14; KCP&L Comments at 5; Idaho Power Comments at 3; APS Comments 
at 4-5.
---------------------------------------------------------------------------

    98. Paschall states, without elaboration, that generation 
facilities should be included within the scope of Reliability Standard 
CIP-014-1. Foundation comments that it supports Reliability Standard 
CIP-014-1, as modified in the NOPR, and also advocates for the 
inclusion of certain generation facilities in a second stage physical 
security Reliability Standard (discussed in Section H below).

[[Page 70080]]

Commission Determination
    99. We adopt the NOPR proposal and approve the applicability 
criteria in Reliability Standard CIP-014-1 without the inclusion of 
generator owners and generator operators. As the Commission stated in 
the NOPR, we agree with NERC that a generation facility ``does not have 
the same critical functionality as certain Transmission stations and 
Transmission substations due to the limited size of generating plants, 
the availability of other generation capacity connected to the grid, 
and planned resilience of the transmission system to react to the loss 
of a generation facility.''
    100. Paschall provides a conclusory statement that generation 
facilities should be included in Reliability Standard CIP-014-1, but 
does not provide a rationale for this position. Thus, we find 
Paschall's comments unpersuasive.

G. Confidentiality

March 7 Order
    101. The March 7 Order stated that:

    All three steps of compliance with the Reliability Standard 
described above could contain sensitive or confidential information 
that, if released to the public, could jeopardize the reliable 
operation of the Bulk-Power System. Guarding sensitive or 
confidential information is essential to protecting the public by 
discouraging attacks on critical infrastructure. Therefore, NERC 
should include in the Reliability Standards a procedure that will 
ensure confidential treatment of sensitive or confidential 
information but still allow for the Commission, NERC and the 
Regional Entities to review and inspect any information that is 
needed to ensure compliance with the Reliability Standards.\85\
---------------------------------------------------------------------------

    \85\ March 7 Order, 146 FERC ] 61,166 at P 10.
---------------------------------------------------------------------------

NERC Petition
    102. Reliability Standard CIP-014-1 includes two requirements 
addressing the concerns over confidentiality. Requirements R2.2 and 
R6.4, which are substantially the same, state that ``[e]ach 
Transmission Owner shall implement procedures, such as the use of non- 
disclosure agreements, for protecting sensitive or confidential 
information made available to the unaffiliated third party [verifier or 
reviewer] and to protect or exempt sensitive or confidential 
information developed pursuant to this Reliability Standard from public 
disclosure.''
Comments
    103. Associations, GridWise, Duke, Seattle, ITC, and Trade 
Associations state that the Commission should explicitly address the 
issue of confidentiality in the final rule. Associations state that the 
Commission should state that any data produced or collected by an RTO 
in accordance with a requirement of Reliability Standard CIP-014-1 are 
protected and should not be made available to a market monitor pursuant 
to a RTO tariff or market monitor agreement. Associations state that, 
at a minimum, a market monitor should have to make a filing with the 
Commission explaining the need for such information and indicating how 
the market monitor would protect such information from disclosure. 
GridWise and ITC state that they share Associations' concerns regarding 
confidentiality.
    104. Trade Associations and Seattle comment that the final rule 
should contain an explicit statement that Reliability Standard CIP-014-
1 is intended to preempt any state or local public disclosure laws. 
SWTDUG's reply comments question the Commission's legal authority to 
preempt state or local public disclosure laws, as suggested by Trade 
Associations and Seattle, without further Congressional action.
    105. Duke comments that the Commission should take all necessary 
steps to protect the confidential information related to the activities 
of applicable entities, the Commission, NERC and Regional Entities in 
performance of their obligations under Reliability Standard CIP-014-1. 
Duke states that, pursuant to the Commission's regulations, the 
``disposition of each violation or alleged violation that relates to a 
Cybersecurity Incident or that would jeopardize the security of the 
Bulk-Power System if publicly disclosed shall be nonpublic unless the 
Commission directs otherwise.'' \86\ Duke recommends interpreting this 
provision to include violations of Reliability Standard CIP-014-1 or to 
revise the regulation to do so. Duke also maintains that: (1) The risk 
assessment required under Requirement R1; (2) the third-party 
verification performed under Requirement R2; (3) the notification 
provided to transmission operators under Requirement R3; (4) the 
evaluation of threats and vulnerabilities performed under Requirement 
R4; (5) the development of physical security plans performed under 
Requirement R5; and (6) the third-party review performed under 
Requirement R6 all qualify as CEII. In addition, Duke states that this 
information is also exempt from the Freedom of Information Act under 
the (b)(4) exemption for ``trade secrets and commercial or financial 
information obtained from a person and privileged or confidential.''
---------------------------------------------------------------------------

