Critical Infrastructure Protection Reliability Standard CIP-012-1-Cyber Security-Communications Between Control Centers, 8161-8169 [2020-02173]

Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations

impact on a substantial number of small entities.[49] The Small Business Administration’s (SBA) Office of Size Standards develops the numerical definition of a small business.[50] The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).[51]

37. Reliability Standard TPL–001–5 is expected to impose an additional burden on 214 entities [52] (PCs and TPs). Of the 214 affected entities discussed above, we estimate that approximately 10 percent of the affected entities are small entities. We estimate that each of the 21 small entities to whom the proposed modifications to proposed Reliability Standard TPL–001–5 apply will incur one-time costs of approximately $1,980 per entity to implement the proposed Reliability Standard. We do not consider the estimated costs for these 21 small entities to be a significant economic impact.

38. Accordingly, the Commission certifies that this final rule will not have a significant economic impact on a substantial number of small entities.

[48] 5 U.S.C. 601–612.
[49] Id.
[50] 13 CFR 121.101.
[51] Id. 121.201.
[52] Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. We are using a 500-employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).

VI. Document Availability

39. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through FERC’s Home Page (http://www.ferc.gov) and in FERC’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426.

40. From FERC’s Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field.

41. User assistance is available for eLibrary and the FERC’s website during normal business hours from FERC Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

42. These regulations are effective April 13, 2020. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a “major rule” as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. The rule will be provided to the Senate, House, Government Accountability Office, and the SBA.

By the Commission.
Issued: January 23, 2020.
Kimberly D. Bose, Secretary.

Note: The following appendix will not appear in the Code of Federal Regulations.

Appendix—List of Commenters

Abbreviation: Commenter
AF&PA: American Forest and Paper Association.
APS: Arizona Public Service Company.
BPA: Bonneville Power Administration.
Carder: William Carder.
MISO: Midcontinent Independent System Operator, Inc.
NERC: North American Electric Reliability Corporation.
Pugh: Theresa Pugh.
Trade Associations: American Public Power Association, Edison Electric Institute, Large Public Power Council, National Rural Electric Cooperative Association.
Tri-State: Tri-State Generation and Transmission Association, Inc.
TVA: Tennessee Valley Authority.

[FR Doc. 2020–02170 Filed 2–12–20; 8:45 am]
BILLING CODE 6717–01–P

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM18–20–000; ORDER NO. 866]

Critical Infrastructure Protection Reliability Standard CIP–012–1—Cyber Security—Communications Between Control Centers

AGENCY: Federal Energy Regulatory Commission.

ACTION: Final rule.

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves Reliability Standard CIP–012–1 (Cyber Security—Communications between Control Centers). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization, submitted Reliability Standard CIP–012–1 for Commission approval in response to a Commission directive. In addition, the Commission directs NERC to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.

DATES: This rule will become effective April 13, 2020.

FOR FURTHER INFORMATION CONTACT:
Vincent Le, (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6204, vincent.le@ferc.gov
Kevin Ryan, (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6840, kevin.ryan@ferc.gov

SUPPLEMENTARY INFORMATION:

1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),[1] the Commission approves Reliability Standard CIP–012–1 (Cyber Security—Communications between Control Centers). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standard CIP–012–1 for Commission approval in response to a Commission directive in Order No. 822.[2] In Order No. 822, the Commission directed NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communications links and sensitive bulk electric system data communicated between bulk electric system Control Centers “in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”[3]

2. Consistent with the directive in Order No. 822, Reliability Standard CIP–012–1 improves upon the currently-effective Critical Infrastructure Protection (CIP) Reliability Standards to mitigate cyber security risks associated with communications between bulk electric system Control Centers.
Specifically, Reliability Standard CIP–012–1 supports situational awareness and reliable bulk electric system operations by requiring responsible entities to protect the confidentiality and integrity of Real-time Assessment [4] and Real-time monitoring data transmitted between bulk electric system Control Centers. Accordingly, the Commission approves Reliability Standard CIP–012–1 because it is largely responsive to the Commission’s directive in Order No. 822 and improves the cyber security posture of responsible entities. We also approve the associated violation risk factors and violation severity levels, implementation plan, and effective date.

[1] 16 U.S.C. 824o(d)(2).
[2] Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 154 FERC ¶ 61,037, at P 53, order denying reh’g, Order No. 822–A, 156 FERC ¶ 61,052 (2016).
[3] 16 U.S.C. 824o(d)(5); Order No. 822, 154 FERC ¶ 61,037 at P 53.
[4] The NERC Glossary defines Real-time Assessment as, “An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: Load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase angle and equipment limitations. (Real-time Assessment may be provided through internal systems or through third-party services.)” NERC Glossary of Terms Used in NERC Reliability Standards (July 3, 2018).

3. In addition, pursuant to section 215(d)(5) of the FPA, the Commission directs NERC to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.
As discussed in the Notice of Proposed Rulemaking (NOPR), Reliability Standard CIP–012–1 does not require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers, as directed in Order No. 822.[5] In the NOPR, the Commission indicated that it did not agree with NERC’s assertion that currently-effective Reliability Standards address availability, and we are not persuaded by NOPR comments raising the same argument. Instead, pursuant to section 215(d)(5) of the FPA, we determine that the absence of a requirement that specifically pertains to the availability of communication links and data communicated between bulk electric system Control Centers represents a reliability gap in the CIP Reliability Standards that should be addressed by NERC.

[5] See Critical Infrastructure Protection Reliability Standard CIP–012–1—Cyber Security—Communication between Control Centers, Notice of Proposed Rulemaking, 167 FERC ¶ 61,055, at P 54 (2019) (NOPR).

4. The Commission, in the NOPR, also proposed to direct NERC to identify clearly the types of data that must be protected under Reliability Standard CIP–012–1. The NOPR expressed concern that Reliability Standard CIP–012–1 does not adequately identify the types of data covered by its requirements, due to, among other things, the fact that the term “Real-time monitoring” is not defined in the Reliability Standard or the NERC Glossary. After considering the NOPR comments, however, we determine not to direct the proposed modification based on the explanation of the types of data that must be protected set forth in the NOPR comments.

I. Background

A. Section 215 and Mandatory Reliability Standards

5. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by
the Commission independently.[6] Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,[7] and subsequently certified NERC.[8]

[6] 16 U.S.C. 824o(e).

B. Order No. 822

6. In Order No. 822, the Commission approved seven modified CIP Reliability Standards and directed NERC to develop additional modifications to the CIP Reliability Standards.[9] Specifically, the Commission directed that NERC, among other things, develop modifications to the CIP Reliability Standards to require that responsible entities implement controls to protect, at a minimum, communications links and sensitive bulk electric system data communicated between bulk electric system Control Centers “in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).”[10] The Commission observed that NERC, as well as other commenters in that proceeding, “recognize that inter-Control Center communications play a critical role in maintaining bulk electric system reliability by . . . helping to maintain situational awareness and support reliable operations through timely and accurate communication between Control Centers.”[11]

7. The Commission explained that Control Centers associated with responsible entities, including reliability coordinators, balancing authorities, and transmission operators, must be capable of receiving and storing a variety of bulk electric system data from their interconnected entities in order to adequately perform their reliability functions. The Commission, therefore, determined that “additional measures to protect both the integrity and availability of sensitive bulk electric system data are warranted.”[12] The Commission cautioned, however, that “not all communication network components and data pose the same risk to bulk electric system reliability and may not require the same level of
protection.”[13] Therefore, the Commission determined that NERC should develop controls that reflect the risk being addressed in a reasonable manner.

[7] Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, 114 FERC ¶ 61,104, order on reh’g, Order No. 672–A, 114 FERC ¶ 61,328 (2006).
[8] North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
[9] Order No. 822, 154 FERC ¶ 61,037 at PP 1, 3.
[10] Id. P 53.
[11] Id. P 54.
[12] Id.
[13] Id. P 56.

C. NERC Petition and Reliability Standard CIP–012–1

8. On September 18, 2018, NERC submitted for Commission approval proposed Reliability Standard CIP–012–1 and the associated violation risk factors and violation severity levels, implementation plan, and effective date.[14] NERC states that the purpose of Reliability Standard CIP–012–1 is to help maintain situational awareness and reliable bulk electric system operations by protecting the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

[14] Reliability Standard CIP–012–1 is not attached to this final rule. The Reliability Standard is available on the Commission’s eLibrary document retrieval system in Docket No. RM18–20–000 and on the NERC website, www.nerc.com.

9. NERC states that Reliability Standard CIP–012–1 “requires Responsible Entities to develop and implement a plan to address the risks posed by unauthorized disclosure (confidentiality) and unauthorized modification (integrity) of Real-time Assessment and Real-time monitoring data while being transmitted between applicable Control Centers.”[15] According to NERC, the required plan must include the following: (1) Identification of security protections; (2) identification of where the protections are applied; and (3) identification of the responsibilities of each entity in case a Control Center is owned or operated by different responsible entities.[16]

[15] NERC Petition at 10.
[16] Id. at 3.

10. As noted above, the types of data within the scope of Reliability Standard CIP–012–1 consist of Real-time Assessment and Real-time monitoring data exchanged between Control Centers. NERC states that it is critical that this information is accurate since responsible entities operate and monitor the bulk electric system based on this Real-time information. NERC explains that Reliability Standard CIP–012–1 “excludes other data typically transferred between Control Centers, such as Operational Planning Analysis data, that is not used by the Reliability Coordinator, Balancing Authority, and Transmission Operator in Real-time.”[17]

[17] Id. at 12.

11. NERC also indicates that data at rest and oral communications fall outside the scope of Reliability Standard CIP–012–1. Regarding data at rest, NERC states that the standard drafting team determined that since data at rest resides within BES Cyber Systems,[18] it is already protected by the controls mandated by Reliability Standards CIP–003–6 through CIP–011–2. According to NERC, oral communications are out of scope of Reliability Standard CIP–012–1 “because operators have the ability to terminate the call and initiate a new one via trusted means if they suspect a problem with, or compromise of, the communication channel.”[19] NERC notes that Reliability Standard COM–001–3 requires reliability coordinators, balancing authorities, and transmission operators to have alternative interpersonal communication capability, which could be used if there is a suspected compromise of oral communication on one channel.

[18] BES Cyber System is defined as “[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” NERC Glossary. The acronym BES refers to the bulk electric system.
[19] NERC Petition at 14.

D. Notice of Proposed Rulemaking

12. On April 18, 2019, the Commission issued a NOPR proposing to approve Reliability Standard CIP–012–1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest.[20] The NOPR stated that Reliability Standard CIP–012–1 is largely responsive to the Commission’s directive in Order No. 822 and improves the cyber security posture of the bulk electric system by requiring responsible entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between bulk electric system Control Centers, which supports situational awareness and reliable bulk electric system operations.

[20] NOPR, 167 FERC ¶ 61,055 at P 1.

