Critical Infrastructure Protection Reliability Standard CIP-012-1-Cyber Security-Communications Between Control Centers, 8161-8169 [2020-02173]
Download as PDF
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
impact on a substantial number of small
entities.49 The Small Business
Administration’s (SBA) Office of Size
Standards develops the numerical
definition of a small business.50 The
SBA revised its size standard for electric
utilities (effective January 22, 2014) to a
standard based on the number of
employees, including affiliates (from the
prior standard based on megawatt hour
sales).51
37. Reliability Standard TPL–001–5 is
expected to impose an additional
burden on 214 entities 52 (PCs and TPs).
Of the 214 affected entities discussed
above, we estimate that approximately
10 percent of the affected entities are
small entities. We estimate that each of
the 21 small entities to whom the
proposed modifications to proposed
Reliability Standard TPL–001–5 apply
will incur one-time costs of
approximately $1,980 per entity to
implement the proposed Reliability
Standard. We do not consider the
estimated costs for these 21 small
entities to be a significant economic
impact.
38. Accordingly, the Commission
certifies that this final rule will not have
a significant economic impact on a
substantial number of small entities.
VI. Document Availability
39. In addition to publishing the full
text of this document in the Federal
Register, the Commission provides all
interested persons an opportunity to
view and/or print the contents of this
document via the internet through
FERC’s Home Page (https://
www.ferc.gov) and in FERC’s Public
Reference Room during normal business
hours (8:30 a.m. to 5:00 p.m. Eastern
time) at 888 First Street NE, Room 2A,
Washington, DC 20426.
40. From FERC’s Home Page on the
internet, this information is available on
eLibrary. The full text of this document
is available on eLibrary in PDF and
Microsoft Word format for viewing,
printing, and/or downloading. To access
this document in eLibrary, type the
docket number excluding the last three
digits of this document in the docket
number field.
41. User assistance is available for
eLibrary and the FERC’s website during
normal business hours from FERC
Online Support at (202) 502–6652 (toll
free at 1–866–208–3676) or email at
ferconlinesupport@ferc.gov, or the
Public Reference Room at (202) 502–
8371, TTY (202)502–8659. Email the
Public Reference Room at
public.referenceroom@ferc.gov.
VII. Effective Date and Congressional
Notification
42. These regulations are effective
April 13, 2020. The Commission has
determined, with the concurrence of the
Administrator of the Office of
Information and Regulatory Affairs of
OMB, that this rule is not a ‘‘major rule’’
as defined in section 351 of the Small
Business Regulatory Enforcement
Fairness Act of 1996. The rule will be
provided to the Senate, House,
Government Accountability Office, and
the SBA.
By the Commission.
Issued: January 23, 2020.
Kimberly D. Bose,
Secretary.
Note: The following appendix will not
appear in the Code of Federal Regulations.
Appendix—List of Commenters
Abbreviation
Commenter
AF&PA ............................................
APS .................................................
BPA .................................................
Carder .............................................
MISO ...............................................
NERC ..............................................
Pugh ................................................
Trade Associations .........................
American Forest and Paper Association.
Arizona Public Service Company.
Bonneville Power Administration.
William Carder.
Midcontinent Independent System Operator, Inc.
North American Electric Reliability Corporation.
Theresa Pugh.
American Public Power Association, Edison Electric Institute, Large Public Power Council, National Rural
Electric Cooperative Association.
Tri-State Generation and Transmission Association, Inc.
Tennessee Valley Authority.
Tri-State ..........................................
TVA .................................................
ACTION:
[FR Doc. 2020–02170 Filed 2–12–20; 8:45 am]
Final rule.
BILLING CODE 6717–01–P
The Federal Energy
Regulatory Commission (Commission)
approves Reliability Standard CIP–012–
1 (Cyber Security—Communications
between Control Centers). The North
American Electric Reliability
Corporation (NERC), the Commissioncertified Electric Reliability
Organization, submitted Reliability
Standard CIP–012–1 for Commission
approval in response to a Commission
directive. In addition, the Commission
directs NERC to develop modifications
to the CIP Reliability Standards to
require protections regarding the
availability of communication links and
SUMMARY:
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
18 CFR Part 40
[Docket No. RM18–20–000; ORDER NO. 866]
Critical Infrastructure Protection
Reliability Standard CIP–012–1—Cyber
Security—Communications Between
Control Centers
jbell on DSKJLSW7X2PROD with RULES
8161
Federal Energy Regulatory
Commission.
AGENCY:
48 5
U.S.C. 601–612.
52 Public utilities may fall under one of several
different categories, each with a size threshold
based on the company’s number of employees,
including affiliates, the parent company, and
49 Id.
50 13
51 Id.
CFR 121.101.
121.201.
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
PO 00000
Frm 00031
Fmt 4700
Sfmt 4700
data communicated between bulk
electric system Control Centers.
DATES: This rule will become effective
April 13, 2020.
FOR FURTHER INFORMATION CONTACT:
Vincent Le, (Technical Information),
Office of Electric Reliability, Federal
Energy Regulatory Commission, 888
First Street NE, Washington, DC
20426, (202) 502–6204, vincent.le@
ferc.gov
Kevin Ryan, (Legal Information), Office
of the General Counsel, Federal
Energy Regulatory Commission, 888
First Street NE, Washington, DC
20426, (202) 502–6840, kevin.ryan@
ferc.gov
SUPPLEMENTARY INFORMATION:
subsidiaries. We are using a 500-employee
threshold due to each affected entity falling within
the role of Electric Bulk Power Transmission and
Control (NAISC Code: 221121).