    \86\ 18 CFR 39.7(b)(4).
---------------------------------------------------------------------------

Commission Determination
    106. In the March 7 Order, the Commission recognized that 
compliance with the contemplated physical security Reliability 
Standards would likely require the development or sharing of 
confidential or sensitive material that, if disclosed to the public, 
could jeopardize the reliable operation of the Bulk-Power System. As a 
result, the Commission directed NERC to include adequate procedures in 
the Reliability Standards to prevent the dissemination of confidential 
or sensitive information.
    107. We find that NERC has included sufficient safeguards in 
Reliability Standard CIP-014-1 to ensure that confidential or sensitive 
information produced in compliance with the Reliability Standard will 
not be publicly disclosed. Reliability Standard CIP-014-1 includes 
requirements regarding the sharing of information between applicable 
entities and third-party verifiers and reviewers in Requirements R2.4 
and R6.4. Moreover, the ``Compliance'' section of Reliability Standard 
CIP-014-1 provides: ``Confidentiality: To protect the confidentiality 
and sensitive nature of the evidence for demonstrating compliance with 
this standard, all evidence will be retained at the Transmission 
Owner's and Transmission Operator's facilities.''
    108. The Commission will take all necessary and appropriate steps, 
as provided for in our governing statutes and regulations, to preserve 
an applicable entity's confidential or sensitive information when the 
public disclosure of such information could jeopardize the reliable 
operation of the Bulk-Power System. However, we decline to address in 
this final rule issues of preemption or the specific mechanism for 
treating confidential or sensitive information. Moreover, we find that 
it would be inappropriate to address Associations' request concerning 
the disclosure of information related to compliance with Reliability 
Standard CIP-014-1 to market monitors pursuant to a market monitor 
agreement or RTO tariff. No such agreements or tariffs are before us in 
this rulemaking proceeding.

H. Other Issues

    109. Entergy seeks clarification as to whether the requirement in 
Reliability Standard CIP-014-1, Requirement R5 that an applicable 
entity ``shall develop and implement a documented physical security 
plan(s) that covers their

[[Page 70081]]

respective Transmission station(s), Transmission substation(s), and 
primary control center(s) . . . [and] shall be developed within 120 
calendar days following the completion of Requirement R2 and executed 
according to the timeline specified in the physical security plan(s)'' 
means that the actions called for in the security plan must be 
completed within 120 days. We see no ambiguity in Requirement R5 as the 
requirement only states that the security plan, not the actions called 
for in the plan, must be developed within 120 calendar days.
    110. Reclamation proposes that the term ``risk assessment'' in 
Requirement R1 of Reliability Standard CIP-014-1 be changed to ``impact 
assessment'' because the requirement contemplates an assessment on the 
impact of the loss of facilities on the stability of the bulk electric 
system rather than a ``risk assessment.'' Reclamation further states 
that, based on the generally accepted meaning of the term ``risk 
assessment,'' that term better correlates to Requirement R4. We see no 
practical reason to require NERC to modify the nomenclature used in 
Requirement R1. Similarly, we see no reason to require NERC to change 
``risk assessment'' to ``threat risk assessment,'' as suggested by 
Paschall, or to require NERC to define ``risk assessment'' because the 
term is largely defined in Requirement R1.
    111. Foundation recommends that the Commission direct NERC to begin 
development of a second phase physical security Reliability Standard. 
Foundation maintains that such a Reliability Standard would address 
deficiencies in Reliability Standard CIP-014-1, including the exclusion 
of generation facilities and certain control centers. For example, 
Foundation maintains that the loss of a single generation facility 
could cause cascading outages on the Bulk-Power System. However, for 
the reasons discussed in Sections C and F above, we are not persuaded 
that there is a sufficient factual basis at this time to direct NERC to 
develop a second phase physical security Reliability Standard. While we 
decline to direct NERC to develop a second phase physical security 
Reliability Standard at this time, the informational filing on ``High 
Impact'' control centers required in this final rule, the post-
implementation reports that NERC has committed to provide to the 
Commission, the Commission's compliance and enforcement efforts, and 
other outreach with NERC, industry and the public, will inform the 
Commission's views going forward as to what additional steps, if any, 
might be required to help ensure the reliable operation of the Bulk-
Power System in the face of physical security threats.