13. While proposing to approve Reliability Standard CIP–012–1, the Commission also proposed to direct NERC to develop modifications to the CIP Reliability Standards to address potential reliability gaps. First, the NOPR stated that Reliability Standard CIP–012–1 does not require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers as directed in Order No. 822. The NOPR explained that the Commission was not persuaded by NERC’s explanation that certain currently-effective Reliability Standards address the issue of availability. Second, the NOPR raised a concern that Reliability Standard CIP–012–1 does not adequately identify the types of data covered by its requirements, due to, among other things, the fact that Real-time monitoring is not defined in the proposed Reliability Standard or the NERC Glossary.[21]

14. In response to the NOPR, eight entities submitted comments. A list of commenters appears in Appendix A. The discussion below addresses the proposals in the NOPR as well as the NOPR comments.

II. Discussion

15. Pursuant to section 215(d)(2) of the FPA, the Commission approves Reliability Standard CIP–012–1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. Reliability Standard CIP–012–1 largely addresses the Commission’s directive in Order No. 822 because it will enhance existing protections for bulk electric system reliability by augmenting the currently-effective CIP Reliability Standards to mitigate cyber security risks associated with communications between bulk electric system Control Centers. Reliability Standard CIP–012–1 achieves this by requiring responsible entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between bulk electric system Control Centers, thereby supporting situational awareness and reliable bulk electric system operations.

16. While the Commission approves Reliability Standard CIP–012–1, we also determine that the reliability risks identified in Order No. 822 will not be fully addressed with the implementation of the Reliability Standard.
As discussed below, a significant cyber security risk associated with the protection of communications links and sensitive bulk electric system data communicated between bulk electric system Control Centers remains because Reliability Standard CIP–012–1 does not address the availability of communication links and data communicated between bulk electric system Control Centers. To address this gap, the Commission directs NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers.

17. Below, we discuss the following issues: (A) Availability of bulk electric system communication links and data; and (B) scope of bulk electric system data that must be protected.

[21] Id. P 16.

A. Availability of Bulk Electric System Communication Links and Data

1. NOPR

18. The NOPR stated that Reliability Standard CIP–012–1 does not address the availability component of the Commission’s directive in Order No. 822. The NOPR identified this as a gap because ensuring timely and reliable access to and use of data is essential to the reliable operation of the bulk electric system. The NOPR indicated that the existing Reliability Standards cited in NERC’s petition do not require responsible entities to protect the availability of sensitive bulk electric system data in a manner consistent with Order No. 822.[22] In particular, the NOPR stated that the cited Reliability Standards either do not apply to communications between individual Control Centers or, while their effect may be to support availability, the Reliability Standards do not create an obligation to protect availability.[23]

2. Comments

19.
NERC, Trade Associations, Tri-State and IRC do not support a directive that addresses the availability of communication links and data communicated between bulk electric system Control Centers. Reclamation, Appelbaum, and Liu express support for the directive, while Bonneville offers qualified support.

20. Comments opposing the proposed directive largely reiterate the petition’s assertion that currently-effective Reliability Standards adequately protect the availability of communication links and data communicated between bulk electric system Control Centers. For example, NERC contends that “[w]hile IRO–002–5 and TOP–001–4 cover infrastructure within Control Centers, not between Control Centers, the requirements help protect the availability of data to be exchanged between Control Centers . . . [because] the data exchange infrastructure in scope of these requirements facilitates sending and receiving data between Control Centers.”[24] NERC explains that if “an applicable entity lost capability of some of this data exchange infrastructure, the applicable entity could continue to send and receive data between Control Centers because of the redundant data exchange infrastructure within its Control Center.”[25] In addition, NERC states that Reliability Standards IRO–010–2 and TOP–003–3 require applicable entities to use a mutually agreeable security protocol between Control Centers. NERC explains that this supports availability by helping to ensure that conflicting protocols do not impede receipt of data between Control Centers.

[22] Id. P 24.
[23] Id.
[24] NERC Comments at 5.
[25] Id.; see also Trade Associations Comments at 6–8, Tri-State Comments at 3.

21.
NERC also contends that Reliability Standard EOP–008–2 helps support the availability of communication links between Control Centers by requiring reliability coordinators to have backup Control Center facilities, or backup Control Center functionality for balancing authorities and transmission operators, in addition to their primary Control Centers. NERC explains that “[t]hese backup facilities supply redundancy of some communication links and data exchange infrastructure and capabilities at the backup Control Center.”[26] NERC further explains that entities with geographically diverse primary and backup Control Centers may have communication links that are physically separate from one another. NERC concludes that although “geographic diversity alone will not always provide redundancy of communication links, having backup Control Centers with different paths to communicate with other Control Centers helps support availability of communication links.”[27]

22. In addition, comments opposing the directive maintain that it is premature to require protections for the availability of the communication links and data at issue. NERC states that it recognizes that “there may be additional controls that could help address” risks to the availability of data and communication links and commits to “study the risks to availability of data and communication links between Control Centers and the current controls that support availability.”[28] Trade Associations, similarly, “encourage[s] the Commission to consider directing NERC to study the issue [of telecommunications security] to identify specific availability vulnerabilities and potential mitigation methods.”[29]

23.
IRC, while not supporting the proposed directive, “acknowledges that [the Commission] could require additional actions by responsible entities to promote the availability of [bulk electric system] communication links to the extent possible through contracts with telecommunications providers.”[30] IRC recommends a best efforts approach similar to how supply chain risks are addressed under Reliability Standard CIP–013–1. Specifically, IRC suggests that “NERC could adopt a standard that would require responsible entities, when negotiating these service contacts, to take reasonable steps or use best efforts to maximize the availability of communication links.”[31]

[26] NERC Comments at 7; see also Trade Associations Comments at 9–10.
[27] NERC Comments at 7.
[28] Id. at 8–9.
[29] Trade Associations Comments at 12.

24. Reclamation, in support of the Commission proposal, states that the availability of communication networks should encompass links between Control Centers owned by the same entity as well as Control Centers owned by different entities. Reclamation maintains that the requirements for electronic communications be parallel to the following requirements for oral communication contained in Reliability Standard COM–001–3: (1) Have electronic communication capability; (2) designate alternative electronic communication capability in the event of a failure of the primary communication capability; (3) test the alternate method of electronic communication; (4) notify the entity on the other end of the communication path if a failure is detected; and (5) establish mutually agreeable action to restore the electronic communication capability.

25. As an initial matter, Bonneville recommends delaying approval of Reliability Standard CIP–012–1 until NERC conducts a pilot project to study the most effective way to encrypt data while ensuring the data is available to responsible entities.
However, if the Commission approves the Reliability Standard, Bonneville “agrees with the Commission’s proposal to address the availability of communication links and data communicated between Control Centers.”[32] Bonneville explains that maintaining the availability of the communication links includes addressing both redundancy and recovery. Therefore, Bonneville recommends that, if Reliability Standard CIP–012–1 is approved, “the Commission order NERC to adopt modifications requiring Responsible Entities to have incident recovery plans/continuity of operation plans addressing planning for recovery time, capability, and capacity.”[33] Similarly, Appelbaum supports the proposed directive and contends that “a requirement for a continuing operations plan for loss of critical data resulting for the loss of Control Center functionality should be directed.”[34]

[30] IRC Comments at 3 (emphasis in original).
[31] Id.
[32] Bonneville Comments at 5.
[33] Id. at 6.

3. Commission Determination

26. We determine that modifications to the CIP Reliability Standards to address the availability of communication links and data communicated between bulk electric system control centers will enhance bulk electric system reliability. As the Commission stated in Order No. 822, bulk electric system Control Centers “must be capable of receiving and storing a variety of sensitive bulk electric system data from interconnected entities.”[35] We are not persuaded by the contention in the petition and comments that currently-effective Reliability Standards adequately address the directive in Order No. 822 regarding availability. Instead, we determine that the Reliability Standards cited by NERC either do not apply to communications between Control Centers or do not create an obligation to protect the availability of data between Control Centers.
Accordingly, the directed modifications to the CIP Reliability Standards are not duplicative of existing Reliability Standards. 27. As the Commission explained in the NOPR, the existing Reliability Standards cited by NERC are not responsive to the availability directive in Order No. 822.36 Reliability Standards IRO–002–5 and TOP–001–4 require responsible entities to have redundant and diversely routed data exchange infrastructure within the Control Center environment, but they do not address communications between individual Control Centers, which was the subject of the Commission’s directive in Order No. 822.37 While it is true that the infrastructure associated with communications within Control Centers may be useful to data exchange between Control Centers, nothing in the cited Reliability Standards creates an obligation to maintain data availability between Control Centers. Similarly, Reliability Standards IRO–010–2 and TOP–003–3 require responsible entities to have mutually agreeable security protocols for exchange of Real-time data, which may have the effect of contributing to greater availability; however, these requirements do not create an obligation, as directed in Order No. 822, to protect the availability of those communication capabilities and Comments at 7. No. 822, 154 FERC ¶ 61,037 at P 54. 36 NOPR, 167 FERC ¶ 61,055 at P 24. 37 NOPR, 167 FERC ¶ 61,055 at P 24; NERC Comments at 5 (‘‘IRO–002–5 and TOP–011–4 cover infrastructure within Control Centers, not between Control Centers’’). associated data by applying appropriate security controls. 28. As the NOPR explained, creating an obligation to protect availability, while affording flexibility in terms of what data is protected and how, is distinct from relying on currentlyeffective Reliability Standards whose effect may be to support availability.38 The comments do not offer a new or persuasive reason to alter this view. 
For example, the Trade Associations repeat the line of reasoning in the NERC petition by ‘‘encourag[ing] the Commission to focus holistically on the broad requirements contained with [the] IRO and TOP standards, which focus on the performance requirements necessary to support Real-time monitoring and Real-time Assessments.’’ 39 In this circumstance, we disagree with that approach because, as the Commission observed in Order No. 822, ‘‘NERC and other commenters recognize that interControl Center communications play a critical role in maintaining bulk electric system reliability by, among other things, helping to maintain situational awareness and reliable bulk electric system operations through timely and accurate communication between Control Center.’’ 40 Thus, the holistic view urged by Trade Associations does not address the gap recognized by the Commission in Order No. 822. 29. The contention in NERC’s comments that Reliability Standard EOP–008–2 could also help maintain the availability of communication links between bulk electric system Control Centers, rests on the same reasoning that the ancillary benefits of an existing Reliability Standard addresses the reliability gap identified by the Commission and concomitant availability directive in Order No. 822. While we agree that a requirement to maintain a backup Control Center arguably provides a level of redundancy for a responsible entity’s overall operations, it does not require redundant and diversely routed communication paths between either the primary and backup Control Centers or third-party Control Centers. 30. In addition, we do not agree that it is premature to require protections for the availability of the communication links and data communicated between bulk electric system Control Centers. 
While NERC and Trade Associations advocate further study of the risks associated with availability, we conclude that the risks associated with losing the availability of either data or communication links between bulk electric system Control Centers is supported by the existing record and warrants a directive to modify the CIP Reliability Standards.\41\

\38\ NOPR, 167 FERC ¶ 61,055 at P 24; NERC Comments at 6–7 (stating that alarms, recovery plans, and the ability to disable data encryption also support data availability).
\39\ Trade Associations Comments at 8.
\40\ Order No. 822, 154 FERC ¶ 61,037 at P 54.

