Revised Critical Infrastructure Protection Reliability Standard CIP-003-7-Cyber Security-Security Management Controls, 17913-17921 [2018-08610]

Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations

purposes of the PRA, a paperwork burden may take the form of either a reporting or a recordkeeping requirement, both referred to as information collections. This rule does not constitute a "collection of information" within the meaning of section 3502(3) and would not increase paperwork requirements under the PRA or regulations of the Office of Management and Budget (OMB).

Executive Order 13132

Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on state and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. The rule will not have substantial direct effect on the states, on the connection between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that this rule does not constitute a policy with federalism implications for purposes of the executive order.

Small Business Regulatory Enforcement Fairness Act

The Small Business Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104–121) (SBREFA) provides generally for congressional review of agency rules. A reporting requirement is triggered in instances where the NCUA issues a final rule as defined in Section 551 of the Administrative Procedure Act. The NCUA does not believe this final rule is a "major rule" within the meaning of the relevant sections of SBREFA. As required by SBREFA, the NCUA has filed the appropriate documentation with OMB for review.

The Treasury and General Government Appropriations Act of 1999—Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this rule will not affect family well-being within the meaning of Section 654 of the Treasury and General Government Appropriations Act, 1999.11

    11 Public Law 105–277, 112 Stat. 2681 (1998).

List of Subjects in 12 CFR Part 740

Advertisements, Credit unions, Share insurance, Signs and symbols.

By the National Credit Union Administration Board on April 19, 2018.

Gerard S. Poliquin,
Secretary of the Board.

For the reasons discussed above, the NCUA Board amends 12 CFR part 740 as follows:

PART 740—ACCURACY OF ADVERTISING AND NOTICE OF INSURED STATUS

■ 1. The authority citation for part 740 continues to read as follows:

Authority: 12 U.S.C. 1766, 1781, 1785, and 1789.

■ 2. Amend § 740.5 by revising paragraphs (a), (b), (c)(7) and (c)(8) to read as follows:

§ 740.5 Requirements for the official advertising statement.

(a) Each insured credit union must include the official advertising statement, prescribed in paragraph (b) of this section, in all of its advertisements, including on its main internet page, except as provided in paragraph (c) of this section.

(b)(1) The official advertising statement is in substance one of the following:

(i) This credit union is federally insured by the National Credit Union Administration;
(ii) Federally insured by NCUA;
(iii) Insured by NCUA; or
(iv) A reproduction of the official sign as described in § 740.4(b) may be used in lieu of the other statements included in this section. If the official sign is used as the official advertising statement, an insured credit union may alter the font size to ensure its legibility as provided in § 740.4(b)(2).

(2) The official advertising statement must be in a size and print that is clearly legible and may be no smaller than the smallest font size used in other portions of the advertisement intended to convey information to the consumer.

(c) * * *

(7) Advertisements by radio which do not exceed thirty (30) seconds in time;

(8) Advertisements by television, other than display advertisements, which do not exceed thirty (30) seconds in time;

* * * * *

[FR Doc. 2018–08557 Filed 4–24–18; 8:45 am]
BILLING CODE 7535–01–P

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM17–11–000; Order No. 843]

Revised Critical Infrastructure Protection Reliability Standard CIP–003–7—Cyber Security—Security Management Controls

AGENCY: Federal Energy Regulatory Commission.

ACTION: Final rule.

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves Critical Infrastructure Protection (CIP) Reliability Standard CIP–003–7 (Cyber Security—Security Management Controls), submitted by the North American Electric Reliability Corporation (NERC). Reliability Standard CIP–003–7 clarifies the obligations pertaining to electronic access control for low impact BES Cyber Systems; requires mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and requires responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. In addition, the Commission directs NERC to develop modifications to the CIP Reliability Standards to mitigate the risk of malicious code that could result from third-party transient electronic devices.

DATES: This rule will become effective June 25, 2018.

FOR FURTHER INFORMATION CONTACT:

Matthew Dale (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6826, matthew.dale@ferc.gov

Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6840, kevin.ryan@ferc.gov

SUPPLEMENTARY INFORMATION:

Before Commissioners: Kevin J. McIntyre, Chairman; Cheryl A. LaFleur, Neil Chatterjee, Robert F. Powelson, and Richard Glick.

1. Pursuant to section 215 of the Federal Power Act (FPA),1 the Commission approves Reliability Standard CIP–003–7 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. Reliability Standard CIP–003–7 addresses the Commission's directives from Order No. 822 and is an improvement over the current Commission-approved CIP Reliability Standards.2 Specifically, Reliability Standard CIP–003–7 improves upon the existing Reliability Standards by: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems;3 (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. We also approve NERC's proposed implementation plan and violation risk factor and violation severity level assignments. Finally, we approve NERC's proposed revised definitions for inclusion in the NERC Glossary.

    1 16 U.S.C. 824o (2012).

2.
In the NOPR, the Commission proposed to direct that NERC modify Reliability Standard CIP–003–7 to: (1) Provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems; and (2) address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices.4 The Commission adopts the NOPR proposal regarding third-party transient electronic devices but does not adopt the proposal regarding criteria for electronic access controls for low impact BES Cyber Systems.

    2 Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 154 FERC ¶ 61,037, reh'g denied, Order No. 822–A, 156 FERC ¶ 61,052 (2016).
    3 BES Cyber System is defined by NERC as "[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). The acronym BES refers to the bulk electric system. Reliability Standard CIP–002–5.1a (Cyber Security System Categorization) provides a "tiered" approach to cybersecurity requirements, based on classifications of high, medium and low impact BES Cyber Systems.
    4 Revised Critical Infrastructure Protection Reliability Standard CIP–003–7—Cyber Security—Security Management Controls, Notice of Proposed Rulemaking, 82 FR 49541 (Oct. 26, 2017), 161 FERC ¶ 61,047 (2017) (NOPR).

3. As discussed below, in view of the comments from NERC and others, we are persuaded that Reliability Standard CIP–003–7 provides a clear security objective that establishes compliance expectations. Accordingly, we do not adopt the proposed directive relating to electronic access controls for low impact BES Cyber Systems.
Instead, as suggested in the comments, we direct NERC to conduct a study to assess the implementation of Reliability Standard CIP–003–7 to determine whether the electronic access controls adopted by responsible entities provide adequate security. NERC must submit the directed study within eighteen months of the effective date of Reliability Standard CIP–003–7.

4. With regard to the second issue discussed in the NOPR, we remain concerned that the proposed Reliability Standard lacks a clear requirement to mitigate the risk of malicious code that could result from third-party transient electronic devices. Accordingly, we direct NERC to develop a modification to the Reliability Standard to provide the needed clarity. Such modification will better ensure that registered entities clearly understand their mitigation obligations and, thus, improve individual entity mitigation plans and collectively improve the cybersecurity posture of the electric grid.

I. Background

A. Section 215 and Mandatory Reliability Standards

5. Section 215 of the FPA requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.5 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,6 and subsequently certified NERC.7

    5 16 U.S.C. 824o(e).
    6 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672–A, FERC Stats. & Regs. ¶ 31,212 (2006).
    7 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (DC Cir. 2009).

B. Order No. 822

6. The Commission approved the "Version 1" CIP Reliability Standards in January 2008, and subsequently acted on revised versions of the CIP Reliability Standards.8 On January 21, 2016, in Order No. 822, the Commission approved seven CIP Reliability Standards: CIP–003–6 (Security Management Controls), CIP–004–6 (Personnel and Training), CIP–006–6 (Physical Security of BES Cyber Systems), CIP–007–6 (Systems Security Management), CIP–009–6 (Recovery Plans for BES Cyber Systems), CIP–010–2 (Configuration Change Management and Vulnerability Assessments), and CIP–011–2 (Information Protection). The Commission determined that the Reliability Standards under consideration at that time were an improvement over the prior iteration of the CIP Reliability Standards and addressed the directives in Order No. 791 by, among other things, addressing in an equally effective and efficient manner the need for a NERC Glossary definition for the term "communication networks" and providing controls to address the risks posed by transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at high and medium impact BES Cyber Systems.9

7. In addition, in Order No. 822, pursuant to section 215(d)(5) of the FPA, the Commission directed NERC, inter alia, to: (1) Develop modifications to the Low Impact External Routable Connectivity (LERC) definition to eliminate ambiguity surrounding the term "direct" as it is used in the LERC definition; and (2) develop modifications to the CIP Reliability Standards to provide mandatory protection for transient electronic devices used at low impact BES Cyber Systems.10

    8 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh'g, Order No. 706–A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706–B, 126 FERC ¶ 61,229 (2009), order on clarification, Order No. 706–C, 127 FERC ¶ 61,273 (2009); Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 145 FERC ¶ 61,160 (2013), order on clarification and reh'g, Order No. 791–A, 146 FERC ¶ 61,188 (2014).
    9 Order No. 822, 154 FERC ¶ 61,037 at P 17.
    10 Id. P 18.

C. NERC Petition

8. On March 3, 2017, NERC submitted a petition seeking approval of Reliability Standard CIP–003–7 and the associated violation risk factors and violation severity levels, implementation plan and effective date. NERC states that Reliability Standard CIP–003–7 satisfies the criteria set forth in Order No. 672 that the Commission applies when reviewing a proposed Reliability Standard.11 NERC also sought approval of revisions to NERC Glossary definitions for the terms Removable Media and Transient Cyber Asset, as well as the retirement of the NERC Glossary definitions of LERC and Low Impact BES Cyber System Access Point (LEAP). In addition, NERC proposed the retirement of Commission-approved Reliability Standard CIP–003–6.12

    11 See NERC Petition at 2 (citing Order No. 672, FERC Stats. & Regs. ¶ 31,204 at PP 262, 321–337); id., Exhibit D (Order No. 672 Criteria).

9. NERC states that Reliability Standard CIP–003–7 improves upon the existing protections that apply to low impact BES Cyber Systems.
NERC avers that the proposed modifications address the Commission's directives from Order No. 822 by: (1) Clarifying electronic access control requirements applicable to low impact BES Cyber Systems; and (2) adding requirements for the protection of transient electronic devices used for low impact BES Cyber Systems. In addition, while not required by Order No. 822, NERC proposes a CIP Exceptional Circumstances policy for low impact BES Cyber Systems.

10. In response to the Commission's directive to develop modifications to eliminate ambiguity surrounding the term "direct" as it is used in the LERC definition, NERC proposes to: (1) Retire the terms LERC and LEAP from the NERC Glossary; and (2) modify Section 3 of Attachment 1 to Reliability Standard CIP–003–7 "to more clearly delineate the circumstances under which Responsible Entities must establish access controls for low impact BES Cyber Systems."13 NERC states that the proposed revisions are designed to simplify the electronic access control requirements associated with low impact BES Cyber Systems to avoid ambiguities associated with the term "direct." NERC explains that it recognized the "added layer of unnecessary complexity" introduced by distinguishing between "direct" and "indirect" access within the LERC definition and asserts that the proposed revisions will "help ensure that Responsible Entities implement the required security controls effectively."14

    12 Reliability Standard CIP–003–7 is not attached to this Final Rule. The Reliability Standard is available on the Commission's eLibrary document retrieval system in Docket No. RM17–11–000 and is posted on the NERC website, http://www.nerc.com.
    13 NERC Petition at 16.
    14 Id. at 16.

11. With regard to the Commission's directive that NERC develop modifications to the CIP Reliability Standards to provide mandatory protection for transient electronic devices used at low impact BES Cyber Systems, NERC proposes to add a new section to Attachment 1 of Reliability Standard CIP–003–7 that requires responsible entities to include controls in their cyber security plans to mitigate the risk of the introduction of malicious code to low impact BES Cyber Systems that could result from the use of "Transient Cyber Assets or Removable Media." Specifically, proposed Section 5 of Attachment 1 lists controls to be applied to Transient Cyber Assets and Removable Media that NERC contends "will provide enhanced protections against the propagation of malware from transient devices."15

12. NERC also proposes a modification that was not directed by the Commission in Order No. 822. Namely, NERC proposes revisions in Requirement R1 of Reliability Standard CIP–003–7 to require responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.16 NERC states that a number of requirements in the existing CIP Reliability Standards specify that responsible entities do not have to implement or continue implementing these requirements to avoid hindering the entities' ability to timely and effectively respond to the CIP Exceptional Circumstance. NERC proposes to add a requirement for responsible entities to have a CIP Exceptional Circumstances policy that applies to low impact BES Cyber Systems since the proposed requirements relating to transient electronic devices used at low impact BES Cyber Systems include an exception for CIP Exceptional Circumstances.17

13. NERC requests that Reliability Standard CIP–003–7 and the revised definitions of Transient Cyber Asset and Removable Media become effective the first day of the first calendar quarter that is eighteen months after the effective date of the Commission's order approving the Reliability Standard.

D. Notice of Proposed Rulemaking

14. On October 19, 2017, the Commission issued a NOPR that proposed to approve Reliability Standard CIP–003–7.
The NOPR proposed to determine that Reliability Standard CIP–003–7 is just, reasonable, not unduly discriminatory or preferential, and in the public interest and addresses the directives in Order No. 822 by: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; and (2) adopting mandatory security controls for transient electronic devices used at low impact BES Cyber Systems. In addition, the NOPR observed that, by requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances for low impact BES Cyber Systems, Reliability Standard CIP–003–7 would align the treatment of low impact BES Cyber Systems with that of high and medium impact BES Cyber Systems, which currently include a requirement for declaring and responding to CIP Exceptional Circumstances. Therefore, the Commission proposed to approve Reliability Standard CIP–003–7 because the proposed modifications improve the base-line cybersecurity posture of responsible entities compared to the current Commission-approved CIP Reliability Standards.

    15 Id. at 26–27.
    16 A CIP Exceptional Circumstance is defined in the NERC Glossary as a situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or bulk electric system reliability: A risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.
    17 NERC Petition at 31–32.

15.
In addition, the Commission proposed to direct that NERC develop modifications to Reliability Standard CIP–003–7 to address two issues: (1) Provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems; and (2) address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. The Commission explained that modifications directed at these two concerns will address potential gaps and improve the cyber security posture of responsible entities that must comply with the CIP Reliability Standards.

16. The Commission received comments in response to the NOPR from Jonathan Appelbaum (Appelbaum), Electric Consumers Resource Council (ELCON), North American Electric Reliability Corporation (NERC), Transmission Access Policy Study Group (TAPS), and Trade Associations.18 We address below the issues raised in the NOPR and comments.

    18 Trade Associations represent American Public Power Association, Edison Electric Institute, and National Rural Electric Cooperative Association.

II. Discussion

17. Pursuant to section 215(d)(2) of the FPA, we approve Reliability Standard CIP–003–7 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. Reliability Standard CIP–003–7 addresses the directives in Order No. 822 and is an improvement over the currently-effective, Commission-approved CIP Reliability Standards.
Specifically, Reliability Standard CIP–003–7 improves upon the existing CIP Reliability Standards by: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. We also approve NERC's proposed implementation plan and violation risk factor and violation severity level assignments. Finally, we approve NERC's proposed revised definitions for inclusion in the NERC Glossary.

18. In addition, as discussed below, pursuant to section 215(d)(5) of the FPA, we adopt the NOPR proposal and direct NERC to develop modifications to the CIP Reliability Standards to mitigate the risk of malicious code that could result from third-party transient electronic devices. However, for the reasons discussed below, we determine not to adopt the NOPR proposal to direct NERC to develop criteria for electronic access controls for low impact BES Cyber Systems at this time.

19. Below, we discuss the following matters: (A) Criteria for electronic access controls for low impact BES Cyber Systems; (B) mitigation of the risk of malicious code associated with third-party transient electronic devices; and (C) implementation plan and effective date.

A. Criteria for Electronic Access Controls for Low Impact BES Cyber Systems

1. NOPR

20.
In the NOPR, the Commission proposed to direct NERC to develop modifications to Section 3 of Attachment 1 to Reliability Standard CIP–003–7 to provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems.19 Specifically, the proposed directive addressed the concern that Reliability Standard CIP–003–7 may not provide adequate electronic access controls for low impact BES Cyber Systems because Reliability Standard CIP–003–7 does not provide clear, objective criteria or measures to assess compliance by independently confirming that the access control strategy adopted by a responsible entity would reasonably meet the security objective of permitting only "necessary inbound and outbound electronic access" to its low impact BES Cyber Systems.20 The Commission stated that, in order to ensure an objective and consistently-applied requirement, the electronic access control plan required in Attachment 1 should require the responsible entity to articulate its access control strategy for a particular set of low impact BES Cyber Systems and provide a technical rationale rooted in security principles explaining how that strategy will reasonably restrict electronic access. In addition, the Commission stated that Attachment 1 should outline basic security principles in order to provide clear, objective criteria or measures to assist in assessing compliance.21

    19 NOPR, 161 FERC ¶ 61,047 at P 32.

21. The Commission observed that without clear, objective criteria or measures, auditors will not necessarily have adequate information to assess the reasonableness of the responsible entity's decision with respect to how the responsible entity identified necessary communications or restricted electronic access to specific low impact BES Cyber Systems.
The Commission posited that absent such information, it is possible that an auditor could assess a violation where an entity adequately protected its low impact BES Cyber Systems or fail to recognize a situation where additional protections are necessary to meet the security objective of the Reliability Standard.22

    20 Id. P 28.
    21 Id. P 29.
    22 Id.

2. Comments

22. NERC acknowledges the NOPR concerns but comments that a directive "may not be necessary."23 Specifically, NERC asserts that "Responsible Entities must provide auditors sufficient information to allow the auditors to properly assess compliance with section 3.1" of Reliability Standard CIP–003–7.24 NERC contends that Section 3.1 "articulates a clear security objective: permit only necessary inbound and outbound access to low impact BES Cyber Systems."25 NERC explains that Section 3.1 is not prescriptive due to the wide array of low impact BES Cyber Systems and their lower risk to bulk electric system reliability, but, while Section 3.1 grants responsible entities flexibility, "a Responsible Entity must demonstrate that its electronic access permissions and controls are consistent with the security objective."26 Specifically, NERC maintains that a responsible entity "must document the necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access."27 NERC states further that "[i]f a Responsible Entity fails to articulate a reasonable business or operational need for the electronic access permission, the ERO Enterprise would find that the Responsible Entity did not comply with Section 3.1."28 NERC continues that "[c]onsistent with the intent of the Commission's proposed directive, the Responsible Entity would have to articulate its access control strategy for the low impact BES Cyber System and provide a technical rationale rooted in security principles, explaining how that strategy will reasonably restrict electronic access."29 NERC states that if a responsible entity "fails to demonstrate that its chosen electronic access controls are properly designed and implemented to meet the security objective, the ERO Enterprise would find that the Responsible Entity did not comply with Section 3.1" of Reliability Standard CIP–003–7.30

    23 NERC Comments at 3.
    24 Id. (citing NERC Petition at 21–24).
    25 Id.
    26 Id.
    27 Id. at 3–4.
    28 Id. at 4 (citing NERC Petition at 22).
    29 Id.
    30 Id.

23. NERC concludes that while the Commission's proposed directive may not be necessary and could potentially be an inefficient use of NERC and industry resources, "[a]rticulating objective criteria for electronic access controls for low impact BES Cyber Systems may improve clarity and auditability, and help ensure that entities implement effective electronic access controls."31

24. Trade Associations, TAPS and ELCON do not support the proposed directive, claiming that the proposal would impose additional burdens on registered entities without a corresponding reliability benefit. Trade Associations and TAPS contend that Section 3 of Attachment 1 to Reliability Standard CIP–003–7 gives responsible entities needed flexibility to develop and implement effective electronic access controls for low impact BES Cyber Systems. TAPS adds that Reliability Standard CIP–003–7 reflects what NERC, through the standard development process, "determined was a technically appropriate tailoring of electronic access controls requirements to low impact BES cyber systems."32 Trade Associations recommend, as an alternative to the proposed directive, that the Commission approve the proposed Reliability Standard without modification and monitor its concerns, for example, by directing NERC to conduct a study to assess the implementation by responsible entities of Reliability Standard CIP–003–7 electronic access controls to determine whether there are in fact inadequate controls. According to Trade Associations, a fact-driven assessment would help to inform and demonstrate a reliability and security need for future Commission actions related to the CIP Reliability Standards.33

    31 Id. at 5.
    32 TAPS Comments at 7 (citing 16 U.S.C. 824o(d)).
    33 Trade Associations Comments at 9.

25. Further, Trade Associations assert that a risk-based approach is essential to allow responsible entities to focus their resources on assets that have a higher impact on bulk electric system reliability. ELCON adds that while it "appreciates the value establishing more tangible criteria for adequate Low-Impact BES Cyber System controls, . . . the additional requirements that the Commission proposes would do nothing to harden a Low-Impact facility against the rapid evolution in cyber warfare."34

26. Appelbaum supports the proposed directive regarding Section 3 of Attachment 1 to Reliability Standard CIP–003–7. Appelbaum notes that Reliability Standard CIP–003–7 "leaves the choice of controls to the [responsible entity] and leaves an Auditor with no requirement basis to perform an audit."35 Appelbaum states that under "NERC's proposal that each entity establishes their own security plan and only needs to demonstrate compliance and adherence to its plan then . . . the implementation of security controls will be implemented to various levels of security and differentiated . . . across the NERC Regions."36 Appelbaum states further that Reliability Standard CIP–003–7 "will result in different auditor conclusions for similarly situated entities implementing similar protections."37 Appelbaum concludes that "[c]lear requirements are needed to establish a common understanding of the necessary security to be achieved."38

    34 ELCON Comments at 4.
    35 Appelbaum Comments at 5.
    36 Id. at 6.
    37 Id. at 7.
    38 Id.

3. Commission Determination

27. We do not adopt the proposed directive, but rather adopt the Trade Associations' recommendation for a study and report to be filed with the Commission. We are satisfied with the explanation of NERC and other commenters that Section 3 of Attachment 1 to Reliability Standard CIP–003–7 provides a clear security objective that establishes compliance expectations. Specifically, we are persuaded by commenters that Section 3 of Attachment 1 requires responsible entities to adopt security controls to permit only necessary inbound and outbound electronic access to Cyber Assets connected using a routable protocol to low impact BES Cyber Systems.

28. The concern raised in the NOPR focused on the lack of clear, objective criteria or measures to assess compliance with Reliability Standard CIP–003–7. As noted above, however, NERC states in its comments that responsible entities will be required to demonstrate that electronic access permissions and controls associated with low impact BES Cyber Systems are consistent with the stated security objective. NERC also clarifies that responsible entities will be required to "document the [business or operational] necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access."39 Given NERC's statements, we believe that there will be adequate measures to assess compliance with Reliability Standard CIP–003–7.
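NERC's comments, as quoted above, make the compliance artifact concrete: for each low impact BES Cyber System, an inventory of inbound and outbound permissions, each tied to a documented business or operational need, behind an access control strategy that can be explained in security terms. The script below is an added example, not NERC's, FERC's or any ERO Enterprise audit tool, and it stands in for no part of the Reliability Standard. It audits a constructed rule inventory for the three gaps that follow directly from the Section 3.1 objective: a permission with no documented need, a permission scoped to "any" in source, destination, protocol or port, and a direction with no terminal deny-all. The rule schema, the finding codes, the addresses, ports and change-ticket reference are all assumptions.

```python
"""Audit a documented electronic access control inventory for a low impact
BES Cyber System against the Section 3.1 objective: permit only necessary
inbound and outbound routable access, with a justification for every
permission. Example code added to this page; it is not NERC or FERC material
and it does not describe how the ERO Enterprise audits. The rule schema, the
finding codes and the sample rule sets are assumptions."""

from dataclasses import dataclass
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class AccessRule:
    direction: str            # "inbound" or "outbound", relative to the BES Cyber System
    source: str               # CIDR, host address, or "any"
    destination: str          # CIDR, host address, or "any"
    protocol: str             # "tcp", "udp", "icmp", or "any"
    port: str                 # destination port, or "any"
    action: str               # "permit" or "deny"
    justification: str = ""   # the documented operational or business need


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str
    rule: Optional[AccessRule] = None


def _is_catch_all(rule: AccessRule) -> bool:
    return all(getattr(rule, f) == ANY for f in ("source", "destination", "protocol", "port"))


def audit_access_controls(rules: List[AccessRule]) -> List[Finding]:
    """Return one Finding per gap between the inventory and the objective.
    An empty list means every permission is justified and narrowly scoped,
    and both directions fall through to an explicit deny."""
    findings: List[Finding] = []

    # 1. Each direction must end in an explicit deny-all. Without it, "only
    #    necessary access is permitted" cannot be shown from the inventory,
    #    whatever the device's implicit default happens to be.
    for direction in ("inbound", "outbound"):
        in_dir = [r for r in rules if r.direction == direction]
        if not in_dir or in_dir[-1].action != "deny" or not _is_catch_all(in_dir[-1]):
            findings.append(Finding("NO_DEFAULT_DENY", f"no terminal deny-all for {direction} traffic"))

    for rule in rules:
        if rule.action != "permit":
            continue
        # 2. Every permission needs a documented need; an unjustified permit
        #    is what NERC says would not comply with Section 3.1.
        if not rule.justification.strip():
            findings.append(Finding("MISSING_JUSTIFICATION", "permit with no documented need", rule))
        # 3. A permission scoped to "any" is broader than a single stated
        #    need can explain, so it cannot be "necessary" as written.
        unbounded = [f for f in ("source", "destination", "protocol", "port") if getattr(rule, f) == ANY]
        if unbounded:
            findings.append(Finding("OVERLY_BROAD", "unbounded " + ", ".join(unbounded), rule))
    return findings


# Constructed sample inventories; addresses, ports and the ticket number are invented.
WEAK_RULES = [
    # "Allow everything in", no stated need, and no closing deny in either direction.
    AccessRule("inbound", ANY, ANY, ANY, ANY, "permit"),
]

CORRECTED_RULES = [
    AccessRule("inbound", "10.20.30.0/24", "10.50.1.10/32", "tcp", "20000", "permit",
               "DNP3 polling of the substation RTU by the control-center EMS (change OT-142)"),
    AccessRule("outbound", "10.50.1.10/32", "10.20.30.5/32", "udp", "123", "permit",
               "NTP time synchronisation to the corporate stratum-2 server"),
    AccessRule("inbound", ANY, ANY, ANY, ANY, "deny"),
    AccessRule("outbound", ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        result = audit_access_controls(rules)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print(f"  {finding.code}: {finding.detail}")
```

Running the block prints the findings for the weak inventory (two missing terminal denies, one unjustified permit, one permit unbounded in every field) and none for the corrected one. The check covers only the documentation, not the device: an auditor still has to confirm that the running configuration matches the inventory, and a rule that passes here can still be unnecessary if the stated need does not hold up, which is the judgement NERC says the ERO Enterprise would exercise.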
We expect responsible entities to be able to provide a technically sound explanation as to how their electronic access controls meet the security objective. 29. In response to Appelbaum’s comment that auditors will not have a common understanding on which to judge compliance across the ERO enterprise, in view of NERC’s comments, we believe that NERC and the Regional Entities will have the ability to assess the effectiveness of a responsible entity’s electronic access control plan as well as a responsible entity’s adherence to its electronic access control plan. 30. Moreover, to ensure that the security controls are implemented and that Section 3 accomplishes its intended purpose, we adopt Trade Associations’ proposal and direct NERC to conduct a study to assess the implementation of Reliability Standard CIP–003–7.40 The study should address what electronic access controls entities choose to implement and under what circumstances, and whether the electronic access controls adopted by responsible entities provide adequate security, as well as other relevant 39 NERC 40 Trade PO 00000 Comments at 4. Associations Comments at 9. Frm 00017 Fmt 4700 Sfmt 4700 17917 information found by NERC as a result of the study. NERC must file the study within eighteen months of the effective date of Reliability Standard CIP–003–7. We may revisit the need for modifications to Section 3 of Attachment 1 to Reliability Standard CIP–003–7 if warranted by the study determination, or the results of audits or other compliance procedures. B. Mitigation of the Risk of Malicious Code Associated With Third-Party Transient Electronic Devices 1. NOPR 31. 
In the NOPR, the Commission proposed to direct NERC to develop modifications to proposed Section 5 of Attachment 1 to Reliability Standard CIP–003–7 to mitigate the risk of malicious code that could result from third-party transient electronic devices.41 Specifically, the Commission raised a concern that Reliability Standard CIP–003–7 does not explicitly require mitigation of the introduction of malicious code from third-party managed transient electronic devices, even if the responsible entity determines that the third-party’s policies and procedures are inadequate. The Commission noted NERC’s statement in its petition that a responsible entity’s failure to mitigate this risk ‘‘may not constitute compliance.’’ 42 The Commission stated that NERC’s explanation suggests that, with regard to low impact BES Cyber Systems, the requirement lacks an obligation for a responsible entity to correct any deficiencies that are discovered during a review of thirdparty transient electronic device management practices. 32. The Commission expressed concern that Reliability Standard CIP– 003–7 may contain a reliability gap where a responsible entity contracts with a third-party but fails to mitigate potential deficiencies discovered in the third-party’s malicious code detection and prevention practices prior to a transient electronic device being connected to a low impact BES Cyber System. The Commission explained that the reliability gap would result from the fact that Reliability Standard CIP–003– 7 does not contain: (1) A requirement for the responsible entity to mitigate any malicious code found during the thirdparty review(s); or (2) a requirement that the responsible entity take reasonable steps to mitigate the risks of third party malicious code on its systems, if an arrangement cannot be made for the 41 Id. 42 Id. E:\FR\FM\25APR1.SGM P 41. P 39 (citing NERC Petition at 30). 25APR1 17918 Federal Register / Vol. 83, No. 
80 / Wednesday, April 25, 2018 / Rules and Regulations third-party to do so. The Commission observed that without such obligations responsible entities could, without compliance consequences, simply accept the risk of deficient third-party transient electronic device management practices.43 33. Therefore, pursuant to section 215(d)(5) of the FPA, the Commission proposed to direct NERC to modify Reliability Standard CIP–003–7 to require responsible entities to implement controls to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices. sradovich on DSK3GMQ082PROD with RULES 2. Comments 34. NERC states that it ‘‘agrees with the Commission that, should a Responsible Entity find that a third party’s processes and practices for protecting its transient electronic devices inadequate, the Responsible Entity must be required to take mitigating action prior to connecting third-party transient electronic devices to a low impact BES Cyber System.’’ 44 According to NERC, ‘‘failure to take mitigating action in this circumstance[ ] could result in a finding of noncompliance with Section 5 of Attachment 1.’’ 45 NERC, therefore, asserts that ‘‘the proposed directive may not be necessary and may be an inefficient use of NERC and industry resources.’’ 46 NERC observes, however, that ‘‘[m]odifying proposed Section 5 to explicitly include a mitigation requirement for third-part[y] devices may remove any doubt about compliance expectations.’’ 47 35. Trade Associations and ELCON do not support the proposed directive. 
Trade Associations contend that ‘‘[a]lthough Section 5.2 [of Attachment 1 to CIP–003–7] does not explicitly require the responsible entity to mitigate the introduction of malicious code, risk mitigation is an explicit obligation under Section 5.’’ 48 Trade Associations state that if a responsible entity’s plan does not ‘‘achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets . . . then the plan will not comply with Section 5.’’ 49 Trade Associations maintains that the ‘‘intent 43 Id. P 40 (citing Order No. 706, 122 FERC ¶ 61,040 at P 150 (rejecting the concept of acceptance of risk in the CIP Reliability Standards)). 44 NERC Comments at 6 (citing NERC Petition at 29). 45 Id. 46 Id. 47 Id. 48 Trade Associations Comments at 10. 49 Id. at 11. VerDate Sep<11>2014 16:26 Apr 24, 2018 Jkt 244001 of the requirement is made clear in the Supplemental Material for Section 5 and 5.2, which both require the responsible entities to document how they will mitigate the introduction of malicious code.’’ 50 Trade Associations note in a footnote that: Although the Supplemental Material does not create binding obligations on responsible entities, the text of the Supplemental Material in the Proposed Standard further clarifies and reinforces that the binding requirements found in CIP–003–7, Attachment 1, Section 5 include the obligation to take additional steps if a thirdparty’s practices do not meet the security objective.51 Trade Associations conclude that the Commission should approve Reliability Standard CIP–003–7 without modification. 36. 
ELCON states that ‘‘the requirement for a Low-Impact BES Cyber System owner or operator to actively mitigate deficiencies in third party’s anti-virus security programs does exist in [Section 5 of Attachment 1 to Reliability Standard CIP–003–7].’’ 52 ELCON states that the opening paragraph of Section 5, which requires responsible entities to implement one or more plans to ‘‘achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media,’’ establishes an obligation to mitigate any identified deficiencies. ELCON contends that the objective of mitigating the risk ‘‘cannot be reached if the Responsible Entity allows a third party to connect an insufficiently evaluated [Transient Cyber Asset] to a Low-Impact BES Cyber System.’’ 53 ELCON argues that the ‘‘positioning of the requirement in the opening paragraph of Section 5 assures that mitigating actions must be taken to address deficiencies detected’’ with responsible entity-owned Transient Cyber Assets, vendor-owned Transient Cyber Assets, and Removable Media.54 3. Commission Determination 37. We adopt the NOPR proposal and, pursuant to section 215(d)(5) of the FPA, direct that NERC develop modifications to Reliability Standard CIP–003–7 to address our concern and ensure that responsible entities implement controls to mitigate the risk of malicious code that could result from third-party transient electronic devices. 50 Id. 51 Id. 52 ELCON Comments at 4 (emphasis in original). at 4–5. 54 Id. at 5. 53 Id. PO 00000 Frm 00018 Fmt 4700 Sfmt 4700 NERC could satisfactorily address the identified concern, for example, by modifying Section 5 of Attachment 1 to CIP–003–7 to clarify that responsible entities must implement controls to mitigate the risk of malicious code that could result from the use of third-party transient electronic devices. 38. 
The directed modification will improve the security posture of responsible entities by clarifying compliance expectations. While commenters claim that the provision is sufficiently clear and ask the Commission not to adopt the proposal, all commenters agree that there is not an explicit requirement to mitigate the threat of malicious code that could result from third-party transient electronic devices. While Trade Associations state that Section 5.2 of Attachment 1 does not explicitly require the mitigation of malicious code, Trade Associations and ELCON suggest that Section 5 generally requires risk mitigation. While commenters agree that, at least implicitly, the mitigation of malicious code is an obligation, the lack of a clear requirement could lead to confusion in both the development of a compliance plan and in the implementation of a compliance plan. In addition, although NERC contends that the proposed directive may not be necessary, NERC agrees that modifying Reliability Standard CIP–003–7 to address the mitigation of malicious code explicitly could clarify compliance obligations. 39. Therefore, pursuant to FPA section 215(d)(5), we direct NERC to develop and submit modifications to Reliability Standard CIP–003–7 to include an explicit requirement that responsible entities implement controls to mitigate the risk of malicious code that could result from third-party transient electronic devices. C. Implementation Plan and Effective Date NERC Petition 40. In its petition, NERC requests an effective date for Reliability Standard CIP–003–7 and the revised definitions of Transient Cyber Asset and Removable Media on the first day of the first calendar quarter that is eighteen months after the effective date of the Commission’s order approving the Reliability Standard. 
NERC explains that the implementation plan does not alter the previously-approved compliance dates for Reliability Standard CIP–003–6 other than the compliance date for Reliability Standard CIP–003–6, Requirement R2, Attachment 1, Sections 2 and 3, which E:\FR\FM\25APR1.SGM 25APR1 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations would be replaced with the effective date for Reliability Standard CIP–003–7. NERC also proposes that the retirement of Reliability Standard CIP–003–6 and the associated definitions become effective on the effective date of Reliability Standard CIP–003–7.55 41. The NOPR proposed to approve NERC’s implementation plan and effective date for Reliability Standard CIP–003–7. The Commission did not receive any comments regarding this aspect of the NOPR. Accordingly, we approve NERC’s proposed implementation plan and effective date. III. Information Collection Statement 42. The FERC–725B information collection requirements contained in this Final Rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.56 OMB’s regulations require approval of certain information collection requirements imposed by agency rules.57 Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission’s need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents’ burden, including the use of automated information techniques. 43. 
The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the proposed revision to CIP Reliability Standard CIP–003–7 as compared to the current Commissionapproved Reliability Standard CIP–003– 6. The Commission has already addressed the burden of implementing Reliability Standard CIP–003–6.58 As discussed above, the immediate rulemaking addresses three areas of 17919 modification to the CIP Reliability Standards: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. 44. The NERC Compliance Registry, as of September 2017, identifies approximately 1,320 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,100 entities will face an increased paperwork burden under Reliability Standard CIP–003–7, estimating that a majority of these entities will have one or more low impact BES Cyber Systems. Based on these assumptions, we estimate the following reporting burden: RM17–11–000 FINAL RULE [Mandatory Reliability Standards for critical infrastructure protection Reliability Standards] Number of respondents Total (ongoing) 61 ....................... Total number of responses Average burden and cost per response 59 Total annual burden hours and total annual cost Cost per respondent ($) (1) Create low impact TCA assets plan (one-time). 60 Updates and reviews of low impact TCA assets (ongoing). 61 Update/modify documentation to remove LERC and LEAP (onetime). 
60 Update paperwork for access control implementation in Section 2 64 and Section 3 65 (ongoing). 61 Total (one-time) 60 ..................... Annual number of responses per respondent (2) (1) * (2) = (3) (4) (3) * (4) = (5) (5) ÷ (1) 20 hrs.; $1,680 ........... 6,875 hrs.; $1,848,000 .............. $1,680 63 1.5 hrs.; $126 ......... 495,000 hrs.; $41,580,000 ........ 37,800 1,100 1 1,100 1,100 62 300 330,000 1,100 1 1,100 20 hrs.; $1,680 ........... 6,875 hrs.; $1,848,000 .............. 1,680 1,100 1 1,100 20 hrs.; $1,680 ........... 6,875 hrs.; $1,848,000 .............. 1,680 ........................ ........................ 2,200 ..................................... 13,750 hrs.; $3,696,000 ............ ........................ ........................ ........................ 331,100 ..................................... 501,875 hrs.; $43,428,000 ........ ........................ 45. The following shows the annual cost burden for each group, based on the burden hours in the table above: • Year 1: $3,696,000. • Years 2 and 3: $43,428,000. 55 Id., Exhibit C (Implementation Plan). U.S.C. 3507(d) (2012). 57 5 CFR 1320.11 (2017). 58 See Order No. 822, 154 FERC ¶ 61,037 at PP 84–88. 59 The loaded hourly wage figure (includes benefits) is based on the average of three occupational categories for 2016 found on the Bureau of Labor Statistics website (http:// www.bls.gov/oes/current/naics2_22.htm): Legal (Occupation Code: 23–0000): $143.68 sradovich on DSK3GMQ082PROD with RULES 56 44 VerDate Sep<11>2014 16:26 Apr 24, 2018 Jkt 244001 • The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Electrical Engineer (Occupation Code: 17–2071): $68.12 Office and Administrative Support (Occupation Code: 43–0000): $40.89 ($143.68 + $68.12 + $40.89) ÷ 3 = $84.23. 
The figure is rounded to $84.00 for use in calculating wage figures in this NOPR. 60 This one-time burden applies in Year One only. 61 This ongoing burden applies in Year 2 and beyond. 62 We estimate that each entity will perform 25 updates per month. 25 updates *12 months = 300 updates (i.e. responses) per year. PO 00000 Frm 00019 Fmt 4700 Sfmt 4700 Systems; (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low 63 The 1.5 hours of burden per response is comprised of three sub-categories: Updates to managed low TCA assets: 15 minutes (0.25 hours) per response Updates to unmanaged low TCA assets: 60 minutes (1 hour) per response Reviews of low TCA applicable controls: 15 minutes (0.25 hours) per response. 64 Physical Security Controls. 65 Electronic Access Controls. E:\FR\FM\25APR1.SGM 25APR1 sradovich on DSK3GMQ082PROD with RULES 17920 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to policy development, while costs in years 2 and 3 will reflect the burden associated with maintaining logs and other records to demonstrate ongoing compliance. 46. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Protection Reliability Standards. Action: Revision to FERC–725B information collection. OMB Control No.: 1902–0248. Respondents: Businesses or other forprofit institutions; not-for-profit institutions. Frequency of Responses: On Occasion. Necessity of the Information: This Final Rule approves the requested modifications to Reliability Standards pertaining to critical infrastructure protection. 
As discussed above, the Commission approves NERC’s revised CIP Reliability Standard CIP–003–7 pursuant to section 215(d)(2) of the FPA because it improves upon the currentlyeffective suite of cyber security CIP Reliability Standards. Internal Review: The Commission has reviewed the Reliability Standard and made a determination that its action is necessary to implement section 215 of the FPA. 47. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502–8663, fax: (202) 273–0873]. 48. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Information and Regulatory Affairs, Office of Management and Budget, 725 17th Street NW, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395–4638, fax: (202) 395–7285]. For security reasons, comments to OMB should be submitted by email to: oira_ submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RM17–11–000 and OMB Control Number 1902–0248. VerDate Sep<11>2014 16:26 Apr 24, 2018 Jkt 244001 IV. Regulatory Flexibility Act Analysis 49. 
The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of Final Rules that will have significant economic impact on a substantial number of small entities.66 The Small Business Administration’s (SBA) Office of Size Standards develops the numerical definition of a small business.67 The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).68 Reliability Standard CIP–003–7 is expected to impose an additional burden on 1,100 entities 69 (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, transmission owners, and certain distribution providers). 50. Of the 1,100 affected entities discussed above, we estimate that approximately 857 or 78 percent 70 of the affected entities are small. As discussed above, Reliability Standard CIP–003–7 enhances reliability by providing criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s electronic access controls for low impact BES Cyber systems, as well as improved security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems). We estimate that each of the 857 small entities to whom the modifications to Reliability Standard CIP–003–7 applies will incur one-time costs of approximately $3,360 per entity to implement this standard, as well as the ongoing paperwork burden reflected in the Information Collection Statement (approximately $39,480 per year per entity). We do not consider the estimated costs for these 857 small entities to be a significant economic impact. 51. Based on the above analysis, we certify that the approved Reliability Standard will not have a significant 66 5 U.S.C. 601–12 (2012). 
CFR 121.101 (2017). 68 SBA Final Rule on ‘‘Small Business Size Standards: Utilities,’’ 78 FR 77343 (Dec. 23, 2013). 69 Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this Final Rule, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAISC Code: 221121). 70 77.95 percent. 67 13 PO 00000 Frm 00020 Fmt 4700 Sfmt 4700 economic impact on a substantial number of small entities. V. Environmental Analysis 52. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.71 The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.72 The actions proposed herein fall within this categorical exclusion in the Commission’s regulations. VI. Document Availability 53. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission’s Home Page (http:// www.ferc.gov) and in the Commission’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426. 54. From the Commission’s Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. 
To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field. User assistance is available for eLibrary and the Commission’s website during normal business hours from the Commission’s Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov. VII. Effective Date and Congressional Notification 55. The Final Rule is effective June 25, 2018. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ‘‘major rule’’ as defined in section 351 of the Small 71 Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987). 72 18 CFR 380.4(a)(2)(ii) (2017). E:\FR\FM\25APR1.SGM 25APR1 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations DEPARTMENT OF DEFENSE With the finalization of the DoD-level FOIA rule at 32 CFR part 286, the Department is eliminating the need for this separate DoD-level FOIA rule and reducing costs to the public as explained in the preamble of the revised DoD-level FOIA rule at 32 CFR part 286 published at 83 FR 5196–5197. This rule is not significant under Executive Order (E.O.) 12866, ‘‘Regulatory Planning and Review,’’ therefore, E.O. 13771, ‘‘Reducing Regulation and Controlling Regulatory Costs’’ does not apply. Office of the Secretary List of Subjects in 32 CFR Part 285 Business Regulatory Enforcement Fairness Act of 1996. This Final Rule is being submitted to the Senate, House, and Government Accountability Office. By the Commission. Issued: April 19, 2018. Nathaniel J. Davis, Sr., Deputy Secretary. [FR Doc. 2018–08610 Filed 4–24–18; 8:45 am] BILLING CODE 6717–01–P Freedom of information. 
32 CFR Part 285 PART 285—[REMOVED] [Docket ID: DOD–2017–OS–0028] Accordingly, by the authority of 5 U.S.C. 301, 32 CFR part 285 is removed. ■ RIN 0790–AI51 DoD Freedom of Information Act (FOIA) Program Dated: April 20, 2018. Aaron T. Siegel, Alternate OSD Federal Register Liaison Officer, Department of Defense. Office of the Secretary, DoD. Final rule. AGENCY: ACTION: This final rule removes one of the Department’s two DoD-level regulations concerning the implementation of and assignment of responsibilities for the DoD Freedom of Information Act (FOIA) program. Any content required to be in an agency’s FOIA rule from this part was incorporated into the Department’s other DoD-level regulation concerning the DoD FOIA program, which was recently revised and for which a final rule published on February 6, 2018. Therefore, this part can now be removed from the CFR. Additionally, the revised DoD-level FOIA rule now includes DoD component FOIA program information, which eliminated the requirement for component supplementary rules. Accordingly, all of the department’s necessary FOIA public guidance has been incorporated into a single part. DATES: This rule is effective on April 25, 2018. FOR FURTHER INFORMATION CONTACT: James Hogan at 571–372–0462. SUPPLEMENTARY INFORMATION: It has been determined that publication of this CFR part removal for public comment is impracticable, unnecessary, and contrary to public interest because any public-facing guidance from this part was incorporated into another CFR part for which public comment has already been taken. Any internal guidance from this part will continue to be published in DoD Directive 5400.07 available at http://www.esd.whs.mil/Portals/54/ Documents/DD/issuances/dodd/ 540007p.pdf. sradovich on DSK3GMQ082PROD with RULES SUMMARY: VerDate Sep<11>2014 16:26 Apr 24, 2018 Jkt 244001 [FR Doc. 2018–08663 Filed 4–24–18; 8:45 am] BILLING CODE 5001–06–P DEPARTMENT OF HOMELAND SECURITY Coast Guard 33 CFR Part 117 [Docket No. 
USCG–2018–0325] Drawbridge Operation Regulation; Upper Mississippi River, Rock Island, IL Coast Guard, DHS. Notice of deviation from drawbridge regulation. AGENCY: ACTION: The Coast Guard has issued a temporary deviation from the operating schedule that governs the Rock Island Railroad and Highway Drawbridge across the Upper Mississippi River, mile 482.9, at Rock Island, Illinois. The deviation is necessary to facilitate the Quad City Heart Walk. This deviation allows the bridge to remain in the closed-to-navigation position for approximately two and a half (2.5) hours on one day until the race is completed. SUMMARY: Click on Open Docket Folder on the line associated with this deviation. FOR FURTHER INFORMATION CONTACT: If you have questions on this temporary deviation, call or email Mr. Eric A. Washburn, Bridge Administrator, Western Rivers, Coast Guard; telephone 314–269–2378, email Eric.Washburn@ uscg.mil. SUPPLEMENTARY INFORMATION: The U.S. Army Rock Island Arsenal, owner and operator of the Rock Island Railroad and Highway Drawbridge, across the Upper Mississippi River, mile 482.9, at Rock Island, Illinois, requested a temporary deviation from the current operating schedule to accommodate the Quad City Heart Walk. The bridge has a vertical clearance of 23.8 feet above normal pool in the closed-to-navigation position. This bridge is governed by 33 CFR 117.5. This deviation allows the bridge to remain in the closed-to-navigation position from 8:30 a.m. through 11 a.m. on May 19, 2018. Navigation on the waterway consists primarily of commercial tows and recreational watercraft. This temporary deviation has been coordinated with waterway users. No objections were received. Vessels able to pass through the bridge in the closed position may do so at any time. The bridge will not be able to open for emergencies and there are no alternate routes for vessels transiting this section of the Upper Mississippi River. 
The Coast Guard will inform users of the waterways through our Local and Broadcast Notices to Mariners of the change in operating schedule for the bridge so the vessel operators can arrange their transits to minimize any impact caused by this temporary deviation. In accordance with 33 CFR 117.35(e), the drawbridge must return to its regular operating schedule immediately at the end of the effective period of this temporary deviation. This deviation from the operating regulations is authorized under 33 CFR 117.35. Dated: April 19, 2018. Eric A. Washburn, Bridge Administrator, Western Rivers. [FR Doc. 2018–08625 Filed 4–24–18; 8:45 am] BILLING CODE 9110–04–P This deviation is effective from 8:30 a.m. through 11 a.m. on May 19, 2018. POSTAL SERVICE The docket for this deviation, [USCG–2018–0325] is available at http://www.regulations.gov. Type the docket number in the ‘‘SEARCH’’ box and click ‘‘SEARCH.’’ International Mail Manual; Incorporation by Reference DATES: ADDRESSES: PO 00000 Frm 00021 Fmt 4700 Sfmt 4700 17921 39 CFR Part 20 Postal ServiceTM. Final rule. AGENCY: ACTION: E:\FR\FM\25APR1.SGM 25APR1


[Federal Register Volume 83, Number 80 (Wednesday, April 25, 2018)]
[Rules and Regulations]
[Pages 17913-17921]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-08610]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM17-11-000; Order No. 843]


Revised Critical Infrastructure Protection Reliability Standard 
CIP-003-7--Cyber Security--Security Management Controls

AGENCY: Federal Energy Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves 
Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 
(Cyber Security--Security Management Controls), submitted by the North 
American Electric Reliability Corporation (NERC). Reliability Standard 
CIP-003-7 clarifies the obligations pertaining to electronic access 
control for low impact BES Cyber Systems; requires mandatory security 
controls for transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at low impact BES Cyber Systems; and 
requires responsible entities to have a policy for declaring and 
responding to CIP Exceptional Circumstances related to low impact BES 
Cyber Systems. In addition, the Commission directs NERC to develop 
modifications to the CIP Reliability Standards to mitigate the risk of 
malicious code that could result from third-party transient electronic 
devices.

DATES: This rule will become effective June 25, 2018.

FOR FURTHER INFORMATION CONTACT: 
Matthew Dale (Technical Information), Office of Electric Reliability, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6826, [email protected]
Kevin Ryan (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE, Washington, DC 
20426, (202) 502-6840 [email protected]

SUPPLEMENTARY INFORMATION: 
Before Commissioners: Kevin J. McIntyre, Chairman; Cheryl A. 
LaFleur, Neil Chatterjee, Robert F. Powelson, and Richard Glick.

    1. Pursuant to section 215 of the Federal Power Act (FPA),\1\ the

[[Page 17914]]

Commission approves Reliability Standard CIP-003-7 as just, reasonable, 
not unduly discriminatory or preferential, and in the public interest. 
Reliability Standard CIP-003-7 addresses the Commission's directives 
from Order No. 822 and is an improvement over the current Commission-
approved CIP Reliability Standards.\2\ Specifically, Reliability 
Standard CIP-003-7 improves upon the existing Reliability Standards by: 
(1) Clarifying the obligations pertaining to electronic access control 
for low impact BES Cyber Systems; \3\ (2) adopting mandatory security 
controls for transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at low impact BES Cyber Systems; and 
(3) requiring responsible entities to have a policy for declaring and 
responding to CIP Exceptional Circumstances related to low impact BES 
Cyber Systems. We also approve NERC's proposed implementation plan and 
violation risk factor and violation severity level assignments. 
Finally, we approve NERC's proposed revised definitions for inclusion 
in the NERC Glossary.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o (2012).
    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 822, 154 FERC ¶ 61,037, reh'g denied, Order No. 
822-A, 156 FERC ¶ 61,052 (2016).
    \3\ BES Cyber System is defined by NERC as ``[o]ne or more BES 
Cyber Assets logically grouped by a responsible entity to perform 
one or more reliability tasks for a functional entity.'' Glossary of 
Terms Used in NERC Reliability Standards (NERC Glossary). The 
acronym BES refers to the bulk electric system. Reliability Standard 
CIP-002-5.1a (Cyber Security System Categorization) provides a 
``tiered'' approach to cybersecurity requirements, based on 
classifications of high, medium and low impact BES Cyber Systems.
---------------------------------------------------------------------------

    2. In the NOPR, the Commission proposed to direct that NERC modify 
Reliability Standard CIP-003-7 to: (1) Provide clear, objective 
criteria for electronic access controls for low impact BES Cyber 
Systems; and (2) address the need to mitigate the risk of malicious 
code that could result from third-party transient electronic 
devices.\4\ The Commission adopts the NOPR proposal regarding third-
party transient electronic devices but does not adopt the proposal 
regarding criteria for electronic access controls for low impact BES 
Cyber Systems.
---------------------------------------------------------------------------

    \4\ Revised Critical Infrastructure Protection Reliability 
Standard CIP-003-7--Cyber Security--Security Management Controls, 
Notice of Proposed Rulemaking, 82 FR 49541 (Oct. 26, 2017), 161 FERC 
¶ 61,047 (2017) (NOPR).
---------------------------------------------------------------------------

    3. As discussed below, in view of the comments from NERC and 
others, we are persuaded that Reliability Standard CIP-003-7 provides a 
clear security objective that establishes compliance expectations. 
Accordingly, we do not adopt the proposed directive relating to 
electronic access controls for low impact BES Cyber Systems. Instead, 
as suggested in the comments, we direct NERC to conduct a study to 
assess the implementation of Reliability Standard CIP-003-7 to 
determine whether the electronic access controls adopted by responsible 
entities provide adequate security. NERC must submit the directed study 
within eighteen months of the effective date of Reliability Standard 
CIP-003-7.
    4. With regard to the second issue discussed in the NOPR, we remain 
concerned that the proposed Reliability Standard lacks a clear 
requirement to mitigate the risk of malicious code that could result 
from third-party transient electronic devices. Accordingly, we direct 
NERC to develop a modification to the Reliability Standard to provide 
the needed clarity. Such modification will better ensure that 
registered entities clearly understand their mitigation obligations 
and, thus, improve individual entity mitigation plans and collectively 
improve the cybersecurity posture of the electric grid.

I. Background

A. Section 215 and Mandatory Reliability Standards

    5. Section 215 of the FPA requires a Commission-certified Electric 
Reliability Organization (ERO) to develop mandatory and enforceable 
Reliability Standards, subject to Commission review and approval. 
Reliability Standards may be enforced by the ERO, subject to Commission 
oversight, or by the Commission independently.\5\ Pursuant to section 
215 of the FPA, the Commission established a process to select and 
certify an ERO,\6\ and subsequently certified NERC.\7\
---------------------------------------------------------------------------

    \5\ 16 U.S.C. 824o(e).
    \6\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \7\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (DC Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 822

    6. The Commission approved the ``Version 1'' CIP Reliability 
Standards in January 2008, and subsequently acted on revised versions 
of the CIP Reliability Standards.\8\ On January 21, 2016, in Order No. 
822, the Commission approved seven CIP Reliability Standards: CIP-003-6 
(Security Management Controls), CIP-004-6 (Personnel and Training), 
CIP-006-6 (Physical Security of BES Cyber Systems), CIP-007-6 (Systems 
Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), 
CIP-010-2 (Configuration Change Management and Vulnerability 
Assessments), and CIP-011-2 (Information Protection). The Commission 
determined that the Reliability Standards under consideration at that 
time were an improvement over the prior iteration of the CIP 
Reliability Standards and addressed the directives in Order No. 791 by, 
among other things, addressing in an equally effective and efficient 
manner the need for a NERC Glossary definition for the term 
``communication networks'' and providing controls to address the risks 
posed by transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at high and medium impact BES Cyber 
Systems.\9\
---------------------------------------------------------------------------

    \8\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ] 61,040, order on reh'g, Order 
No. 706-A, 123 FERC ] 61,174 (2008), order on clarification, Order 
No. 706-B, 126 FERC ] 61,229 (2009), order on clarification, Order 
No. 706-C, 127 FERC ] 61,273 (2009); Version 5 Critical 
Infrastructure Protection Reliability Standards, Order No. 791, 145 
FERC ] 61,160 (2013), order on clarification and reh'g, Order No. 
791-A, 146 FERC ] 61,188 (2014).
    \9\ Order No. 822, 154 FERC ] 61,037 at P 17.
---------------------------------------------------------------------------

    7. In addition, in Order No. 822, pursuant to section 215(d)(5) of 
the FPA, the Commission directed NERC, inter alia, to: (1) Develop 
modifications to the Low Impact External Routable Connectivity (LERC) 
definition to eliminate ambiguity surrounding the term ``direct'' as it 
is used in the LERC definition; and (2) develop modifications to the 
CIP Reliability Standards to provide mandatory protection for transient 
electronic devices used at low impact BES Cyber Systems.\10\
---------------------------------------------------------------------------

    \10\ Id. P 18.
---------------------------------------------------------------------------

C. NERC Petition

    8. On March 3, 2017, NERC submitted a petition seeking approval of 
Reliability Standard CIP-003-7 and the associated violation risk 
factors and violation severity levels, implementation plan and 
effective date. NERC states that Reliability Standard CIP-003-7 
satisfies the criteria set forth in Order No. 672 that the Commission 
applies when reviewing a proposed Reliability Standard.\11\ NERC also 
sought approval of revisions to NERC Glossary definitions for the terms 
Removable

[[Page 17915]]

Media and Transient Cyber Asset, as well as the retirement of the NERC 
Glossary definitions of LERC and Low Impact BES Cyber System Access 
Point (LEAP). In addition, NERC proposed the retirement of Commission-
approved Reliability Standard CIP-003-6.\12\
---------------------------------------------------------------------------

    \11\ See NERC Petition at 2 (citing Order No. 672, FERC Stats. & 
Regs. ¶ 31,204 at PP 262, 321-337); id., Exhibit D (Order No. 672 
Criteria).
    \12\ Reliability Standard CIP-003-7 is not attached to this 
Final Rule. The Reliability Standard is available on the 
Commission's eLibrary document retrieval system in Docket No. RM17-
11-000 and is posted on the NERC website, http://www.nerc.com.
---------------------------------------------------------------------------

    9. NERC states that Reliability Standard CIP-003-7 improves upon 
the existing protections that apply to low impact BES Cyber Systems. 
NERC avers that the proposed modifications address the Commission's 
directives from Order No. 822 by: (1) Clarifying electronic access 
control requirements applicable to low impact BES Cyber Systems; and 
(2) adding requirements for the protection of transient electronic 
devices used for low impact BES Cyber Systems. In addition, while not 
required by Order No. 822, NERC proposes a CIP Exceptional 
Circumstances policy for low impact BES Cyber Systems.
    10. In response to the Commission's directive to develop 
modifications to eliminate ambiguity surrounding the term ``direct'' as 
it is used in the LERC definition, NERC proposes to: (1) Retire the 
terms LERC and LEAP from the NERC Glossary; and (2) modify Section 3 of 
Attachment 1 to Reliability Standard CIP-003-7 ``to more clearly 
delineate the circumstances under which Responsible Entities must 
establish access controls for low impact BES Cyber Systems.'' \13\ NERC 
states that the proposed revisions are designed to simplify the 
electronic access control requirements associated with low impact BES 
Cyber Systems to avoid ambiguities associated with the term ``direct.'' 
NERC explains that it recognized the ``added layer of unnecessary 
complexity'' introduced by distinguishing between ``direct'' and 
``indirect'' access within the LERC definition and asserts that the 
proposed revisions will ``help ensure that Responsible Entities 
implement the required security controls effectively.'' \14\
---------------------------------------------------------------------------

    \13\ NERC Petition at 16.
    \14\ Id. at 16.
---------------------------------------------------------------------------

    11. With regard to the Commission's directive that NERC develop 
modifications to the CIP Reliability Standards to provide mandatory 
protection for transient electronic devices used at low impact BES 
Cyber Systems, NERC proposes to add a new section to Attachment 1 of 
Reliability Standard CIP-003-7 that requires responsible entities to 
include controls in their cyber security plans to mitigate the risk of 
the introduction of malicious code to low impact BES Cyber Systems that 
could result from the use of ``Transient Cyber Assets or Removable 
Media.'' Specifically, proposed Section 5 of Attachment 1 lists 
controls to be applied to Transient Cyber Assets and Removable Media 
that NERC contends ``will provide enhanced protections against the 
propagation of malware from transient devices.'' \15\
---------------------------------------------------------------------------

    \15\ Id. at 26-27.
---------------------------------------------------------------------------

    12. NERC also proposes a modification that was not directed by the 
Commission in Order No. 822. Namely, NERC proposes revisions in 
Requirement R1 of Reliability Standard CIP-003-7 to require responsible 
entities to have a policy for declaring and responding to CIP 
Exceptional Circumstances related to low impact BES Cyber Systems.\16\ 
NERC states that a number of requirements in the existing CIP 
Reliability Standards specify that responsible entities do not have to 
implement or continue implementing these requirements to avoid 
hindering the entities' ability to timely and effectively respond to 
the CIP Exceptional Circumstance. NERC proposes to add a requirement 
for responsible entities to have a CIP Exceptional Circumstances policy 
that applies to low impact BES Cyber Systems since the proposed 
requirements relating to transient electronic devices used at low 
impact BES Cyber Systems include an exception for CIP Exceptional 
Circumstances.\17\
---------------------------------------------------------------------------

    \16\ A CIP Exceptional Circumstance is defined in the NERC 
Glossary as a situation that involves or threatens to involve one or 
more of the following, or similar, conditions that impact safety or 
bulk electric system reliability: A risk of injury or death; a 
natural disaster; civil unrest; an imminent or existing hardware, 
software, or equipment failure; A Cyber Security Incident requiring 
emergency assistance; a response by emergency services; the 
enactment of a mutual assistance agreement; or an impediment of 
large scale workforce availability.
    \17\ NERC Petition at 31-32.
---------------------------------------------------------------------------

    13. NERC requests that Reliability Standard CIP-003-7 and the 
revised definitions of Transient Cyber Asset and Removable Media become 
effective the first day of the first calendar quarter that is eighteen 
months after the effective date of the Commission's order approving the 
Reliability Standard.

D. Notice of Proposed Rulemaking

    14. On October 19, 2017, the Commission issued a NOPR that proposed 
to approve Reliability Standard CIP-003-7. The NOPR proposed to 
determine that Reliability Standard CIP-003-7 is just, reasonable, not 
unduly discriminatory or preferential, and in the public interest and 
addresses the directives in Order No. 822 by: (1) Clarifying the 
obligations pertaining to electronic access control for low impact BES 
Cyber Systems; and (2) adopting mandatory security controls for 
transient electronic devices used at low impact BES Cyber Systems. In 
addition, the NOPR observed that, by requiring responsible entities to 
have a policy for declaring and responding to CIP Exceptional 
Circumstances for low impact BES Cyber Systems, Reliability Standard 
CIP-003-7 would align the treatment of low impact BES Cyber Systems 
with that of high and medium impact BES Cyber Systems, which currently 
include a requirement for declaring and responding to CIP Exceptional 
Circumstances. Therefore, the Commission proposed to approve 
Reliability Standard CIP-003-7 because the proposed modifications 
improve the base-line cybersecurity posture of responsible entities 
compared to the current Commission-approved CIP Reliability Standards.
    15. In addition, the Commission proposed to direct that NERC 
develop modifications to Reliability Standard CIP-003-7 to address 
two issues: (1) Provide clear, objective criteria for electronic access 
controls for low impact BES Cyber Systems; and (2) address the need to 
mitigate the risk of malicious code that could result from third-party 
transient electronic devices. The Commission explained that 
modifications directed at these two concerns will address potential 
gaps and improve the cyber security posture of responsible entities 
that must comply with the CIP Reliability Standards.
    16. The Commission received comments in response to the NOPR from 
Jonathan Appelbaum (Appelbaum), Electric Consumers Resource Council 
(ELCON), North American Electric Reliability Corporation (NERC), 
Transmission Access Policy Study Group (TAPS), and Trade 
Associations.\18\ We address below the issues raised in the NOPR and 
comments.
---------------------------------------------------------------------------

    \18\ Trade Associations represent American Public Power 
Association, Edison Electric Institute, and National Rural Electric 
Cooperative Association.
---------------------------------------------------------------------------

II. Discussion

    17. Pursuant to section 215(d)(2) of the FPA, we approve 
Reliability Standard CIP-003-7 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. Reliability 
Standard CIP-003-7 addresses the directives in Order No. 822 and is an 
improvement over the currently-effective, Commission-

[[Page 17916]]

approved CIP Reliability Standards. Specifically, Reliability Standard 
CIP-003-7 improves upon the existing CIP Reliability Standards by: (1) 
Clarifying the obligations pertaining to electronic access control for 
low impact BES Cyber Systems; (2) adopting mandatory security controls 
for transient electronic devices (e.g., thumb drives, laptop computers, 
and other portable devices frequently connected to and disconnected 
from systems) used at low impact BES Cyber Systems; and (3) requiring 
responsible entities to have a policy for declaring and responding to 
CIP Exceptional Circumstances related to low impact BES Cyber Systems. 
We also approve NERC's proposed implementation plan and violation risk 
factor and violation severity level assignments. Finally, we approve 
NERC's proposed revised definitions for inclusion in the NERC Glossary.
    18. In addition, as discussed below, pursuant to section 215(d)(5) 
of the FPA, we adopt the NOPR proposal and direct NERC to develop 
modifications to the CIP Reliability Standards to mitigate the risk of 
malicious code that could result from third-party transient electronic 
devices. However, for the reasons discussed below, we determine not to 
adopt the NOPR proposal to direct NERC to develop criteria for 
electronic access controls for low impact BES Cyber Systems at this 
time.
    19. Below, we discuss the following matters: (A) Criteria for 
electronic access controls for low impact BES Cyber Systems; (B) 
mitigation of the risk of malicious code associated with third-party 
transient electronic devices; and (C) implementation plan and effective 
date.

A. Criteria for Electronic Access Controls for Low Impact BES Cyber 
Systems

1. NOPR
    20. In the NOPR, the Commission proposed to direct NERC to develop 
modifications to Section 3 of Attachment 1 to Reliability Standard CIP-
003-7 to provide clear, objective criteria for electronic access 
controls for low impact BES Cyber Systems.\19\ Specifically, the 
proposed directive addressed the concern that Reliability Standard CIP-
003-7 may not provide adequate electronic access controls for low 
impact BES Cyber Systems because Reliability Standard CIP-003-7 does 
not provide clear, objective criteria or measures to assess compliance 
by independently confirming that the access control strategy adopted by 
a responsible entity would reasonably meet the security objective of 
permitting only ``necessary inbound and outbound electronic access'' to 
its low impact BES Cyber Systems.\20\ The Commission stated that, in 
order to ensure an objective and consistently-applied requirement, the 
electronic access control plan required in Attachment 1 should require 
the responsible entity to articulate its access control strategy for a 
particular set of low impact BES Cyber Systems and provide a technical 
rationale rooted in security principles explaining how that strategy 
will reasonably restrict electronic access. In addition, the Commission 
stated that Attachment 1 should outline basic security principles in 
order to provide clear, objective criteria or measures to assist in 
assessing compliance.\21\
---------------------------------------------------------------------------

    \19\ NOPR, 161 FERC ¶ 61,047 at P 32.
    \20\ Id. P 28.
    \21\ Id. P 29.
---------------------------------------------------------------------------

    21. The Commission observed that without clear, objective criteria 
or measures, auditors will not necessarily have adequate information to 
assess the reasonableness of the responsible entity's decision with 
respect to how the responsible entity identified necessary 
communications or restricted electronic access to specific low impact 
BES Cyber Systems. The Commission posited that absent such information, 
it is possible that an auditor could assess a violation where an entity 
adequately protected its low impact BES Cyber Systems or fail to 
recognize a situation where additional protections are necessary to 
meet the security objective of the Reliability Standard.\22\
---------------------------------------------------------------------------

    \22\ Id.
---------------------------------------------------------------------------

2. Comments
    22. NERC acknowledges the NOPR concerns but comments that a 
directive ``may not be necessary.'' \23\ Specifically, NERC asserts 
that ``Responsible Entities must provide auditors sufficient 
information to allow the auditors to properly assess compliance with 
section 3.1'' of Reliability Standard CIP-003-7.\24\ NERC contends that 
Section 3.1 ``articulates a clear security objective: permit only 
necessary inbound and outbound access to low impact BES Cyber 
Systems.'' \25\ NERC explains that Section 3.1 is not prescriptive due 
to the wide array of low impact BES Cyber Systems and their lower risk 
to bulk electric system reliability, but, while Section 3.1 grants 
responsible entities flexibility, ``a Responsible Entity must 
demonstrate that its electronic access permissions and controls are 
consistent with the security objective.'' \26\ Specifically, NERC 
maintains that a responsible entity ``must document the necessity of 
its inbound and outbound electronic access permissions and provide 
justification of the need for such access.'' \27\ NERC states further 
that ``[i]f a Responsible Entity fails to articulate a reasonable 
business or operational need for the electronic access permission, the 
ERO Enterprise would find that the Responsible Entity did not comply 
with Section 3.1.'' \28\ NERC continues that ``[c]onsistent with the 
intent of the Commission's proposed directive, the Responsible Entity 
would have to articulate its access control strategy for the low impact 
BES Cyber System and provide a technical rationale rooted in security 
principles, explaining how that strategy will reasonably restrict 
electronic access.'' \29\ NERC states that if a responsible entity 
``fails to demonstrate that its chosen electronic access controls are 
properly designed and implemented to meet the security objective, the 
ERO Enterprise would find that the Responsible Entity did not comply 
with Section 3.1'' of Reliability Standard CIP-003-7.\30\
---------------------------------------------------------------------------

    \23\ NERC Comments at 3.
    \24\ Id. (citing NERC Petition at 21-24).
    \25\ Id.
    \26\ Id. at 3-4.
    \27\ Id. at 4 (citing NERC Petition at 22).
    \28\ Id.
    \29\ Id.
    \30\ Id.
---------------------------------------------------------------------------

    23. NERC concludes that while the Commission's proposed directive 
may not be necessary and could potentially be an inefficient use of 
NERC and industry resources, ``[a]rticulating objective criteria for 
electronic access controls for low impact BES Cyber Systems may improve 
clarity and auditability, and help ensure that entities implement 
effective electronic access controls.'' \31\
---------------------------------------------------------------------------

    \31\ Id. at 5.
---------------------------------------------------------------------------

    24. Trade Associations, TAPS and ELCON do not support the proposed 
directive, claiming that the proposal would impose additional burdens 
on registered entities without a corresponding reliability benefit. 
Trade Associations and TAPS contend that Section 3 of Attachment 1 to 
Reliability Standard CIP-003-7 gives responsible entities needed 
flexibility to develop and implement effective electronic access 
controls for low impact BES Cyber Systems. TAPS adds that Reliability 
Standard CIP-003-7 reflects what NERC, through the standard development 
process, ``determined was a technically appropriate tailoring of 
electronic access controls requirements to low impact BES cyber 
systems.'' \32\ Trade Associations recommend, as an

[[Page 17917]]

alternative to the proposed directive, that the Commission approve the 
proposed Reliability Standard without modification and monitor its 
concerns, for example, by directing NERC to conduct a study to assess 
the implementation by responsible entities of Reliability Standard CIP-
003-7 electronic access controls to determine whether there are in fact 
inadequate controls. According to Trade Associations, a fact-driven 
assessment would help to inform and demonstrate a reliability and 
security need for future Commission actions related to the CIP 
Reliability Standards.\33\
---------------------------------------------------------------------------

    \32\ TAPS Comments at 7 (citing 16 U.S.C. 824o(d)).
    \33\ Trade Associations Comments at 9.
---------------------------------------------------------------------------

    25. Further, Trade Associations assert that a risk-based approach 
is essential to allow responsible entities to focus their resources on 
assets that have a higher impact on bulk electric system reliability. 
ELCON adds that while it ``appreciates the value establishing more 
tangible criteria for adequate Low-Impact BES Cyber System controls, . 
. . the additional requirements that the Commission proposes would do 
nothing to harden a Low-Impact facility against the rapid evolution in 
cyber warfare.'' \34\
---------------------------------------------------------------------------

    \34\ ELCON Comments at 4.
---------------------------------------------------------------------------

    26. Appelbaum supports the proposed directive regarding Section 3 
of Attachment 1 to Reliability Standard CIP-003-7. Appelbaum notes that 
Reliability Standard CIP-003-7 ``leaves the choice of controls to the 
[responsible entity] and leaves an Auditor with no requirement basis to 
perform an audit.'' \35\ Appelbaum states that under ``NERC's proposal 
that each entity establishes their own security plan and only needs to 
demonstrate compliance and adherence to its plan then . . . the 
implementation of security controls will be implemented to various 
levels of security and differentiated . . . across the NERC Regions.'' 
\36\ Appelbaum states further that Reliability Standard CIP-003-7 
``will result in different auditor conclusions for similarly situated 
entities implementing similar protections.'' \37\ Appelbaum concludes 
that ``[c]lear requirements are needed to establish a common 
understanding of the necessary security to be achieved.'' \38\
---------------------------------------------------------------------------

    \35\ Appelbaum Comments at 5.
    \36\ Id. at 6.
    \37\ Id. at 7.
    \38\ Id.
---------------------------------------------------------------------------

3. Commission Determination
    27. We do not adopt the proposed directive, but rather adopt the 
Trade Associations' recommendation for a study and report to be filed 
with the Commission. We are satisfied with the explanation of NERC and 
other commenters that Section 3 of Attachment 1 to Reliability Standard 
CIP-003-7 provides a clear security objective that establishes 
compliance expectations. Specifically, we are persuaded by commenters 
that Section 3 of Attachment 1 requires responsible entities to adopt 
security controls to permit only necessary inbound and outbound 
electronic access to Cyber Assets connected using a routable protocol 
to low impact BES Cyber Systems.
    28. The concern raised in the NOPR focused on the lack of clear, 
objective criteria or measures to assess compliance with Reliability 
Standard CIP-003-7. As noted above, however, NERC states in its 
comments that responsible entities will be required to demonstrate that 
electronic access permissions and controls associated with low impact 
BES Cyber Systems are consistent with the stated security objective. 
NERC also clarifies that responsible entities will be required to 
``document the [business or operational] necessity of its inbound and 
outbound electronic access permissions and provide justification of the 
need for such access.'' \39\ Given NERC's statements, we believe that 
there will be adequate measures to assess compliance with Reliability 
Standard CIP-003-7. We expect responsible entities to be able to 
provide a technically sound explanation as to how their electronic 
access controls meet the security objective.
---------------------------------------------------------------------------

    \39\ NERC Comments at 4.
---------------------------------------------------------------------------

    29. In response to Appelbaum's comment that auditors will not have 
a common understanding on which to judge compliance across the ERO 
enterprise, in view of NERC's comments, we believe that NERC and the 
Regional Entities will have the ability to assess the effectiveness of 
a responsible entity's electronic access control plan as well as a 
responsible entity's adherence to its electronic access control plan.
    30. Moreover, to ensure that the security controls are implemented 
and that Section 3 accomplishes its intended purpose, we adopt Trade 
Associations' proposal and direct NERC to conduct a study to assess the 
implementation of Reliability Standard CIP-003-7.\40\ The study should 
address what electronic access controls entities choose to implement 
and under what circumstances, and whether the electronic access 
controls adopted by responsible entities provide adequate security, as 
well as other relevant information found by NERC as a result of the 
study. NERC must file the study within eighteen months of the effective 
date of Reliability Standard CIP-003-7. We may revisit the need for 
modifications to Section 3 of Attachment 1 to Reliability Standard CIP-
003-7 if warranted by the study determination, or the results of audits 
or other compliance procedures.
---------------------------------------------------------------------------

    \40\ Trade Associations Comments at 9.
---------------------------------------------------------------------------

B. Mitigation of the Risk of Malicious Code Associated With Third-Party 
Transient Electronic Devices

1. NOPR
    31. In the NOPR, the Commission proposed to direct NERC to develop 
modifications to proposed Section 5 of Attachment 1 to Reliability 
Standard CIP-003-7 to mitigate the risk of malicious code that could 
result from third-party transient electronic devices.\41\ Specifically, 
the Commission raised a concern that Reliability Standard CIP-003-7 
does not explicitly require mitigation of the introduction of malicious 
code from third-party managed transient electronic devices, even if the 
responsible entity determines that the third-party's policies and 
procedures are inadequate. The Commission noted NERC's statement in its 
petition that a responsible entity's failure to mitigate this risk 
``may not constitute compliance.'' \42\ The Commission stated that 
NERC's explanation suggests that, with regard to low impact BES Cyber 
Systems, the requirement lacks an obligation for a responsible entity 
to correct any deficiencies that are discovered during a review of 
third-party transient electronic device management practices.
---------------------------------------------------------------------------

    \41\ Id. P 41.
    \42\ Id. P 39 (citing NERC Petition at 30).
---------------------------------------------------------------------------

    32. The Commission expressed concern that Reliability Standard CIP-
003-7 may contain a reliability gap where a responsible entity 
contracts with a third-party but fails to mitigate potential 
deficiencies discovered in the third-party's malicious code detection 
and prevention practices prior to a transient electronic device being 
connected to a low impact BES Cyber System. The Commission explained 
that the reliability gap would result from the fact that Reliability 
Standard CIP-003-7 does not contain: (1) A requirement for the 
responsible entity to mitigate any malicious code found during the 
third-party review(s); or (2) a requirement that the responsible entity 
take reasonable steps to mitigate the risks of third party malicious 
code on its systems, if an arrangement cannot be made for the

[[Page 17918]]

third-party to do so. The Commission observed that without such 
obligations responsible entities could, without compliance 
consequences, simply accept the risk of deficient third-party transient 
electronic device management practices.\43\
---------------------------------------------------------------------------

    \43\ Id. P 40 (citing Order No. 706, 122 FERC ¶ 61,040 at P 150 
(rejecting the concept of acceptance of risk in the CIP Reliability 
Standards)).
---------------------------------------------------------------------------

    33. Therefore, pursuant to section 215(d)(5) of the FPA, the 
Commission proposed to direct NERC to modify Reliability Standard CIP-
003-7 to require responsible entities to implement controls to address 
the need to mitigate the risk of malicious code that could result from 
third-party transient electronic devices.
2. Comments
    34. NERC states that it ``agrees with the Commission that, should a 
Responsible Entity find that a third party's processes and practices 
for protecting its transient electronic devices inadequate, the 
Responsible Entity must be required to take mitigating action prior to 
connecting third-party transient electronic devices to a low impact BES 
Cyber System.'' \44\ According to NERC, ``failure to take mitigating 
action in this circumstance[ ] could result in a finding of 
noncompliance with Section 5 of Attachment 1.'' \45\ NERC, therefore, 
asserts that ``the proposed directive may not be necessary and may be 
an inefficient use of NERC and industry resources.'' \46\ NERC 
observes, however, that ``[m]odifying proposed Section 5 to explicitly 
include a mitigation requirement for third-part[y] devices may remove 
any doubt about compliance expectations.'' \47\
---------------------------------------------------------------------------

    \44\ NERC Comments at 6 (citing NERC Petition at 29).
    \45\ Id.
    \46\ Id.
    \47\ Id.
---------------------------------------------------------------------------

    35. Trade Associations and ELCON do not support the proposed 
directive. Trade Associations contend that ``[a]lthough Section 5.2 [of 
Attachment 1 to CIP-003-7] does not explicitly require the responsible 
entity to mitigate the introduction of malicious code, risk mitigation 
is an explicit obligation under Section 5.'' \48\ Trade Associations 
state that if a responsible entity's plan does not ``achieve the 
objective of mitigating the risk of the introduction of malicious code 
to low impact BES Cyber Systems through the use of Transient Cyber 
Assets . . . then the plan will not comply with Section 5.'' \49\ Trade 
Associations maintain that the ``intent of the requirement is made 
clear in the Supplemental Material for Section 5 and 5.2, which both 
require the responsible entities to document how they will mitigate the 
introduction of malicious code.'' \50\ Trade Associations note in a 
footnote that:
---------------------------------------------------------------------------

    \48\ Trade Associations Comments at 10.
    \49\ Id. at 11.
    \50\ Id.
---------------------------------------------------------------------------

    Although the Supplemental Material does not create binding 
obligations on responsible entities, the text of the Supplemental 
Material in the Proposed Standard further clarifies and reinforces 
that the binding requirements found in CIP-003-7, Attachment 1, 
Section 5 include the obligation to take additional steps if a 
third-party's practices do not meet the security objective.\51\
---------------------------------------------------------------------------

    \51\ Id.
---------------------------------------------------------------------------

Trade Associations conclude that the Commission should approve 
Reliability Standard CIP-003-7 without modification.
    36. ELCON states that ``the requirement for a Low-Impact BES Cyber 
System owner or operator to actively mitigate deficiencies in third 
party's anti-virus security programs does exist in [Section 5 of 
Attachment 1 to Reliability Standard CIP-003-7].'' \52\ ELCON states 
that the opening paragraph of Section 5, which requires responsible 
entities to implement one or more plans to ``achieve the objective of 
mitigating the risk of the introduction of malicious code to low impact 
BES Cyber Systems through the use of Transient Cyber Assets or 
Removable Media,'' establishes an obligation to mitigate any identified 
deficiencies. ELCON contends that the objective of mitigating the risk 
``cannot be reached if the Responsible Entity allows a third party to 
connect an insufficiently evaluated [Transient Cyber Asset] to a Low-
Impact BES Cyber System.'' \53\ ELCON argues that the ``positioning of 
the requirement in the opening paragraph of Section 5 assures that 
mitigating actions must be taken to address deficiencies detected'' 
with responsible entity-owned Transient Cyber Assets, vendor-owned 
Transient Cyber Assets, and Removable Media.\54\
---------------------------------------------------------------------------

    \52\ ELCON Comments at 4 (emphasis in original).
    \53\ Id. at 4-5.
    \54\ Id. at 5.
---------------------------------------------------------------------------

3. Commission Determination
    37. We adopt the NOPR proposal and, pursuant to section 215(d)(5) 
of the FPA, direct that NERC develop modifications to Reliability 
Standard CIP-003-7 to address our concern and ensure that responsible 
entities implement controls to mitigate the risk of malicious code that 
could result from third-party transient electronic devices. NERC could 
satisfactorily address the identified concern, for example, by 
modifying Section 5 of Attachment 1 to CIP-003-7 to clarify that 
responsible entities must implement controls to mitigate the risk of 
malicious code that could result from the use of third-party transient 
electronic devices.
    38. The directed modification will improve the security posture of 
responsible entities by clarifying compliance expectations. Although 
commenters assert that the provision is sufficiently clear and ask the 
Commission not to adopt the proposal, all commenters agree that there 
is no explicit requirement to mitigate the threat of malicious code 
that could result from third-party transient electronic devices. Trade 
Associations acknowledge that Section 5.2 of Attachment 1 does not 
explicitly require the mitigation of malicious code, and Trade 
Associations and ELCON instead rely on Section 5 as a general 
requirement for risk mitigation. Even if, as commenters agree, the 
mitigation of malicious code is at least implicitly an obligation, the 
absence of a clear requirement could lead to confusion both in the 
development of a compliance plan and in its implementation. In 
addition, although NERC contends that the proposed directive may not 
be necessary, NERC agrees that modifying Reliability Standard CIP-003-7 
to address the mitigation of malicious code explicitly could clarify 
compliance obligations.
    39. Therefore, pursuant to FPA section 215(d)(5), we direct NERC to 
develop and submit modifications to Reliability Standard CIP-003-7 to 
include an explicit requirement that responsible entities implement 
controls to mitigate the risk of malicious code that could result from 
third-party transient electronic devices.

C. Implementation Plan and Effective Date

NERC Petition
    40. In its petition, NERC requests an effective date for 
Reliability Standard CIP-003-7 and the revised definitions of Transient 
Cyber Asset and Removable Media on the first day of the first calendar 
quarter that is eighteen months after the effective date of the 
Commission's order approving the Reliability Standard. NERC explains 
that the implementation plan does not alter the previously-approved 
compliance dates for Reliability Standard CIP-003-6 other than the 
compliance date for Reliability Standard CIP-003-6, Requirement R2, 
Attachment 1, Sections 2 and 3, which

[[Page 17919]]

would be replaced with the effective date for Reliability Standard CIP-
003-7. NERC also proposes that the retirement of Reliability Standard 
CIP-003-6 and the associated definitions become effective on the 
effective date of Reliability Standard CIP-003-7.\55\
---------------------------------------------------------------------------

    \55\ Id., Exhibit C (Implementation Plan).
---------------------------------------------------------------------------

    41. The NOPR proposed to approve NERC's implementation plan and 
effective date for Reliability Standard CIP-003-7. The Commission did 
not receive any comments regarding this aspect of the NOPR. 
Accordingly, we approve NERC's proposed implementation plan and 
effective date.

III. Information Collection Statement

    42. The FERC-725B information collection requirements contained in 
this Final Rule are subject to review by the Office of Management and 
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 
1995.\56\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\57\ Upon approval of a 
collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number. The Commission solicits comments on the 
Commission's need for this information, whether the information will 
have practical utility, the accuracy of the burden estimates, ways to 
enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
---------------------------------------------------------------------------

    \56\ 44 U.S.C. 3507(d) (2012).
    \57\ 5 CFR 1320.11 (2017).
---------------------------------------------------------------------------

    43. The Commission bases its paperwork burden estimates on the 
changes in paperwork burden presented by the proposed revision to CIP 
Reliability Standard CIP-003-7 as compared to the current Commission-
approved Reliability Standard CIP-003-6. The Commission has already 
addressed the burden of implementing Reliability Standard CIP-003-
6.\58\ As discussed above, the immediate rulemaking addresses three 
areas of modification to the CIP Reliability Standards: (1) Clarifying 
the obligations pertaining to electronic access control for low impact 
BES Cyber Systems; (2) adopting mandatory security controls for 
transient electronic devices (e.g., thumb drives, laptop computers, and 
other portable devices frequently connected to and disconnected from 
systems) used at low impact BES Cyber Systems; and (3) requiring 
responsible entities to have a policy for declaring and responding to 
CIP Exceptional Circumstances related to low impact BES Cyber Systems.
---------------------------------------------------------------------------

    \58\ See Order No. 822, 154 FERC ¶ 61,037 at PP 84-88.
---------------------------------------------------------------------------

    44. The NERC Compliance Registry, as of September 2017, identifies 
approximately 1,320 U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
1,100 entities will face an increased paperwork burden under 
Reliability Standard CIP-003-7, estimating that a majority of these 
entities will have one or more low impact BES Cyber Systems. Based on 
these assumptions, we estimate the following reporting burden:

                                          RM17-11-000 Final Rule
           [Mandatory Reliability Standards for critical infrastructure protection Reliability Standards]
----------------------------------------------------------------------------------------------------------------------
                                     Number of    Annual         Total        Average burden     Total annual        Cost per
                                     respondents  responses per  number of    and cost per       burden hours and    respondent
                                                  respondent     responses    response \59\      total annual cost   ($)
                                     (1)          (2)            (1)*(2)=(3)  (4)                (3)*(4)=(5)         (5)/(1)
----------------------------------------------------------------------------------------------------------------------
Create low impact TCA assets plan    1,100        1              1,100        20 hrs.; $1,680    6,875 hrs.;         $1,680
 (one-time) \60\                                                                                 $1,848,000
Updates and reviews of low impact    1,100        \62\ 300       330,000      \63\ 1.5 hrs.;     495,000 hrs.;       37,800
 TCA assets (ongoing) \61\                                                    $126               $41,580,000
Update/modify documentation to       1,100        1              1,100        20 hrs.; $1,680    6,875 hrs.;         1,680
 remove LERC and LEAP (one-time)                                                                 $1,848,000
 \60\
Update paperwork for access control  1,100        1              1,100        20 hrs.; $1,680    6,875 hrs.;         1,680
 implementation in Section 2 \64\                                                                $1,848,000
 and Section 3 \65\ (ongoing) \61\
----------------------------------------------------------------------------------------------------------------------
    Total (one-time) \60\            ...........  .............  2,200        .................  13,750 hrs.;        ...........
                                                                                                 $3,696,000
    Total (ongoing) \61\             ...........  .............  331,100      .................  501,875 hrs.;       ...........
                                                                                                 $43,428,000
----------------------------------------------------------------------------------------------------------------------

    45. The following shows the annual cost burden for each group, 
based on the burden hours in the table above:
---------------------------------------------------------------------------

    \59\ The loaded hourly wage figure (includes benefits) is based 
on the average of three occupational categories for 2016 found on 
the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
    Legal (Occupation Code: 23-0000): $143.68
    Electrical Engineer (Occupation Code: 17-2071): $68.12
    Office and Administrative Support (Occupation Code: 43-0000): 
$40.89
    ($143.68 + $68.12 + $40.89) / 3 = $84.23. The figure is rounded 
to $84.00 for use in calculating wage figures in this Final Rule.
    \60\ This one-time burden applies in Year One only.
    \61\ This ongoing burden applies in Year 2 and beyond.
    \62\ We estimate that each entity will perform 25 updates per 
month. 25 updates *12 months = 300 updates (i.e. responses) per 
year.
    \63\ The 1.5 hours of burden per response is comprised of three 
sub-categories:
    Updates to managed low TCA assets: 15 minutes (0.25 hours) per 
response
    Updates to unmanaged low TCA assets: 60 minutes (1 hour) per 
response
    Reviews of low TCA applicable controls: 15 minutes (0.25 hours) 
per response.
    \64\ Physical Security Controls.
    \65\ Electronic Access Controls.
---------------------------------------------------------------------------

     Year 1: $3,696,000.
     Years 2 and 3: $43,428,000.
     The paperwork burden estimate includes costs associated 
with the initial development of a policy to address requirements 
relating to: (1) Clarifying the obligations pertaining to electronic 
access control for low impact BES Cyber Systems; (2) adopting mandatory 
security controls for transient electronic devices (e.g., thumb drives, 
laptop computers, and other portable devices frequently connected to 
and disconnected from systems) used at low

[[Page 17920]]

impact BES Cyber Systems; and (3) requiring responsible entities to 
have a policy for declaring and responding to CIP Exceptional 
Circumstances related to low impact BES Cyber Systems. Further, the 
estimate reflects the assumption that costs incurred in year 1 will 
pertain to policy development, while costs in years 2 and 3 will 
reflect the burden associated with maintaining logs and other records 
to demonstrate ongoing compliance.
    46. Title: Mandatory Reliability Standards, Revised Critical 
Infrastructure Protection Reliability Standards.
    Action: Revision to FERC-725B information collection.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This Final Rule approves the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. As discussed above, the Commission approves 
NERC's revised CIP Reliability Standard CIP-003-7 pursuant to section 
215(d)(2) of the FPA because it improves upon the currently-effective 
suite of cyber security CIP Reliability Standards.
    Internal Review: The Commission has reviewed the Reliability 
Standard and made a determination that its action is necessary to 
implement section 215 of the FPA.
    47. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen 
Brown, Office of the Executive Director, email: [email protected], 
phone: (202) 502-8663, fax: (202) 273-0873].
    48. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Information and 
Regulatory Affairs, Office of Management and Budget, 725 17th Street 
NW, Washington, DC 20503 [Attention: Desk Officer for the Federal 
Energy Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-
7285]. For security reasons, comments to OMB should be submitted by 
email to: [email protected]. Comments submitted to OMB should 
include Docket Number RM17-11-000 and OMB Control Number 1902-0248.

IV. Regulatory Flexibility Act Analysis

    49. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of Final Rules that will have significant 
economic impact on a substantial number of small entities.\66\ The 
Small Business Administration's (SBA) Office of Size Standards develops 
the numerical definition of a small business.\67\ The SBA revised its 
size standard for electric utilities (effective January 22, 2014) to a 
standard based on the number of employees, including affiliates (from 
the prior standard based on megawatt hour sales).\68\ Reliability 
Standard CIP-003-7 is expected to impose an additional burden on 1,100 
entities \69\ (reliability coordinators, generator operators, generator 
owners, interchange coordinators or authorities, transmission 
operators, balancing authorities, transmission owners, and certain 
distribution providers).
---------------------------------------------------------------------------

    \66\ 5 U.S.C. 601-12 (2012).
    \67\ 13 CFR 121.101 (2017).
    \68\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77343 (Dec. 23, 2013).
    \69\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. For the analysis in this Final Rule, we are using a 
500 employee threshold due to each affected entity falling within 
the role of Electric Bulk Power Transmission and Control (NAICS 
Code: 221121).
---------------------------------------------------------------------------

    50. Of the 1,100 affected entities discussed above, we estimate 
that approximately 857 or 78 percent \70\ of the affected entities are 
small. As discussed above, Reliability Standard CIP-003-7 enhances 
reliability by providing criteria against which NERC and the Commission 
can evaluate the sufficiency of an entity's electronic access controls 
for low impact BES Cyber Systems, as well as improved security controls 
for transient electronic devices (e.g., thumb drives, laptop computers, 
and other portable devices frequently connected to and disconnected 
from systems). We estimate that each of the 857 small entities to whom 
the modifications to Reliability Standard CIP-003-7 applies will incur 
one-time costs of approximately $3,360 per entity to implement this 
standard, as well as the ongoing paperwork burden reflected in the 
Information Collection Statement (approximately $39,480 per year per 
entity). We do not consider the estimated costs for these 857 small 
entities to be a significant economic impact.
---------------------------------------------------------------------------

    \70\ 77.95 percent.
---------------------------------------------------------------------------

    51. Based on the above analysis, we certify that the approved 
Reliability Standard will not have a significant economic impact on a 
substantial number of small entities.

V. Environmental Analysis

    52. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\71\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\72\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \71\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \72\ 18 CFR 380.4(a)(2)(ii) (2017).
---------------------------------------------------------------------------

VI. Document Availability

    53. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    54. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field. User assistance is available for eLibrary and 
the Commission's website during normal business hours from the 
Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-
3676) or email at [email protected], or the Public Reference 
Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference 
Room at [email protected].

VII. Effective Date and Congressional Notification

    55. The Final Rule is effective June 25, 2018. The Commission has 
determined, with the concurrence of the Administrator of the Office of 
Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small

[[Page 17921]]

Business Regulatory Enforcement Fairness Act of 1996. This Final Rule 
is being submitted to the Senate, House, and Government Accountability 
Office.

    By the Commission.

    Issued: April 19, 2018.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2018-08610 Filed 4-24-18; 8:45 am]
 BILLING CODE 6717-01-P