I. Violation Risk Factors and Violation Severity Levels

    112. Each requirement of Reliability Standard CIP-014-1 includes 
one violation risk factor and has an associated set of at least one 
violation severity level. The ranges of penalties for violations will 
be based on the sanctions table and supporting penalty determination 
process described in the Commission-approved NERC Sanction Guidelines, 
according to the NERC petition. The NOPR proposed to approve the 
violation risk factors and violation severity levels for the 
requirements in Reliability Standard CIP-014-1 consistent with the 
Commission's established guidelines.\87\ The Commission did not receive 
any comments regarding this aspect of the NOPR. Accordingly, the 
Commission approves the violation risk factors and violation severity 
levels for the requirements in Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \87\ North American Electric Reliability Corp., 135 FERC ] 
61,166 (2011).
---------------------------------------------------------------------------

J. Implementation Plan and Effective Date

NERC Petition
    113. The NERC petition proposes that Reliability Standard CIP-014-1 
become effective the ``first day of the first calendar quarter that is 
six months beyond the date that this standard is approved by applicable 
regulatory authorities'' (i.e., the effective date of a final rule in 
this proceeding approving the proposed Reliability Standard).\88\ NERC 
states that the initial risk assessment required under Requirement R1 
must be completed by or before the effective date of the proposed 
Reliability Standard.\89\ As described in the requirements of the 
Reliability Standard, NERC also identifies when Requirements R2, R3, 
R4, R5, and R6 must be complied with following the effective date of 
Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \88\ NERC Petition, Exhibit B (Implementation Plan) at 1. 
Exhibit B also delineates the completion timelines for Requirements 
R2 through R6. Parts 2.1, 2.2, and 2.4 of Requirement R2 shall be 
completed within 90 calendar days of the effective date of the 
Reliability Standard. Part 2.3 of Requirement R2 shall be completed 
within 60 calendar days of the completion of performance under 
Requirement R2 part 2.2. Requirement R3 shall be completed within 7 
calendar days of completion of performance under Requirement R2. 
Requirements R4 and R5 shall be completed within 120 calendar days 
of completion of performance under Requirement R2. Parts 6.1, 6.2, 
and 6.4 of Requirement R6 shall be completed within 90 calendar days 
of completion of performance under Requirement R5. Part 6.3 of 
Requirement R6 shall be completed within 60 calendar days of 
Requirement R6 part 6.2.
    \89\ Id.
---------------------------------------------------------------------------

NOPR
    114. The NOPR proposed to approve NERC's implementation plan and 
effective date for Reliability Standard CIP-014-1.
Comments
    115. KCP&L states that the Commission should make it clear if the 
effective date of Reliability Standard CIP-014-1 will be earlier than 
April 2016, which KCP&L states is the effective date of Reliability 
Standard CIP-002-5. KCP&L states that the ``basis for determination of 
criticality in CIP-014-1 references the same applicability as found in 
the CIP-002-5 . . . [and the] potential disconnect in implementation 
dates may impact registered entities adversely in preparations for 
Critical Infrastructure Protection standards or in application of 
physical security improvements given the work required to identify 
critical assets.'' \90\
---------------------------------------------------------------------------

    \90\ KCP&L Comments at 7.
---------------------------------------------------------------------------

Commission Determination
    116. We approve the implementation plan and effective date proposed 
by NERC for Reliability Standard CIP-014-1. In response to KCP&L's 
comment, we understand that, pursuant to the implementation plan and 
effective date proposed by NERC and approved herein, Reliability 
Standard CIP-014-1 will become effective before April 2016.