31. We address several related issues raised in the comments. Commenters raise a concern that directing NERC to address requirements for certain aspects of availability, in particular redundancy and diverse routing, could have significant impacts on responsible entities using third-party telecommunications providers. Specifically, Trade Associations notes that responsible entities ‘‘may not have sufficient control over the design of these networks to ensure that such requirements are met.’’ \42\ Without control over these networks, commenters suggest that the only options for addressing availability would be to construct costly private networks or implement less secure internet-based connections.\43\

32. We are not persuaded by these arguments.
Rather, as IRC correctly notes in its discussion of the challenges raised in securing third-party telecommunications networks, while the Commission lacks jurisdiction over telecommunication service providers that may own and operate the communication links between bulk electric system Control Centers, the Commission has the authority to require responsible entities to take actions to promote the availability of communication links through service contracts with network providers.\44\ For example, entities could enter into service contracts with telecommunication service providers that include an agreed-upon quality of service commitment to maintain the availability of the data exchange capability to minimize the availability risk. Such arrangements would mirror the approach in Reliability Standard CIP–013–1 (Cyber Security—Supply Chain Risk Management), which also involved non-jurisdictional entities.\45\ NERC should likewise consider allowing responsible entities to contract with telecommunication service providers to minimize the risk of loss of availability of communication links and data communicated between bulk electric system Control Centers in cases where communications between Control Centers are managed by a third party.

\41\ See Appelbaum Comments at 7, Bonneville Comments at 5, IRC Comments at 3, Dr. Liu Comments at 1, Reclamation Comments at 1.
\42\ Trade Associations Comments at 12.
\43\ See, e.g., id., Tri-State Comments at 2.
\44\ IRC Comments at 3.
\45\ The currently-approved supply chain risk management Reliability Standard exempts communication networks and data links between discrete Electronic Security Perimeters. See NERC Reliability Standard CIP–013–1, Applicability Section 4.2.3.2.

33.
We agree with Reclamation’s comment that protections for the availability of communication links and data communicated between bulk electric system Control Centers should encompass both entity-owned and third-party owned Control Centers. The intent of the Commission’s directive is for NERC to address the risks associated with the availability of communication links and data communicated between all bulk electric system Control Centers, which will require coordination between neighboring responsible entities.

34. We reject Bonneville’s recommendation that the Commission delay approval of Reliability Standard CIP–012–1 to allow for a pilot project on encryption. The record in this proceeding does not support a delay, and Bonneville’s request conflicts with the implementation plan proposed by NERC.\46\ Moreover, the standard drafting team addressed the Commission’s finding on this issue in Order No. 822. In Order No. 822, the Commission stated ‘‘that any lag in communication speed resulting from implementation of protections should only be measurable on the order of milliseconds and, therefore, will not adversely impact Control Center communications . . . [but that] technical issues should be considered by the standard drafting team . . . e.g., by making certain aspects of the revised CIP Standards eligible for Technical Feasibility Exceptions.’’ \47\ In response, NERC stated that the standard drafting team ‘‘developed an objective-based rather than prescriptive requirement . . . [that] will allow Responsible Entities flexibility in mitigating the risks posed . . . in a manner suited to each of their respective operational environments.’’ \48\ Accordingly, we determine not to delay approval of Reliability Standard CIP–012–1.

35. We agree with Bonneville and Appelbaum that maintaining the availability of communication networks and data should include provisions for incident recovery and continuity of operations in a responsible entity’s compliance plan.
We recognize that the redundancy of communication links cannot always be guaranteed; responsible entities should therefore plan for both recovery of compromised communication links and use of backup communication capability should it be needed for redundancy (i.e., satellite or other alternate backup communications).

\46\ See NERC Petition at Exhibit B.
\47\ Order No. 822, 154 FERC ¶ 61,037 at P 62.
\48\ NERC Petition, Exhibit D (Consideration of Issues and Directives) at 7.

36. Accordingly, pursuant to section 215(d)(5) of the FPA, we direct that NERC develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers, as discussed above.

B. Scope of Bulk Electric System Data That Must Be Protected

1. NOPR

37. The NOPR observed that Reliability Standard CIP–012–1 requires the protection of Real-time Assessment and Real-time monitoring data. The Commission explained that while Real-time Assessment is defined in the NERC Glossary, Real-time monitoring data is not defined. Accordingly, the NOPR expressed concern that Reliability Standard CIP–012–1 does not clearly indicate the types of data to be protected. To address this, the Commission proposed to direct that NERC develop modifications to the CIP Reliability Standards to clearly identify the types of data that must be protected, including whether a NERC Glossary definition of Real-time monitoring would assist with implementation and compliance.

2. Comments

38. Appelbaum and Reclamation support the development of one or more definitions. Specifically, Reclamation recommends that the Commission direct NERC to develop definitions for the terms: (1) Real-time monitoring data; (2) Real-time data; (3) BES Data; (4) Operational Data; (5) System Planning Data; (6) availability and (7) Real-time monitoring.
Appelbaum supports requiring a definition of Real-time monitoring given its importance to triggering alarms that system operators respond to and because it is an input to automatic dispatch.

39. NERC and other commenters maintain that a directive is unnecessary because the terms Real-time Assessment and Real-time monitoring are clear. NERC states that the ‘‘language used in proposed Reliability Standard CIP–012–1, ‘Real-time Assessment and Real-time monitoring data,’ is sufficient to identify the data as described in TOP–003–3 and IRO–010–2.’’ \49\ Specifically, NERC explains that since the IRO and TOP Reliability Standards are the only currently-effective Reliability Standards that use the phrase Real-time monitoring and the term Real-time Assessment, ‘‘[c]ompliance with these standards defines the data that is used in Real-time monitoring and Real-time Assessments.’’ \50\ NERC concludes that by ‘‘using this language that is only referenced in the IRO and TOP Reliability Standards families, proposed CIP–012–1 brings the data identified pursuant to TOP–003–3 and IRO–010–2 into scope.’’ \51\

40. Trade Associations and IRC concur with NERC that the scope of data subject to the requirements of proposed Reliability Standard CIP–012–1 is adequately clear. According to Trade Associations, responsible Entities and NERC understand that the types of data covered in CIP–012–1 is the data specified for Real-time Assessment and Real-time monitoring under TOP–003 and IRO–010.
Similarly, IRC notes that ‘‘all responsible entities must already know the universe of data needed for Real-time Assessment and Real-time monitoring activities in order to comply with NERC Reliability Standards TOP–003–3 and IRO–010–2.’’ \52\ Regarding the concern raised in the NOPR that the term Real-time monitoring is not defined, IRC states that it ‘‘sees no reason that the term should be presumed to mean something different from what it means in other places where it is used in the NERC Reliability Standards.’’ \53\

41. While Bonneville does not take a position on the NOPR proposal, it notes a concern over ‘‘creating a compliance requirement to identify how different types of information are protected.’’ \54\ Bonneville states that, generally, the use of the same data exchange infrastructure will result in all data using that infrastructure receiving the same protection regardless of data type. Therefore, Bonneville avers that, if the Commission directs NERC to define the scope of data to be protected, then ‘‘a Responsible Entity should have the option to show that all data types are protected at the highest level using the same security protocols, without having to identify and show how specific types of data are protected.’’ \55\

\50\ Id.
\51\ Id.
\52\ IRC Comments at 4.
\53\ Id.
54 Reclamation 49 NERC Comments at 10. 55 Id. Comments at 6.

3. Commission Determination

42. In view of the comments, we determine not to adopt the NOPR proposal to direct modifications to define the scope of data covered by Reliability Standard CIP–012–1. NERC, Trade Associations and IRC agree that Reliability Standard CIP–012–1 requires the protection of Real-time Assessment and Real-time monitoring data identified under Reliability Standards TOP–003–3 and IRO–010–2.
This point is also confirmed in the Technical Rationale document for Reliability Standard CIP–012–1.\56\ We are persuaded that responsible entities must know the types of data needed for Real-time Assessment and Real-time monitoring activities in order to comply with Reliability Standards TOP–003–3 and IRO–010–2.

43. With this understanding, we are satisfied that the data protected under Reliability Standard CIP–012–1 is the same data identified under Reliability Standards TOP–003–3 and IRO–010–2. We determine that this clarification addresses the concern in the NOPR that not defining the types of data that must be protected under Reliability Standard CIP–012–1 could result in uneven compliance and enforcement. In addition, we agree with Bonneville that responsible entities may show that all data types are protected at the highest level using the same security protocols, without having to identify and show how specific types of data are protected, so long as the security protocols are reasonable.

III. Information Collection Statement

44. The FERC–725B information collection requirements contained in this final rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.\57\ OMB’s regulations require approval of certain information collection requirements imposed by agency rules.\58\ Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to the collection of information unless the collection of information displays a valid OMB control number.

45. The Commission received no comments on the validity of the burden and cost estimates in the NOPR. The Commission is updating the burden estimates and labor costs contained in the NOPR.
The Commission in this final rule corrected an error from the NOPR in the row ‘‘Identification of Security Protection Application (if not owned by same Responsible Entity) (Requirement R1.3)’’ where the total number of hours was understated by 100,000, and all calculations based upon this error.

46. The Commission is submitting these reporting and recordkeeping requirements to OMB for its review and approval under section 3507(d) of the PRA. Comments are solicited on the Commission’s need for this information, whether the information will have practical utility, the accuracy of the provided burden estimate, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent’s burden, including the use of automated information techniques.

47. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by Reliability Standard CIP–012–1.