III. Information Collection Statement

    117. The Paperwork Reduction Act (PRA) \91\ requires each federal 
agency to seek and obtain Office of Management and Budget (OMB) 
approval before undertaking a collection of information directed to ten 
or more persons or contained in a rule of general applicability. OMB 
regulations require approval of certain information collection 
requirements imposed by agency rules.\92\ Upon approval of a 
collection(s) of information, OMB will assign an OMB control number and 
an expiration date. Respondents subject to the filing requirements of 
an agency rule will not be penalized for failing to respond to these 
collections of information unless the collections of information 
display a valid OMB control number.
---------------------------------------------------------------------------

    \91\ 44 U.S.C. 3501-3520.
    \92\ See 5 CFR 1320.10.

---------------------------------------------------------------------------

[[Page 70082]]

Comments

    118. Associations state that developing a security plan will cost 
more than $19,000 per company and ``should include a more realistic 
estimate of costs to comply with the proposed standard because of the 
influence that the Commission's assessment may have on the judgment of 
state utility commission or other regulatory authorities determining 
the prudence of costs incurred to comply with the proposed standard.'' 
\93\ Associations also state ``that it understands that one medium-
sized investor-owned utility anticipates that third-party contract 
support will cost approximately $270,000 for conducting transmission 
studies under R1, third-party verification under R2, analyses of 
threats under R4, and support for security plan development under R5.'' 
\94\ Associations further state that the Commission's estimate did not 
include the cost of implementing the actual security measures included 
in applicable entity security plan. KCP&L states that it supports 
Associations' comments.
---------------------------------------------------------------------------

    \93\ Associations Comments at 19.
    \94\ Id. at 19 n.19.
---------------------------------------------------------------------------

Commission Determination

    119. We adopt the Information Collection Statement estimates 
contained in the NOPR. As we have previously stated, the estimates 
provided in an Information Collection Statement are meant to quantify 
the paperwork burden imposed by a final rule.\95\ The Information 
Collection Statement is not intended to estimate the cost of compliance 
with the requirements of a Reliability Standard approved in a final 
rule.\96\ Associations has not explained why it believes the 
Commission's paperwork burden estimate is not ``realistic'' or what 
would be a ``realistic'' figure other than to relate, in a footnote, 
that it understands that an unidentified medium-sized utility 
anticipates that compliance with requirements of Reliability Standard 
CIP-014-1, rather than the paperwork burden imposed by a final rule 
approving the Reliability Standard, will cost approximately $270,000. 
Associations' comments do not provide any creditable evidence or 
analysis to cause us to reevaluate the paperwork burden estimate 
contained in the NOPR. Accordingly, as set forth below, we adopt the 
NOPR's Information Collection Statement burden and cost estimates.
---------------------------------------------------------------------------

    \95\ As defined in the PRA, ``the term ``burden'' means time, 
effort, or financial resources expended by persons to generate, 
maintain, or provide information to or for a Federal agency, 
including the resources expended for--(A) reviewing instructions; 
(B) acquiring, installing, and utilizing technology and systems; (C) 
adjusting the existing ways to comply with any previously applicable 
instructions and requirements; (D) searching data sources; (E) 
completing and reviewing the collection of information; and (F) 
transmitting, or otherwise disclosing the information.''
    \96\ Version 5 Critical Infrastructure Protection Reliability 
Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ] 
61,160, at P 235 (2013), order granting clarification in part and 
denying rehearing, Order No. 791-A, 146 FERC ] 61,188 (2014).
---------------------------------------------------------------------------

    120. The Commission based its estimates on the number of 
respondents on the NERC compliance registry as of May 28, 2014. 
According to the registry, there are 357 transmission owners (TOs) and 
197 transmission operators (TOPs). The NERC compliance registry also 
shows that there are only 19 transmission operators that are not also 
registered as a transmission owner.
    121. The burden associated with the final rule is included in FERC-
725U (Mandatory Reliability Standards: Reliability Standard CIP-014, 
OMB Control Number 1902-0274).\97\ The following table shows the 
Commission's burden and cost estimates, broken down by requirement and 
year:
---------------------------------------------------------------------------

    \97\ The requirement for NERC to make the informational filing 
is part of the responsibilities related to being the nation-wide 
Electric Reliability Organization. The burden related to that filing 
is part of FERC-725 (OMB Control Number 1902-0225).
    \98\ The estimates for cost per response are derived using the 
following formula: Average Burden Hours per Response * XX per Hour = 
Average Cost per Response.
    The hourly cost figures are based on data for wages plus 
benefits from the Bureau of Labor Statistics (as of September 4, 
2014) at http://www.bls.gov/oes/current/naics3_221000.htm and http://www.bls.gov/news.release/ecec.nr0.htm. The figures are rounded for 
the purposes of calculations in this table and are:
     For electrical engineers: $60.87/hr., rounded to $61/
hr.
     for attorneys: $128/hr.
     for administrative staff: $31.86/hr., rounded to $32/
hr.

                                                                        FERC-725U
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                  Number of                           Average burden      Total burden
Requirements in reliability standard CIP-    Number and type of respondents     responses per     Total number of     hours and cost    hours and total
                014-1 over                                                        respondent         responses      per response \98\         cost
years 1-3                                  (1)..............................                (2)        (1)*(2)=(3)                (4)            (3)*(4)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Year 1:
    R1...................................  357 TOs..........................                  1                357                 20              7,140
                                                                                                                               $1,220           $435,540
    R2...................................  357 TOs..........................                  1                357                 34             12,138
                                                                                                                               $2,342           $836,094
    R3...................................  2 TOPs...........................                  1                  2                  1                  2
                                                                                                                                 $128               $256
    R4...................................  30 TOs...........................                  1                 32                 80              2,560
                                           2 TOPs...........................  .................  .................             $4,880           $156,160
    R5...................................  30 TOs...........................                  1                 32                320             10,240
                                           2 TOPs...........................  .................  .................            $19,520           $624,640
    R6...................................  30 TOs...........................                  1                 32                304              9,728
                                           2 TOPs...........................  .................  .................            $18,812           $601,984
Record Retention.........................  357 TOs..........................                  1                359                  2                718
                                           2 TOPs...........................  .................  .................                $64            $22,976
Year 2:
    Record Retention.....................  357 TOs..........................                  1                359                  2                718
                                           2 TOPs...........................  .................  .................                $64            $22,976
Year 3:
    R1...................................  30 TOs...........................                  1                 30                 20                600
                                           .................................  .................  .................             $1,220            $36,600
    R2...................................  30 TOs...........................                  1                 30                 34              1,029

[[Page 70083]]

 
                                           .................................  .................  .................             $2,342            $70,260
    R3...................................  2 TOPs...........................                  1                  2                  1                  2
                                           .................................  .................  .................               $128               $256
    R4...................................  30 TOs...........................                  1                 32                 80              2,560
                                           2 TOPs...........................  .................  .................             $4,880           $156,160
    R5...................................  30 TOs...........................                  1                 32                 80              2,560
                                           2 TOPs...........................  .................  .................             $4,880           $156,160
    R6...................................  30 TOs...........................                  1                 32                134              4,288
                                           2 TOPs...........................  .................  .................             $8,442           $270,144
    Record Retention.....................  357 TOs..........................                  1                359                  2                718
                                           2 TOPs...........................  .................  .................                $64            $22,976
                                                                                                                                      ------------------
        Year 1 Total.....................  .................................  .................  .................  .................             42,526
                                           .................................  .................  .................  .................         $2,677,650
        Year 2 Total.....................  .................................  .................  .................  .................                718
                                           .................................  .................  .................  .................            $22,976
        Year 3 Total.....................  .................................  .................  .................  .................             11,748
                                           .................................  .................  .................  .................           $712,556
                                                                                                                                      ------------------
            TOTAL (for Years 1-3)........  .................................  .................  .................  .................             54,992
                                           .................................  .................  .................  .................         $3,413,182
--------------------------------------------------------------------------------------------------------------------------------------------------------

    122. In arriving at the figures in the above table, the Commission 
made the following assumptions:
    a. Requirement R1: We assume that responsible entities will 
complete the required risk assessment at approximately the same time as 
they complete the assessments required under the existing TPL 
Reliability Standards. Accordingly, the burden for Reliability Standard 
CIP-014-1 only represents the documentation required in addition to 
what entities currently prepare. Conservatively, we assume that in the 
first year all transmission owners and transmission operators will 
complete the required risk assessment.\99\ In the third year, we assume 
that only 30 transmission operators will be required to do another risk 
assessment and that the entities with critical facilities after the 
first risk assessment will still have critical facilities after the 
second risk assessment.
---------------------------------------------------------------------------