48. The NERC Compliance Registry, as of December 2019, identifies approximately 1,482 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 719 entities will face an increased paperwork burden under proposed Reliability Standard CIP–012–1. Based on these assumptions, we estimate the following reporting burden:

FERC–725B—MODIFICATIONS DUE TO THE FINAL RULE IN DOCKET NO. RM18–20–000

 | Number of respondents (1) | Number of responses \59\ per respondent (2) | Total number of responses (1) × (2) = (3) | Avg. burden hrs. & cost per response \60\ (4) | Total annual burden hours & total annual cost (3) × (4) = (5)
-----------------------------------------------------------------------
Implementation of Documented Plan(s) (Requirement R1) \61\ | 719 | 1 | 719 | 128 hrs.; $11,776 | 92,032 hrs.; $8,466,944
Document Identification of Security Protection (Requirement R1.1) \61\ | 719 | 1 | 719 | 40 hrs.; $3,680 | 28,560 hrs.; $2,645,920
Identification of Security Protection Application (if owned by same Responsible Entity) (Requirement R1.2) \61\ | 719 | 1 | 719 | 20 hrs.; $1,840 | 14,280 hrs.; $1,322,960
Identification of Security Protection Application (if not owned by same Responsible Entity) (Requirement R1.3) \61\ | 719 | 1 | 719 | 160 hrs.; $14,720 | 14,240 hrs.; $10,583,680
Maintaining Compliance (ongoing, starting in Year 2) | 719 | 1 | 719 | 83 hrs.; $7,636 | 59,677 hrs.; $5,490,284
Total (one-time, in Year 1) | | | 2,876 | | 250,212 hrs.; $23,019,504
Total (ongoing, starting in Year 2) | | | 719 | | 59,677 hrs.; $5,490,284

\56\ NERC Petition, Exhibit F (Technical Rationale) at 1–2.
\57\ 44 U.S.C. 3507(d).
\58\ 5 CFR 1320.
\59\ We consider the filing of an application to be a ‘‘response.’’
\60\ The hourly cost for wages plus benefits is based on the average of the occupational categories for 2018 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
Information Security Analysts (Occupation Code: 15–1122): $61.494
Computer and Mathematical (Occupation Code: 15–0000): $63.54
Legal (Occupation Code: 23–0000): $142.86
Computer and Information Systems Managers (Occupation Code: 11–3021): $98.81.
These various occupational categories’ wage figures are averaged as follows: ($61.494/hour + $63.54/hour + $142.86/hour + $98.81/hour) ÷ 4 = $91.70/hour. The resulting wage figure is rounded to $92.00/hour for use in calculating wage figures in the final rule in Docket No. RM18–20–000.
\61\ This includes the record retention costs for the one-time and the on-going reporting documents.

49.
The one-time burden (in Year 1) for the FERC–725B information collection will be averaged over three years:
• 250,212 hours ÷ 3 = 83,404 hours/year over Years 1–3
• The number of one-time responses for the FERC–725B information collection is also averaged over Years 1–3: 2,876 responses ÷ 3 = 959 responses/year

50. The average annual number (for Years 1–3) of responses and burden for one-time and ongoing burden will total:
• 1,678 responses [959 responses (one-time) + 719 responses (ongoing)]
• 143,081 burden hours [83,404 hours (one-time) + 59,677 hours (ongoing)]

51. Title: Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards.
Action: Revisions to FERC–725B information collection.
OMB Control No.: 1902–0248.
Respondents: Businesses or other for-profit institutions; not-for-profit institutions.
Frequency of Responses: One-time and Ongoing.
Necessity of the Information: This final rule approves the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission approves NERC’s proposed Reliability Standard CIP–012–1 pursuant to section 215(d)(2) of the FPA because they improve upon the currently-effective suite of cyber security Reliability Standards.
Internal Review: The Commission has reviewed the proposed Reliability Standard and made a determination that its action is necessary to implement section 215 of the FPA.

52. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502–8663, fax: (202) 273–0873].

53.
Please send comments concerning the collection of information and the associated burden estimate to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, 725 17th Street NW, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission]. For security reasons, comments to OMB should be submitted by email to: oira_submission@omb.eop.gov. Comments submitted to OMB should include FERC–725B (OMB Control No. 1902–0248).

IV. Environmental Analysis

54. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.\62\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\63\ The actions proposed herein fall within this categorical exclusion in the Commission’s regulations.

V. Regulatory Flexibility Act Analysis

55. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed and final rules that will have significant economic impact on a substantial number of small entities.\64\ The Small Business Administration’s (SBA) Office of Size Standards develops the numerical definition of a small business.\65\ The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).\66\

56.
Reliability Standard CIP–012–1 is expected to impose an additional burden on 719 entities \67\ (reliability coordinators [RC], generator operators [GOP], generator owners [GO], transmission operators [TOP], balancing authorities [BA], and transmission owners [TO]).

\62\ Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
\63\ 18 CFR 380.4(a)(2)(ii).
\64\ 5 U.S.C. 601–12.
\65\ 13 CFR 121.101.
\66\ 13 CFR 121.201, Subsection 221.
\67\ Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. These entities may be included in the SBA categories for: Hydroelectric Power Generation, Fossil Fuel Electric Power Generation, Nuclear Electric Power Generation, Solar Electric Power Generation, Wind Electric Power Generation, Geothermal Electric Power Generation, Biomass Electric Power Generation, Other Electric Power Generation, Biomass Electric Power Generation, or Electric Bulk Power Transmission and Control. These categories have thresholds for small entities varying from 250–750 employees. For the analysis in this final rule, we are using a conservative threshold of 750 employees.

57. Of the 719 affected entities discussed above, we estimate that approximately 82 percent of the affected entities are small entities. We estimate that each of the 590 small entities to whom the modifications to Reliability Standard CIP–012–1 apply will incur one-time, non-paperwork cost in Year 1 of approximately $17,051, plus paperwork cost in Year 1 of $32,016, giving a total cost in Year 1 of $49,067. In Year 2 and Year 3, each entity will incur only the ongoing annual paperwork cost of $7,594. We do not consider the estimated costs for these 590 small entities to be a significant economic impact.

58.
Accordingly, we certify that Reliability Standard CIP–012–1 will not have a significant economic impact on a substantial number of small entities.

VI. Effective Date and Congressional Notification

59. This final rule is effective April 13, 2020. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ‘‘major rule’’ as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. This final rule is being submitted to the Senate, House, and Government Accountability Office.

VII. Document Availability

60. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission’s Home Page (http://www.ferc.gov) and in the Commission’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426.

61. From the Commission’s Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field.

62. User assistance is available for eLibrary and the Commission’s website during normal business hours from the Commission’s Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

By the Commission.
Issued: January 23, 2020.
Kimberly D. Bose, Secretary.

Note: The following Appendix will not appear in the Code of Federal Regulations.

APPENDIX—COMMENTERS

Abbreviation | Commenter
-----------------------------------------------------------------------
Appelbaum | Jonathan Appelbaum.
Bonneville | Bonneville Power Administration.
IRC | ISO/RTO Council.
Dr. Liu | Dr. Chen-Ching Liu.
NERC | North American Electric Reliability Corporation.
Reclamation | Bureau of Reclamation.
Trade Associations | American Public Power Association, Edison Electric Institute, National Rural Electric Cooperative Association.
Tri-State | Tri-State Generation and Transmission Association, Inc.

[FR Doc. 2020–02173 Filed 2–12–20; 8:45 am]
BILLING CODE 6717–01–P

-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Coast Guard

33 CFR Parts 1, 100, 110, and 165

[Docket No. USCG–2018–0533]

RIN 1625–ZA38

Navigation and Navigable Waters, and Shipping; Technical, Organizational, and Conforming Amendments for U.S. Coast Guard Field Districts 5, 8, 9, 11, 13, 14, and 17

AGENCY: Coast Guard, DHS.

ACTION: Final rule.

SUMMARY: The Coast Guard is issuing non-substantive technical, organizational, and conforming amendments to existing regulations in parts 1, 100, 110, and 165 of Title 33 of the Code of Federal Regulations. These amendments update and clarify general regulations in part 1, and update regulations for Field Districts 5, 8, 9, 11, 13, 14, and 17 to reflect the current status of regulated navigation areas, special local regulations, anchorages, safety zones, and security zones. This rule will have no substantive effect on the regulated public.

DATES: This final rule is effective March 16, 2020.

FOR FURTHER INFORMATION CONTACT: For information about this document call or email Dominique Christianson, Coast Guard; telephone 202–372–3856, email Dominique.Christianson@uscg.mil.

SUPPLEMENTARY INFORMATION:

Table of Contents for Preamble

I. Abbreviations
II. Regulatory History
III. Basis and Purpose
IV. Discussion of Rule
V. Regulatory Analyses
A. Regulatory Planning and Review
B. Impact on Small Entities
C. Assistance for Small Entities
D. Collection of Information
E. Federalism
F. Unfunded Mandates Reform Act
G. Taking of Private Property
H. Civil Justice Reform
I. Protection of Children
J. Indian Tribal Governments
K. Energy Effects
L. Technical Standards
M. Environment

I. Abbreviations

CFR Code of Federal Regulations
CG–LRA Office of Regulations and Administrative Law
COTP Captain of the Port
DHS Department of Homeland Security
FR Federal Register
OMB Office of Management and Budget
§ Section
U.S.C. United States Code

II. Regulatory History

We did not publish a notice of proposed rulemaking for this rule. Under Title 5 of the United States Code (U.S.C.), section 553(b)(A), the Coast Guard finds that this rule is exempt from notice and public comment rulemaking requirements because these changes involve rules of agency organization, procedure, or practice. In addition, the Coast Guard finds that notice and comment procedures are unnecessary under 5 U.S.C. 553(b)(B), as this rule consists only of technical and editorial corrections, and these changes will have no substantive effect on the public.

III. Basis and Purpose

This rulemaking project was identified as part of the Coast Guard’s Regulatory Reform Task Force Initiative. These field regulation changes were identified as part of the deregulation identification process required by Executive Order 13771 (Reducing Regulation and Controlling Regulatory Costs), Executive Order 13777 (Enforcing the Regulatory Reform Agenda Deregulatory Process), and associated guidance issued in 2017. This rule makes technical and editorial corrections in Title 33 of the Code of Federal Regulations (CFR). Specifically, the rule removes safety zones, security zones, and special local regulations where the event is no longer held. This rule also removes special anchorage areas that are no longer used, and redesignates certain special anchorage areas in the Hawaiian Islands and Guam so they are grouped in the CFR as District 14 anchorages. Additionally, the rule removes outdated references to penalties in regulations governing certain regulated navigation areas in Florida and Georgia, and updates Captain of the Port (COTP) information in regulations for certain regulated navigation areas and security zones in Kentucky, Ohio, and Missouri. These changes are necessary to correct errors, change addresses, and make other nonsubstantive changes that improve the clarity of the CFR. This rule does not create or change any substantive requirements. The changes to 33 CFR part 1 are authorized under 14 U.S.C. 503, which grants the Secretary of the Department of Homeland Security (DHS) broad authority to promulgate such regulations as are appropriate to carry out the provisions of any law applicable to the Coast Guard. The changes to 33


[Federal Register Volume 85, Number 30 (Thursday, February 13, 2020)]
[Rules and Regulations]
[Pages 8161-8169]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-02173]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM18-20-000; ORDER NO. 866]


Critical Infrastructure Protection Reliability Standard CIP-012-1--Cyber Security--Communications Between Control Centers

AGENCY: Federal Energy Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves 
Reliability Standard CIP-012-1 (Cyber Security--Communications between 
Control Centers). The North American Electric Reliability Corporation 
(NERC), the Commission-certified Electric Reliability Organization, 
submitted Reliability Standard CIP-012-1 for Commission approval in 
response to a Commission directive. In addition, the Commission directs 
NERC to develop modifications to the CIP Reliability Standards to 
require protections regarding the availability of communication links 
and data communicated between bulk electric system Control Centers.

DATES: This rule will become effective April 13, 2020.

FOR FURTHER INFORMATION CONTACT:
Vincent Le, (Technical Information), Office of Electric Reliability, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6204
Kevin Ryan, (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE, Washington, DC 
20426, (202) 502-6840

SUPPLEMENTARY INFORMATION: 

[[Page 8162]]

    1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\ 
the Commission approves Reliability Standard CIP-012-1 (Cyber 
Security--Communications between Control Centers). The North American 
Electric Reliability Corporation (NERC), the Commission-certified 
Electric Reliability Organization (ERO), submitted Reliability Standard 
CIP-012-1 for Commission approval in response to a Commission directive 
in Order No. 822.\2\ In Order No. 822, the Commission directed NERC, 
pursuant to section 215(d)(5) of the FPA, to develop modifications to 
the Reliability Standards to require responsible entities to implement 
controls to protect, at a minimum, communications links and sensitive 
bulk electric system data communicated between bulk electric system 
Control Centers ``in a manner that is appropriately tailored to address 
the risks posed to the bulk electric system by the assets being 
protected (i.e., high, medium, or low impact).'' \3\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(2).
    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 822, 154 FERC ¶ 61,037, at P 53, order denying 
reh'g, Order No. 822-A, 156 FERC ¶ 61,052 (2016).
    \3\ 16 U.S.C. 824o(d)(5); Order No. 822, 154 FERC ¶ 61,037 at P 
53.
---------------------------------------------------------------------------

    2. Consistent with the directive in Order No. 822, Reliability 
Standard CIP-012-1 improves upon the currently-effective Critical 
Infrastructure Protection (CIP) Reliability Standards to mitigate cyber 
security risks associated with communications between bulk electric 
system Control Centers. Specifically, Reliability Standard CIP-012-1 
supports situational awareness and reliable bulk electric system 
operations by requiring responsible entities to protect the 
confidentiality and integrity of Real-time Assessment \4\ and Real-time 
monitoring data transmitted between bulk electric system Control 
Centers. Accordingly, the Commission approves Reliability Standard 
CIP-012-1 because it is largely responsive to the Commission's directive in 
Order No. 822 and improves the cyber security posture of responsible 
entities. We also approve the associated violation risk factors and 
violation severity levels, implementation plan, and effective date.
---------------------------------------------------------------------------

    \4\ The NERC Glossary defines Real-time Assessment as, ``An 
evaluation of system conditions using Real-time data to assess 
existing (pre-Contingency) and potential (post-Contingency) 
operating conditions. The assessment shall reflect applicable inputs 
including, but not limited to: Load, generation output levels, known 
Protection System and Special Protection System status or 
degradation, Transmission outages, generator outages, Interchange, 
Facility Ratings, and identified phase angle and equipment 
limitations. (Real-time Assessment may be provided through internal 
systems or through third-party services.)'' NERC Glossary of Terms 
Used in NERC Reliability Standards (July 3, 2018).
---------------------------------------------------------------------------

    3. In addition, pursuant to section 215(d)(5) of the FPA, the 
Commission directs NERC to develop modifications to the CIP Reliability 
Standards to require protections regarding the availability of 
communication links and data communicated between bulk electric system 
Control Centers. As discussed in the Notice of Proposed Rulemaking 
(NOPR), Reliability Standard CIP-012-1 does not require protections 
regarding the availability of communication links and data communicated 
between bulk electric system Control Centers, as directed in Order No. 
822.\5\ In the NOPR, the Commission indicated that it did not agree 
with NERC's assertion that currently-effective Reliability Standards 
address availability, and we are not persuaded by NOPR comments raising 
the same argument. Instead, pursuant to section 215(d)(5) of the FPA, 
we determine that the absence of a requirement that specifically 
pertains to the availability of communication links and data 
communicated between bulk electric system Control Centers represents a 
reliability gap in the CIP Reliability Standards that should be 
addressed by NERC.
---------------------------------------------------------------------------

    \5\ See Critical Infrastructure Protection Reliability Standard 
CIP-012-1--Cyber Security--Communication between Control Centers, 
Notice of Proposed Rulemaking, 167 FERC ¶ 61,055, at P 54 (2019) 
(NOPR).
---------------------------------------------------------------------------

    4. The Commission, in the NOPR, also proposed to direct NERC to 
identify clearly the types of data that must be protected under 
Reliability Standard CIP-012-1. The NOPR expressed concern that 
Reliability Standard CIP-012-1 does not adequately identify the types 
of data covered by its requirements, due to, among other things, the 
fact that the term ``Real-time monitoring'' is not defined in the 
Reliability Standard or the NERC Glossary. After considering the NOPR 
comments, however, we determine not to direct the proposed modification 
based on the explanation of the types of data that must be protected 
set forth in the NOPR comments.

I. Background

A. Section 215 and Mandatory Reliability Standards

    5. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Reliability Standards may be enforced 
by the ERO, subject to Commission oversight, or by the Commission 
independently.\6\ Pursuant to section 215 of the FPA, the Commission 
established a process to select and certify an ERO,\7\ and subsequently 
certified NERC.\8\
---------------------------------------------------------------------------

    \6\ 16 U.S.C. 824o(e).
    \7\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, 114 
FERC ¶ 61,104, order on reh'g, Order No. 672-A, 114 FERC ¶ 61,328 
(2006).
    \8\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 822

    6. In Order No. 822, the Commission approved seven modified CIP 
Reliability Standards and directed NERC to develop additional 
modifications to the CIP Reliability Standards.\9\ Specifically, the 
Commission directed that NERC, among other things, develop 
modifications to the CIP Reliability Standards to require that 
responsible entities implement controls to protect, at a minimum, 
communications links and sensitive bulk electric system data 
communicated between bulk electric system Control Centers ``in a manner 
that is appropriately tailored to address the risks posed to the bulk 
electric system by the assets being protected (i.e., high, medium, or 
low impact).'' \10\ The Commission observed that NERC, as well as other 
commenters in that proceeding, ``recognize that inter-Control Center 
communications play a critical role in maintaining bulk electric system 
reliability by . . . helping to maintain situational awareness and 
support reliable operations through timely and accurate communication 
between Control Centers.'' \11\
---------------------------------------------------------------------------

    \9\ Order No. 822, 154 FERC ¶ 61,037 at PP 1, 3.
    \10\ Id. P 53.
    \11\ Id. P 54.
---------------------------------------------------------------------------

    7. The Commission explained that Control Centers associated with 
responsible entities, including reliability coordinators, balancing 
authorities, and transmission operators, must be capable of receiving 
and storing a variety of bulk electric system data from their 
interconnected entities in order to adequately perform their 
reliability functions. The Commission, therefore, determined that 
``additional measures to protect both the integrity and availability of 
sensitive bulk electric system data are warranted.'' \12\
---------------------------------------------------------------------------

    \12\ Id.
---------------------------------------------------------------------------

    The Commission cautioned, however, that ``not all communication 
network components and data pose the same risk to bulk electric system 
reliability and may not require the same level of 
protection.'' \13\ Therefore, the Commission determined that NERC 
should develop controls that reflect the risk being addressed in a 
reasonable manner.
---------------------------------------------------------------------------

    \13\ Id. P 56.
---------------------------------------------------------------------------

C. NERC Petition and Reliability Standard CIP-012-1

    8. On September 18, 2018, NERC submitted for Commission approval 
proposed Reliability Standard CIP-012-1 and the associated violation 
risk factors and violation severity levels, implementation plan, and 
effective date.\14\ NERC states that the purpose of Reliability 
Standard CIP-012-1 is to help maintain situational awareness and 
reliable bulk electric system operations by protecting the 
confidentiality and integrity of Real-time Assessment and Real-time 
monitoring data transmitted between Control Centers.
---------------------------------------------------------------------------

    \14\ Reliability Standard CIP-012-1 is not attached to this 
final rule. The Reliability Standard is available on the 
Commission's eLibrary document retrieval system in Docket No. 
RM18-20-000 and on the NERC website, www.nerc.com.
---------------------------------------------------------------------------

    9. NERC states that Reliability Standard CIP-012-1 ``requires 
Responsible Entities to develop and implement a plan to address the 
risks posed by unauthorized disclosure (confidentiality) and 
unauthorized modification (integrity) of Real-time Assessment and 
Real-time monitoring data while being transmitted between applicable Control 
Centers.'' \15\ According to NERC, the required plan must include the 
following: (1) Identification of security protections; (2) 
identification of where the protections are applied; and (3) 
identification of the responsibilities of each entity in case a Control 
Center is owned or operated by different responsible entities.\16\
---------------------------------------------------------------------------

    \15\ NERC Petition at 10.
    \16\ Id. at 3.
---------------------------------------------------------------------------

    10. As noted above, the types of data within the scope of 
Reliability Standard CIP-012-1 consist of Real-time Assessment and 
Real-time monitoring data exchanged between Control Centers. NERC 
states that it is critical that this information is accurate since 
responsible entities operate and monitor the bulk electric system based 
on this Real-time information. NERC explains that Reliability Standard 
CIP-012-1 ``excludes other data typically transferred between Control 
Centers, such as Operational Planning Analysis data, that is not used 
by the Reliability Coordinator, Balancing Authority, and Transmission 
Operator in Real-time.'' \17\
---------------------------------------------------------------------------

    \17\ Id. at 12.
---------------------------------------------------------------------------

    11. NERC also indicates that data at rest and oral communications 
fall outside the scope of Reliability Standard CIP-012-1. Regarding 
data at rest, NERC states that the standard drafting team determined 
that since data at rest resides within BES Cyber Systems,\18\ it is 
already protected by the controls mandated by Reliability Standards 
CIP-003-6 through CIP-011-2. According to NERC, oral communications are 
out of scope of Reliability Standard CIP-012-1 ``because operators have 
the ability to terminate the call and initiate a new one via trusted 
means if they suspect a problem with, or compromise of, the 
communication channel.'' \19\ NERC notes that Reliability Standard 
COM-001-3 requires reliability coordinators, balancing authorities, and 
transmission operators to have alternative interpersonal communication 
capability, which could be used if there is a suspected compromise of 
oral communication on one channel.
---------------------------------------------------------------------------

    \18\ BES Cyber System is defined as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' NERC Glossary. The 
acronym BES refers to the bulk electric system.
    \19\ NERC Petition at 14.
---------------------------------------------------------------------------

D. Notice of Proposed Rulemaking

    12. On April 18, 2019, the Commission issued a NOPR proposing to 
approve Reliability Standard CIP-012-1 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest.\20\ The 
NOPR stated that Reliability Standard CIP-012-1 is largely responsive 
to the Commission's directive in Order No. 822 and improves the cyber 
security posture of the bulk electric system by requiring responsible 
entities to protect the confidentiality and integrity of Real-time 
Assessment and Real-time monitoring data transmitted between bulk 
electric system Control Centers, which supports situational awareness 
and reliable bulk electric system operations.
---------------------------------------------------------------------------

    \20\ NOPR, 167 FERC ¶ 61,055 at P 1.
---------------------------------------------------------------------------

    13. While proposing to approve Reliability Standard CIP-012-1, the 
Commission also proposed to direct NERC to develop modifications to the 
CIP Reliability Standards to address potential reliability gaps. First, 
the NOPR stated that Reliability Standard CIP-012-1 does not require 
protections regarding the availability of communication links and data 
communicated between bulk electric system Control Centers as directed 
in Order No. 822. The NOPR explained that the Commission was not 
persuaded by NERC's explanation that certain currently-effective 
Reliability Standards address the issue of availability. Second, the 
NOPR raised a concern that Reliability Standard CIP-012-1 does not 
adequately identify the types of data covered by its requirements, due 
to, among other things, the fact that Real-time monitoring is not 
defined in the proposed Reliability Standard or the NERC Glossary.\21\
---------------------------------------------------------------------------

    \21\ Id. P 16.
---------------------------------------------------------------------------

    14. In response to the NOPR, eight entities submitted comments. A 
list of commenters appears in Appendix A. The discussion below 
addresses the proposals in the NOPR as well as the NOPR comments.