    \99\ While it is likely that only large transmission owners and 
transmission operators will have critical facilities under 
Requirement R1, the Commission's estimate includes all transmission 
owners and operators because reliable data on what percentage of 
large owners and operators control critical facilities is 
unavailable.
---------------------------------------------------------------------------

    b. Requirement R5: We assume that developing physical security 
plans in the first year will be more time consuming than in later years 
because in later years the plans will likely only need to be updated.
    123. Title: FERC-725U, Mandatory Reliability Standards: Reliability 
Standard CIP-014-1.
    Action: Proposed Collection of Information.
    OMB Control No: 1902-0274.
    Respondents: Business or other for profit, and not for profit 
institutions.
    Frequency of Responses: Ongoing.
    Necessity of the Information: Reliability Standard CIP-014-1 
implements the Congressional mandate of the Energy Policy Act of 2005 
to develop mandatory and enforceable Reliability Standards to better 
ensure the reliability of the nation's Bulk-Power System. Specifically, 
Reliability Standard CIP-014-1 ensures that applicable entities with 
critical Bulk-Power System facilities develop and implement physical 
security plans to address physical security threats and vulnerabilities 
that could result in widespread instability, uncontrolled separation, 
or cascading within an Interconnection.
    Internal review: The Commission has reviewed Reliability Standard 
CIP-014-1 and has determined that the Reliability Standard is necessary 
to ensure the reliability and integrity of the nation's Bulk-Power 
System.
    124. Interested persons may obtain information on the reporting 
requirements by contacting: Federal Energy Regulatory Commission, 888 
First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office 
of the Executive Director, email: DataClearance@ferc.gov, Phone: (202) 
502-8663, fax: (202) 273-0873]. Comments on the requirements of this 
rule may also be sent to the Office of Information and Regulatory 
Affairs, Office of Management and Budget, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission]. 
For security reasons, comments should be sent by email to OMB at 
oira_submission@omb.eop.gov. Comments submitted to OMB should refer to 
FERC-725U and OMB Control No. 1902-0274.

IV. Environmental Analysis

    125. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\100\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\101\ The actions here fall 
within this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------

    \100\ Order No. 486, Regulations Implementing the National 
Environmental Policy Act of 1969, 52 FR 47897 (Dec. 17, 1987), FERC 
Stats. & Regs. Regulations Preambles 1986-1990 ] 30,783 (1987).
    \101\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act

    126. The Regulatory Flexibility Act of 1980 (RFA) \102\ generally 
requires a description and analysis of proposed

[[Page 70084]]

rules that will have significant economic impact on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \102\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    127. The Small Business Administration (SBA) revised its size 
standard (effective January 22, 2014) for electric utilities from a 
standard based on megawatt hours to a standard based on the number of 
employees, including affiliates.\103\ Under SBA's new size standards, 
transmission owners and transmission operators likely come under the 
following category and associated size threshold: Electric bulk power 
transmission and control, at 500 employees.\104\
---------------------------------------------------------------------------

    \103\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77,343 (Dec. 23, 2013).
    \104\ 13 CFR 121.201, Sector 22, Utilities.
---------------------------------------------------------------------------

    128. The NOPR stated that, based on U.S. economic census data, the 
approximate percentage of small firms in this category is 57 
percent.\105\ The NOPR also stated that the Commission did not have 
information concerning how the economic census data compares with 
entities registered with NERC and is unable to estimate the number of 
small transmission owners and transmission operators using the new SBA 
definition. However, the NOPR stated that Reliability Standard CIP-014-
1 only applies to transmission owners and transmission operators that 
own and/or operate certain critical Bulk-Power System facilities. In 
the NOPR, the Commission stated that it believes that Reliability 
Standard CIP-014-1 will be applicable to a relatively small group of 
large entities. No comments were received addressing the Commission's 
proposed certification.\106\
---------------------------------------------------------------------------

    \105\ NOPR, 148 FERC ] 61,040 at P 70. Data and further 
information are available on the SBA Web site. See SBA Firm Size 
Data, available at http://www.sba.gov/advocacy/849/12162. Since 
issuance of the NOPR, the Commission has obtained data that enables 
us to estimate more closely the number of small entities affected by 
this final rule. We now estimate that 28 percent (or 103 out of the 
359 entities) are small entities.
    \106\ To the extent that Associations' comments, which we 
addressed above in the Information Collection Statement section, 
were also directed to the Commission's proposed certification 
regarding the Regulatory Flexibility Act, Associations' comments do 
not dispute any of the assumptions underlying the proposed 
certification or contest the proposed certification itself.
---------------------------------------------------------------------------

    129. Accordingly, the Commission certifies that Reliability 
Standard CIP-014-1 will not have a significant impact on a substantial 
number of small entities. Accordingly, no regulatory flexibility 
analysis is required.