II. Discussion

    15. Pursuant to section 215(d)(2) of the FPA, the Commission 
approves Reliability Standard CIP-012-1 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. Reliability 
Standard CIP-012-1 largely addresses the Commission's directive in 
Order No. 822 because it will enhance existing protections for bulk 
electric system reliability by augmenting the currently-effective CIP 
Reliability Standards to mitigate cyber security risks associated with 
communications between bulk electric system Control Centers. 
Reliability Standard CIP-012-1 achieves this by requiring responsible 
entities to protect the confidentiality and integrity of Real-time 
Assessment and Real-time monitoring data transmitted between bulk 
electric system Control Centers, thereby supporting situational 
awareness and reliable bulk electric system operations.
    16. While the Commission approves Reliability Standard CIP-012-1, 
we also determine that the reliability risks identified in Order No. 
822 will not be fully addressed with the implementation of the 
Reliability Standard. As discussed below, a significant cyber security 
risk associated with the protection of communications links and 
sensitive bulk electric system data communicated between bulk electric 
system Control Centers remains because Reliability Standard CIP-012-1 
does not address the availability of communication links and data 
communicated between bulk electric system Control Centers. To address 
this gap, the Commission directs NERC, pursuant to section 215(d)(5) of 
the FPA, to develop modifications to the CIP Reliability Standards to 
require protections regarding the availability of communication links 
and data communicated between bulk electric system Control Centers.
    17. Below, we discuss the following issues: (A) Availability of 
bulk electric system communication links and data; and (B) scope of 
bulk electric system data that must be protected.

A. Availability of Bulk Electric System Communication Links and Data

1. NOPR
    18. The NOPR stated that Reliability Standard CIP-012-1 does not 
address the availability component of the Commission's directive in 
Order No. 822. The NOPR identified this as a gap because ensuring 
timely and reliable access to and use of data is essential to the 
reliable operation of the bulk electric system. The NOPR indicated that 
the existing Reliability Standards cited in NERC's petition do not 
require responsible entities to protect the availability of sensitive 
bulk electric system data in a manner consistent with Order No. 
822.\22\ In particular, the NOPR stated that the cited Reliability 
Standards either do not apply to communications between individual 
Control Centers or, while their effect may be to support availability, 
the Reliability Standards do not create an obligation to protect 
availability.\23\
---------------------------------------------------------------------------

    \22\ Id. P 24.
    \23\ Id.
---------------------------------------------------------------------------

2. Comments
    19. NERC, Trade Associations, Tri-State and IRC do not support a 
directive that addresses the availability of communication links and 
data communicated between bulk electric system Control Centers. 
Reclamation, Appelbaum, and Liu express support for the directive, 
while Bonneville offers qualified support.
    20. Comments opposing the proposed directive largely reiterate the 
petition's assertion that currently-effective Reliability Standards 
adequately protect the availability of communication links and data 
communicated between bulk electric system Control Centers. For example, 
NERC contends that ``[w]hile IRO-002-5 and TOP-001-4 cover 
infrastructure within Control Centers, not between Control Centers, the 
requirements help protect the availability of data to be exchanged 
between Control Centers . . . [because] the data exchange 
infrastructure in scope of these requirements facilitates sending and 
receiving data between Control Centers.'' \24\ NERC explains that if 
``an applicable entity lost capability of some of this data exchange 
infrastructure, the applicable entity could continue to send and 
receive data between Control Centers because of the redundant data 
exchange infrastructure within its Control Center.'' \25\ In addition, 
NERC states that Reliability Standards IRO-010-2 and TOP-003-3 require 
applicable entities to use a mutually agreeable security protocol 
between Control Centers. NERC explains that this supports availability 
by helping to ensure that conflicting protocols do not impede receipt 
of data between Control Centers.
---------------------------------------------------------------------------

    \24\ NERC Comments at 5.
    \25\ Id.; see also Trade Associations Comments at 6-8, Tri-State 
Comments at 3.
---------------------------------------------------------------------------

    21. NERC also contends that Reliability Standard EOP-008-2 helps 
support the availability of communication links between Control Centers 
by requiring reliability coordinators to have backup Control Center 
facilities, or backup Control Center functionality for balancing 
authorities and transmission operators, in addition to their primary 
Control Centers. NERC explains that ``[t]hese backup facilities supply 
redundancy of some communication links and data exchange infrastructure 
and capabilities at the backup Control Center.'' \26\ NERC further 
explains that entities with geographically diverse primary and backup 
Control Centers may have communication links that are physically 
separate from one another. NERC concludes that although ``geographic 
diversity alone will not always provide redundancy of communication 
links, having backup Control Centers with different paths to 
communicate with other Control Centers helps support availability of 
communication links.'' \27\
---------------------------------------------------------------------------

    \26\ NERC Comments at 7; see also Trade Associations Comments at 
9-10.
    \27\ NERC Comments at 7.
---------------------------------------------------------------------------

    22. In addition, comments opposing the directive maintain that it 
is premature to require protections for the availability of the 
communication links and data at issue. NERC states that it recognizes 
that ``there may be additional controls that could help address'' risks 
to the availability of data and communication links and commits to 
``study the risks to availability of data and communication links 
between Control Centers and the current controls that support 
availability.'' \28\ Trade Associations, similarly, ``encourage[s] the 
Commission to consider directing NERC to study the issue [of 
telecommunications security] to identify specific availability 
vulnerabilities and potential mitigation methods.'' \29\
---------------------------------------------------------------------------

    \28\ Id. at 8-9.
    \29\ Trade Associations Comments at 12.
---------------------------------------------------------------------------

    23. IRC, while not supporting the proposed directive, 
``acknowledges that [the Commission] could require additional actions 
by responsible entities to promote the availability of [bulk electric 
system] communication links to the extent possible through contracts 
with telecommunications providers.'' \30\ IRC recommends a best efforts 
approach similar to how supply chain risks are addressed under 
Reliability Standard CIP-013-1. Specifically, IRC suggests that ``NERC 
could adopt a standard that would require responsible entities, when 
negotiating these service contracts, to take reasonable steps or use 
best efforts to maximize the availability of communication links.'' 
\31\
---------------------------------------------------------------------------

    \30\ IRC Comments at 3 (emphasis in original).
    \31\ Id.
---------------------------------------------------------------------------

    24. Reclamation, in support of the Commission proposal, states that 
the availability of communication networks should encompass links 
between Control Centers owned by the same entity as well as Control 
Centers owned by different entities. Reclamation maintains that the 
requirements for electronic communications should be parallel to the following 
requirements for oral communication contained in Reliability Standard 
COM-001-3: (1) Have electronic communication capability; (2) designate 
alternative electronic communication capability in the event of a 
failure of the primary communication capability; (3) test the alternate 
method of electronic communication; (4) notify the entity on the other 
end of the communication path if a failure is detected; and (5) 
establish mutually agreeable action to restore the electronic 
communication capability.
    25. As an initial matter, Bonneville recommends delaying approval 
of Reliability Standard CIP-012-1 until NERC conducts a pilot project 
to study the most effective way to encrypt data while ensuring the data 
is available to responsible entities. However, if the Commission 
approves the Reliability Standard, Bonneville ``agrees with the 
Commission's proposal to address the availability of communication 
links and data communicated between Control Centers.'' \32\ Bonneville 
explains that maintaining the availability of the communication links 
includes addressing both redundancy and recovery. Therefore, Bonneville 
recommends that, if Reliability Standard CIP-012-1 is approved, ``the 
Commission order NERC to adopt modifications requiring Responsible 
Entities to have incident recovery plans/continuity of operation plans 
addressing planning for recovery time, capability, and capacity.'' \33\ 
Similarly, Appelbaum supports the proposed directive and contends that 
``a requirement for a continuing operations plan for loss of critical 
data resulting from the loss of 
Control Center functionality should be directed.'' \34\
---------------------------------------------------------------------------

    \32\ Bonneville Comments at 5.
    \33\ Id. at 6.
    \34\ Appelbaum Comments at 7.
---------------------------------------------------------------------------

3. Commission Determination
    26. We determine that modifications to the CIP Reliability 
Standards to address the availability of communication links and data 
communicated between bulk electric system Control Centers will enhance 
bulk electric system reliability. As the Commission stated in Order No. 
822, bulk electric system Control Centers ``must be capable of 
receiving and storing a variety of sensitive bulk electric system data 
from interconnected entities.'' \35\ We are not persuaded by the 
contention in the petition and comments that currently-effective 
Reliability Standards adequately address the directive in Order No. 822 
regarding availability. Instead, we determine that the Reliability 
Standards cited by NERC either do not apply to communications between 
Control Centers or do not create an obligation to protect the 
availability of data between Control Centers. Accordingly, the directed 
modifications to the CIP Reliability Standards are not duplicative of 
existing Reliability Standards.
---------------------------------------------------------------------------

    \35\ Order No. 822, 154 FERC ¶ 61,037 at P 54.
---------------------------------------------------------------------------

    27. As the Commission explained in the NOPR, the existing 
Reliability Standards cited by NERC are not responsive to the 
availability directive in Order No. 822.\36\ Reliability Standards 
IRO-002-5 and TOP-001-4 require responsible entities to have redundant and 
diversely routed data exchange infrastructure within the Control Center 
environment, but they do not address communications between individual 
Control Centers, which was the subject of the Commission's directive in 
Order No. 822.\37\ While it is true that the infrastructure associated 
with communications within Control Centers may be useful to data 
exchange between Control Centers, nothing in the cited Reliability 
Standards creates an obligation to maintain data availability between 
Control Centers. Similarly, Reliability Standards IRO-010-2 and 
TOP-003-3 require responsible entities to have mutually agreeable security 
protocols for exchange of Real-time data, which may have the effect of 
contributing to greater availability; however, these requirements do 
not create an obligation, as directed in Order No. 822, to protect the 
availability of those communication capabilities and associated data by 
applying appropriate security controls.
---------------------------------------------------------------------------

    \36\ NOPR, 167 FERC ¶ 61,055 at P 24.
    \37\ NOPR, 167 FERC ¶ 61,055 at P 24; NERC Comments at 5 
(``IRO-002-5 and TOP-001-4 cover infrastructure within Control Centers, not 
between Control Centers'').
---------------------------------------------------------------------------

    28. As the NOPR explained, creating an obligation to protect 
availability, while affording flexibility in terms of what data is 
protected and how, is distinct from relying on currently-effective 
Reliability Standards whose effect may be to support availability.\38\ 
The comments do not offer a new or persuasive reason to alter this 
view. For example, the Trade Associations repeat the line of reasoning 
in the NERC petition by ``encourag[ing] the Commission to focus 
holistically on the broad requirements contained with [the] IRO and TOP 
standards, which focus on the performance requirements necessary to 
support Real-time monitoring and Real-time Assessments.'' \39\ In this 
circumstance, we disagree with that approach because, as the Commission 
observed in Order No. 822, ``NERC and other commenters recognize that 
inter-Control Center communications play a critical role in maintaining 
bulk electric system reliability by, among other things, helping to 
maintain situational awareness and reliable bulk electric system 
operations through timely and accurate communication between Control 
Centers.'' \40\ Thus, the holistic view urged by Trade Associations does 
not address the gap recognized by the Commission in Order No. 822.
---------------------------------------------------------------------------

    \38\ NOPR, 167 FERC ¶ 61,055 at P 24; NERC Comments at 6-7 
(stating that alarms, recovery plans, and the ability to disable 
data encryption also support data availability).
    \39\ Trade Associations Comments at 8.
    \40\ Order No. 822, 154 FERC ¶ 61,037 at P 54.
---------------------------------------------------------------------------

    29. The contention in NERC's comments that Reliability Standard 
EOP-008-2 could also help maintain the availability of communication 
links between bulk electric system Control Centers rests on the same 
reasoning that the ancillary benefits of an existing Reliability 
Standard address the reliability gap identified by the Commission and 
concomitant availability directive in Order No. 822. While we agree 
that a requirement to maintain a backup Control Center arguably 
provides a level of redundancy for a responsible entity's overall 
operations, it does not require redundant and diversely routed 
communication paths between either the primary and backup Control 
Centers or third-party Control Centers.
    30. In addition, we do not agree that it is premature to require 
protections for the availability of the communication links and data 
communicated between bulk electric system Control Centers. While NERC 
and Trade Associations advocate further study of the risks associated 
with availability, we conclude that the risks associated with losing 
the availability of either data or communication links between bulk 
electric system Control Centers are supported by the existing record and 
warrant a directive to modify the CIP Reliability Standards.\41\
---------------------------------------------------------------------------

    \41\ See Appelbaum Comments at 7, Bonneville Comments at 5, IRC 
Comments at 3, Dr. Liu Comments at 1, Reclamation Comments at 1.
---------------------------------------------------------------------------

    31. We address several related issues raised in the comments. 
Commenters raise a concern that directing NERC to address requirements 
for certain aspects of availability, in particular redundancy and 
diverse routing, could have significant impacts on responsible entities 
using third-party telecommunications providers. Specifically, Trade 
Associations notes that responsible entities ``may not have sufficient 
control over the design of these networks to ensure that such 
requirements are met.'' \42\ Without control over these networks, 
commenters suggest that the only options for addressing availability 
would be to construct costly private networks or implement less secure 
internet-based connections.\43\
---------------------------------------------------------------------------

    \42\ Trade Associations Comments at 12.
    \43\ See, e.g., id., Tri-State Comments at 2.
---------------------------------------------------------------------------

    32. We are not persuaded by these arguments. Rather, as IRC 
correctly notes in its discussion of the challenges raised in securing 
third-party telecommunications networks, while the Commission lacks 
jurisdiction over telecommunication service providers that may own and 
operate the communication links between bulk electric system Control 
Centers, the Commission has the authority to require responsible 
entities to take actions to promote the availability of communication 
links through service contracts with network providers.\44\ For 
example, entities could enter into service contracts with 
telecommunication service providers that include an agreed-upon quality 
of service commitment to maintain the availability of the data exchange 
capability to minimize the availability risk. Such arrangements would 
mirror the approach in Reliability Standard CIP-013-1 (Cyber Security--
Supply Chain Risk Management), which also involved non-jurisdictional 
entities.\45\ NERC should likewise consider allowing responsible 
entities to contract with telecommunication service providers to 
minimize the risk of loss of 
availability of communication links and data communicated between bulk 
electric system Control Centers in cases where communications between 
Control Centers are managed by a third party.
---------------------------------------------------------------------------

    \44\ IRC Comments at 3.
    \45\ The currently-approved supply chain risk management 
Reliability Standard exempts communication networks and data links 
between discrete Electronic Security Perimeters. See NERC 
Reliability Standard CIP-013-1, Applicability Section 4.2.3.2.
---------------------------------------------------------------------------

    33. We agree with Reclamation's comment that protections for the 
availability of communication links and data communicated between bulk 
electric system Control Centers should encompass both entity-owned and 
third-party owned Control Centers. The intent of the Commission's 
directive is for NERC to address the risks associated with the 
availability of communication links and data communicated between all 
bulk electric system Control Centers, which will require coordination 
between neighboring responsible entities.
    34. We reject Bonneville's recommendation that the Commission delay 
approval of Reliability Standard CIP-012-1 to allow for a pilot project 
on encryption. The record in this proceeding does not support a delay, 
and Bonneville's request conflicts with the implementation plan 
proposed by NERC.\46\ Moreover, the standard drafting team addressed 
the Commission's finding on this issue in Order No. 822. In Order No. 
822, the Commission stated ``that any lag in communication speed 
resulting from implementation of protections should only be measurable 
on the order of milliseconds and, therefore, will not adversely impact 
Control Center communications . . . [but that] technical issues should 
be considered by the standard drafting team . . . e.g., by making 
certain aspects of the revised CIP Standards eligible for Technical 
Feasibility Exceptions.'' \47\ In response, NERC stated that the 
standard drafting team ``developed an objective-based rather than 
prescriptive requirement . . . [that] will allow Responsible Entities 
flexibility in mitigating the risks posed . . . in a manner suited to 
each of their respective operational environments.'' \48\ Accordingly, 
we determine not to delay approval of Reliability Standard CIP-012-1.
---------------------------------------------------------------------------

    \46\ See NERC Petition at Exhibit B.
    \47\ Order No. 822, 154 FERC ¶ 61,037 at P 62.
    \48\ NERC Petition, Exhibit D (Consideration of Issues and 
Directives) at 7.
---------------------------------------------------------------------------

    35. We agree with Bonneville and Appelbaum that maintaining the 
availability of communication networks and data should include 
provisions for incident recovery and continuity of operations in a 
responsible entity's compliance plan. We recognize that the redundancy 
of communication links cannot always be guaranteed; responsible 
entities should therefore plan for both recovery of compromised 
communication links and use of backup communication capability should 
it be needed for redundancy (i.e., satellite or other alternate backup 
communications).
    36. Accordingly, pursuant to section 215(d)(5) of the FPA, we 
direct that NERC develop modifications to the CIP Reliability Standards 
to require protections regarding the availability of communication 
links and data communicated between bulk electric system Control 
Centers, as discussed above.

B. Scope of Bulk Electric System Data That Must Be Protected

1. NOPR
    37. The NOPR observed that Reliability Standard CIP-012-1 requires 
the protection of Real-time Assessment and Real-time monitoring data. 
The Commission explained that while Real-time Assessment is 
defined in the NERC Glossary, Real-time monitoring data is not defined. 
Accordingly, the NOPR expressed concern that Reliability Standard CIP-
012-1 does not clearly indicate the types of data to be protected. To 
address this, the Commission proposed to direct that NERC develop 
modifications to the CIP Reliability Standards to clearly identify the 
types of data that must be protected, including whether a NERC Glossary 
definition of Real-time monitoring would assist with implementation and 
compliance.
2. Comments
    38. Appelbaum and Reclamation support the development of one or 
more definitions. Specifically, Reclamation recommends that the 
Commission direct NERC to develop definitions for the terms: (1) Real-
time monitoring data; (2) Real-time data; (3) BES Data; (4) Operational 
Data; (5) System Planning Data; (6) availability and (7) Real-time 
monitoring. Appelbaum supports requiring a definition of Real-time 
monitoring given its importance to triggering alarms that system 
operators respond to and because it is an input to automatic dispatch.
    39. NERC and other commenters maintain that a directive is 
unnecessary because the terms Real-time Assessment and Real-time 
monitoring are clear. NERC states that the ``language used in proposed 
Reliability Standard CIP-012-1, `Real-time Assessment and Real-time 
monitoring data,' is sufficient to identify the data as described in 
TOP-003-3 and IRO-010-2.'' \49\ Specifically, NERC explains that since 
the IRO and TOP Reliability Standards are the only currently-effective 
Reliability Standards that use the phrase Real-time monitoring and the 
term Real-time Assessment, ``[c]ompliance with these standards defines 
the data that is used in Real-time monitoring and Real-time 
Assessments.'' \50\ NERC concludes that by ``using this language that 
is only referenced in the IRO and TOP Reliability Standards families, 
proposed CIP-012-1 brings the data identified pursuant to TOP-003-3 and 
IRO-010-2 into scope.'' \51\
---------------------------------------------------------------------------

    \49\ NERC Comments at 10.
    \50\ Id.
    \51\ Id.
---------------------------------------------------------------------------

    40. Trade Associations and IRC concur with NERC that the scope of 
data subject to the requirements of proposed Reliability Standard 
CIP-012-1 is adequately clear. According to Trade Associations, 
responsible entities and NERC understand that the types of data covered 
in CIP-012-1 are the data specified for Real-time Assessment and Real-time 
monitoring under TOP-003 and IRO-010. Similarly, IRC notes that ``all 
responsible entities must already know the universe of data needed for 
Real-time Assessment and Real-time monitoring activities in order to 
comply with NERC Reliability Standards TOP-003-3 and IRO-010-2.'' \52\ 
Regarding the concern raised in the NOPR that the term Real-time 
monitoring is not defined, IRC states that it ``sees no reason that the 
term should be presumed to mean something different from what it means 
in other places where it is used in the NERC Reliability 
Standards.''\53\
---------------------------------------------------------------------------

    \52\ IRC Comments at 4.
    \53\ Id.
---------------------------------------------------------------------------

    41. While Bonneville does not take a position on the NOPR proposal, 
it notes a concern over ``creating a compliance requirement to identify 
how different types of information are protected.'' \54\ Bonneville 
states that, generally, the use of the same data exchange 
infrastructure will result in all data using that infrastructure 
receiving the same protection regardless of data type. Therefore, 
Bonneville avers that, if the Commission directs NERC to define the 
scope of data to be protected, then ``a Responsible Entity should have 
the option to show that all data types are protected at the highest 
level using the same security protocols, without having to identify and 
show how specific types of data are protected.'' \55\
---------------------------------------------------------------------------

    \54\ Reclamation Comments at 6.
    \55\ Id.
---------------------------------------------------------------------------

3. Commission Determination
    42. In view of the comments, we determine not to adopt the NOPR 
proposal to direct modifications to define the scope of data covered by 
Reliability Standard CIP-012-1. NERC, Trade Associations and IRC agree 
that Reliability Standard CIP-012-1 requires the protection of Real-
time Assessment and Real-time monitoring data identified under 
Reliability Standards TOP-003-3 and IRO-010-2. This point is also 
confirmed in the Technical Rationale document for Reliability Standard 
CIP-012-1.\56\ We are persuaded that responsible entities must know the 
types of data needed for Real-time Assessment and Real-time monitoring 
activities in order to comply with Reliability Standards TOP-003-3 and 
IRO-010-2.
---------------------------------------------------------------------------

    \56\ NERC Petition, Exhibit F (Technical Rationale) at 1-2.
---------------------------------------------------------------------------

    43. With this understanding, we are satisfied that the data 
protected under Reliability Standard CIP-012-1 is the same data 
identified under Reliability Standards TOP-003-3 and IRO-010-2. We 
determine that this clarification addresses the concern in the NOPR 
that not defining the types of data that must be protected under 
Reliability Standard CIP-012-1 could result in uneven compliance and 
enforcement. In addition, we agree with Bonneville that responsible 
entities may show that all data types are protected at the highest 
level using the same security protocols, without having to identify and 
show how specific types of data are protected, so long as the security 
protocols are reasonable.