VI. Document Availability

    130. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington DC 20426.
    131. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    132. User assistance is available for eLibrary and the Commission's 
Web site during normal business hours from the Commission's Online 
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at 
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

    133. This final rule is effective January 26, 2015. The Commission 
has determined, with the concurrence of the Administrator of the Office 
of Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small Business 
Regulatory Enforcement Fairness Act of 1996.\107\ This final rule is 
being submitted to the Senate, House, and Government Accountability 
Office.
---------------------------------------------------------------------------

    \107\ 5 U.S.C. 804(2).

    By the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note:  This appendix will not appear in the Code of Federal 
Regulations.

Appendix

------------------------------------------------------------------------
           Abbreviation                           Commenter
------------------------------------------------------------------------
                           Initial Commenters
------------------------------------------------------------------------
APS...............................  Arizona Public Service Company.
Associations......................  Edison Electric Institute, Electric
                                     Power Supply Association,
                                     Electricity Consumers Resource
                                     Council.
BPA...............................  Bonneville Power Administration.
CEA...............................  Canadian Electricity Association.
Duke..............................   Duke Energy Corporation.
Entergy...........................  Entergy.
Foundation........................  Foundation for Resilient Societies.
GridWise..........................  GridWise Alliance.
G&T Cooperatives..................  Associated Electric Cooperative,
                                     Inc., Basin Electric Power
                                     Cooperative, and Tri-State
                                     Generation and Transmission
                                     Association, Inc.
Idaho Power.......................  Idaho Power Company.
ITC...............................  International Transmission Company.
KCP&L.............................  Kansas City Power & Light Company
                                     and KCP&L Greater Missouri
                                     Operations Company.
MISO..............................  Midcontinent Independent System
                                     Operator, Inc.
NARUC.............................  National Association of Regulatory
                                     Utility Commissioners.
NEMA..............................  National Electrical Manufactures
                                     Association.
NERC..............................  North American Electric Reliability
                                     Corporation.
NU................................  Utilities Northeast Utilities
                                     System.
NYPSC.............................  New York Public Service Commission.
Ohio PUC..........................  Public Utilities Commission of Ohio.
Oncor.............................  Oncor Electric Delivery Company LLC.
Pa PUC............................  Pennsylvania Public Utility
                                     Commission.
Paschall..........................  Roger Paschall.
Pepco.............................  Pepco Holdings, Inc.
Reclamation.......................  U.S. Department of Interior, Bureau
                                     of Reclamation.
Seattle...........................  City of Seattle.

[[Page 70085]]

 
SCE...............................  Southern California Edison.
SDG&E.............................  San Diego Gas & Electric.
SIA...............................  Security Industry Association.
Southern..........................  Southern Company Services, Inc.
TAPS..............................  Transmission Access Policy Study
                                     Group.
TVA...............................  Tennessee Valley Authority.
Trade Associations................  American Public Power Association,
                                     Large Public Power Council,
                                     National Rural Electric Cooperative
                                     Association.
Xcel..............................  Xcel Energy Services Inc.
------------------------------------------------------------------------
                            Reply Commenters
------------------------------------------------------------------------
Foundation........................  Foundation for Resilient Societies.
ITC...............................  International Transmission Company.
NIPSCO............................  Northern Indiana Public Service
                                     Company.
SmartSenseCom.....................  SmartSenseCom, Inc.
SWTDUG............................  Southwest Transmission Dependent
                                     Utility Group.
Tallahassee.......................  City of Tallahassee.
------------------------------------------------------------------------

[FR Doc. 2014-27908 Filed 11-24-14; 8:45 am]
BILLING CODE 6717-01-P