III. Information Collection Statement

    44. The FERC-725B information collection requirements contained in 
this final rule are subject to review by the Office of Management and 
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 
1995.\57\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\58\ Upon approval of a 
collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to the collection of 
information unless the collection of information displays a valid OMB 
control number.
---------------------------------------------------------------------------

    \57\ 44 U.S.C. 3507(d).
    \58\ 5 CFR 1320.
---------------------------------------------------------------------------

    45. The Commission received no comments on the validity of the 
burden and cost estimates in the NOPR. The Commission is updating the 
burden estimates and labor costs contained in the NOPR. The Commission 
in this final rule corrected an error from the NOPR in the row 
``Identification of Security Protection Application (if not owned by 
same Responsible Entity) (Requirement R1.3)'' where the total number of 
hours was understated by 100,000, and all calculations based upon this 
error.
    46. The Commission is submitting these reporting and recordkeeping 
requirements to OMB for its review and approval under section 3507(d) 
of the PRA. Comments are solicited on the Commission's need for this 
information, whether the information will have practical utility, the 
accuracy of the provided burden estimate, ways to enhance the quality, 
utility, and clarity of the information to be collected, and any 
suggested methods for minimizing the respondent's burden, including the 
use of automated information techniques.
    47. The Commission bases its paperwork burden estimates on the 
changes in paperwork burden presented by Reliability Standard CIP-012-
1.
    48. The NERC Compliance Registry, as of December 2019, identifies 
approximately 1,482 unique U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
719 entities will face an increased paperwork burden under proposed 
Reliability Standard CIP-012-1. Based on these assumptions, we estimate 
the following reporting burden:
---------------------------------------------------------------------------

    \59\ We consider the filing of an application to be a 
``response.''
    \60\ The hourly cost for wages plus benefits is based on the 
average of the occupational categories for 2018 found on the Bureau 
of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
    Information Security Analysts (Occupation Code: 15-1122): 
$61.494
    Computer and Mathematical (Occupation Code: 15-0000): $63.54
    Legal (Occupation Code: 23-0000): $142.86
    Computer and Information Systems Managers (Occupation Code: 11-
3021): $98.81.
    These various occupational categories' wage figures are averaged 
as follows: ($61.494/hour + $63.54/hour + $142.86/hour + $98.81/hour) 
/ 4 = $91.70/hour. The resulting wage figure is rounded to $92.00/
hour for use in calculating wage figures in the final rule in Docket 
No. RM18-20-000.
    \61\ This includes the record retention costs for the one-time 
and the on-going reporting documents.

                                        FERC-725B--Modifications Due to the Final Rule in Docket No. RM18-20-000
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                      Number of
                                      Number of    responses \59\   Total number    Avg. burden hrs. & cost per      Total annual burden hours & total
                                     respondents   per respondent   of responses           response \60\                        annual cost
                                              (1)             (2)     (1) x (2) =  (4)..........................  (3) x (4) = 5
                                                                              (3)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Implementation of Documented                  719               1             719  128 hrs.; $11,776............  92,032 hrs.; $8,466,944.
 Plan(s) (Requirement R1) \61\.
Document Identification of                    719               1             719  40 hrs.; $3,680..............  28,560 hrs.; $2,645,920.
 Security Protection (Requirement
 R1.1) \61\.
Identification of Security                    719               1             719  20 hrs.; $1,840..............  14,280 hrs.; $1,322,960.
 Protection Application (if owned
 by same Responsible Entity)
 (Requirement R1.2) \61\.
Identification of Security                    719               1             719  160 hrs.; $14,720............  14,240 hrs.; $10,583,680.
 Protection Application (if not
 owned by same Responsible
 Entity) (Requirement R1.3) \61\.
Maintaining Compliance (ongoing,              719               1             719  83 hrs.; $7,636..............  59,677 hrs.; $5,490,284.
 starting in Year 2).
                                  ----------------------------------------------------------------------------------------------------------------------
    Total (one-time, in Year 1)..  ..............  ..............           2,876  .............................  250,212 hrs.; $23,019,504.
    Total (ongoing, starting in    ..............  ..............             719  .............................  59,677 hrs.; $5,490,284.
     Year 2).
--------------------------------------------------------------------------------------------------------------------------------------------------------


[[Page 8168]]

    49. The one-time burden (in Year 1) for the FERC-725B information 
collection will be averaged over three years:

 250,212 hours / 3 = 83,404 hours/year over Years 1-3
 The number of one-time responses for the FERC-725B information 
collection is also averaged over Years 1-3: 2,876 responses / 3 = 959 
responses/year

    50. The average annual number (for Years 1-3) of responses and 
burden for one-time and ongoing burden will total:

 1,678 responses [959 responses (one-time) + 719 responses 
(ongoing)]
 143,081 burden hours [83,404 hours (one-time) + 59,677 hours 
(ongoing)]

    51. Title: Mandatory Reliability Standards for Critical 
Infrastructure Protection [CIP] Reliability Standards.
    Action: Revisions to FERC-725B information collection.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: One-time and Ongoing.
    Necessity of the Information: This final rule approves the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. As discussed above, the Commission approves 
NERC's proposed Reliability Standard CIP-012-1 pursuant to section 
215(d)(2) of the FPA because it improves upon the currently-effective 
suite of cyber security Reliability Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standard and made a determination that its action is 
necessary to implement section 215 of the FPA.
    52. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen 
Brown, Office of the Executive Director, email: [email protected], 
phone: (202) 502-8663, fax: (202) 273-0873].
    53. Please send comments concerning the collection of information 
and the associated burden estimate to the Commission, and to the Office 
of Management and Budget, Office of Information and Regulatory Affairs, 
725 17th Street NW, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission]. 
For security reasons, comments to OMB should be submitted by email to: 
[email protected]. Comments submitted to OMB should include 
FERC-725B (OMB Control No. 1902-0248).

IV. Environmental Analysis

    54. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\62\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\63\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \62\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \63\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act Analysis

    55. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of proposed and final rules that will have 
significant economic impact on a substantial number of small 
entities.\64\ The Small Business Administration's (SBA) Office of Size 
Standards develops the numerical definition of a small business.\65\ 
The SBA revised its size standard for electric utilities (effective 
January 22, 2014) to a standard based on the number of employees, 
including affiliates (from the prior standard based on megawatt hour 
sales).\66\
---------------------------------------------------------------------------

    \64\ 5 U.S.C. 601-12.
    \65\ 13 CFR 121.101.
    \66\ 13 CFR 121.201, Subsection 221.
---------------------------------------------------------------------------

    56. Reliability Standard CIP-012-1 is expected to impose an 
additional burden on 719 entities \67\ (reliability coordinators [RC], 
generator operators [GOP], generator owners [GO], transmission 
operators [TOP], balancing authorities [BA], and transmission owners 
[TO]).
---------------------------------------------------------------------------

    \67\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. These entities may be included in the SBA categories 
for: Hydroelectric Power Generation, Fossil Fuel Electric Power 
Generation, Nuclear Electric Power Generation, Solar Electric Power 
Generation, Wind Electric Power Generation, Geothermal Electric Power 
Generation, Biomass Electric Power Generation, Other Electric Power 
Generation, or Electric Bulk 
Power Transmission and Control. These categories have thresholds for 
small entities varying from 250-750 employees. For the analysis in 
this final rule, we are using a conservative threshold of 750 
employees.
---------------------------------------------------------------------------

    57. Of the 719 affected entities discussed above, we estimate that 
approximately 82 percent of the affected entities are small entities. 
We estimate that each of the 590 small entities to whom the 
modifications to Reliability Standard CIP-012-1 apply will incur one-
time, non-paperwork cost in Year 1 of approximately $17,051, plus 
paperwork cost in Year 1 of $32,016, giving a total cost in Year 1 of 
$49,067. In Year 2 and Year 3, each entity will incur only the ongoing 
annual paperwork cost of $7,594. We do not consider the estimated costs 
for these 590 small entities to be a significant economic impact.
    58. Accordingly, we certify that Reliability Standard CIP-012-1 
will not have a significant economic impact on a substantial number of 
small entities.

VI. Effective Date and Congressional Notification

    59. This final rule is effective April 13, 2020. The Commission has 
determined, with the concurrence of the Administrator of the Office of 
Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small Business 
Regulatory Enforcement Fairness Act of 1996. This final rule is being 
submitted to the Senate, House, and Government Accountability Office.

VII. Document Availability

    60. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    61. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field.
    62. User assistance is available for eLibrary and the Commission's 
website during normal business hours from the Commission's Online 
Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].


[[Page 8169]]


    By the Commission.

    Issued: January 23, 2020.
Kimberly D. Bose,
Secretary.


    Note:  The following Appendix will not appear in the Code of 
Federal Regulations.


                          Appendix--Commenters
------------------------------------------------------------------------
              Abbreviation                          Commenter
------------------------------------------------------------------------
Appelbaum..............................  Jonathan Appelbaum.
Bonneville.............................  Bonneville Power
                                          Administration.
IRC....................................  ISO/RTO Council.
Dr. Liu................................  Dr. Chen-Ching Liu.
NERC...................................  North American Electric
                                          Reliability Corporation.
Reclamation............................  Bureau of Reclamation.
Trade Associations.....................  American Public Power
                                          Association, Edison Electric
                                          Institute, National Rural
                                          Electric Cooperative
                                          Association.
Tri-State..............................  Tri-State Generation and
                                          Transmission Association, Inc.
------------------------------------------------------------------------

[FR Doc. 2020-02173 Filed 2-12-20; 8:45 am]