E:\FR\FM\13FER1.SGM
13FER1
8162
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
1. Pursuant to section 215(d)(2) of the
Federal Power Act (FPA),1 the
Commission approves Reliability
Standard CIP–012–1 (Cyber Security—
Communications between Control
Centers). The North American Electric
Reliability Corporation (NERC), the
Commission-certified Electric
Reliability Organization (ERO),
submitted Reliability Standard CIP–
012–1 for Commission approval in
response to a Commission directive in
Order No. 822.2 In Order No. 822, the
Commission directed NERC, pursuant to
section 215(d)(5) of the FPA, to develop
modifications to the Reliability
Standards to require responsible entities
to implement controls to protect, at a
minimum, communications links and
sensitive bulk electric system data
communicated between bulk electric
system Control Centers ‘‘in a manner
that is appropriately tailored to address
the risks posed to the bulk electric
system by the assets being protected
(i.e., high, medium, or low impact).’’ 3
2. Consistent with the directive in
Order No. 822, Reliability Standard
CIP–012–1 improves upon the
currently-effective Critical Infrastructure
Protection (CIP) Reliability Standards to
mitigate cyber security risks associated
with communications between bulk
electric system Control Centers.
Specifically, Reliability Standard CIP–
012–1 supports situational awareness
and reliable bulk electric system
operations by requiring responsible
entities to protect the confidentiality
and integrity of Real-time Assessment 4
and Real-time monitoring data
transmitted between bulk electric
system Control Centers. Accordingly,
the Commission approves Reliability
Standard CIP–012–1 because it is largely
responsive to the Commission’s
directive in Order No. 822 and improves
the cyber security posture of responsible
entities. We also approve the associated
violation risk factors and violation
1 16
U.S.C. 824o(d)(2).
Critical Infrastructure Protection
Reliability Standards, Order No. 822, 154 FERC
¶ 61,037, at P 53, order denying reh’g, Order No.
822–A, 156 FERC ¶ 61,052 (2016).
3 16 U.S.C. 824o(d)(5); Order No. 822, 154 FERC
¶ 61,037 at P 53.
4 The NERC Glossary defines Real-time
Assessment as, ‘‘An evaluation of system conditions
using Real-time data to assess existing (preContingency) and potential (post-Contingency)
operating conditions. The assessment shall reflect
applicable inputs including, but not limited to:
Load, generation output levels, known Protection
System and Special Protection System status or
degradation, Transmission outages, generator
outages, Interchange, Facility Ratings, and
identified phase angle and equipment limitations.
(Real-time Assessment may be provided through
internal systems or through third-party services.)’’
NERC Glossary of Terms Used in NERC Reliability
Standards (July 3, 2018).
jbell on DSKJLSW7X2PROD with RULES
2 Revised
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
severity levels, implementation plan,
and effective date.
3. In addition, pursuant to section
215(d)(5) of the FPA, the Commission
directs NERC to develop modifications
to the CIP Reliability Standards to
require protections regarding the
availability of communication links and
data communicated between bulk
electric system Control Centers. As
discussed in the Notice of Proposed
Rulemaking (NOPR), Reliability
Standard CIP–012–1 does not require
protections regarding the availability of
communication links and data
communicated between bulk electric
system Control Centers, as directed in
Order No. 822.5 In the NOPR, the
Commission indicated that it did not
agree with NERC’s assertion that
currently-effective Reliability Standards
address availability, and we are not
persuaded by NOPR comments raising
the same argument. Instead, pursuant to
section 215(d)(5) of the FPA, we
determine that the absence of a
requirement that specifically pertains to
the availability of communication links
and data communicated between bulk
electric system Control Centers
represents a reliability gap in the CIP
Reliability Standards that should be
addressed by NERC.
4. The Commission, in the NOPR, also
proposed to direct NERC to identify
clearly the types of data that must be
protected under Reliability Standard
CIP–012–1. The NOPR expressed
concern that Reliability Standard CIP–
012–1 does not adequately identify the
types of data covered by its
requirements, due to, among other
things, the fact that the term ‘‘Real-time
monitoring’’ is not defined in the
Reliability Standard or the NERC
Glossary. After considering the NOPR
comments, however, we determine not
to direct the proposed modification
based on the explanation of the types of
data that must be protected set forth in
the NOPR comments.
I. Background
A. Section 215 and Mandatory
Reliability Standards
5. Section 215 of the FPA requires a
Commission-certified ERO to develop
mandatory and enforceable Reliability
Standards, subject to Commission
review and approval. Reliability
Standards may be enforced by the ERO,
subject to Commission oversight, or by
5 See Critical Infrastructure Protection Reliability
Standard CIP–012–1—Cyber Security—
Communication between Control Centers, Notice of
Proposed Rulemaking, 167 FERC ¶ 61,055, at P 54
(2019) (NOPR).
PO 00000
Frm 00032
Fmt 4700
Sfmt 4700
the Commission independently.6
Pursuant to section 215 of the FPA, the
Commission established a process to
select and certify an ERO,7 and
subsequently certified NERC.8
B. Order No. 822
6. In Order No. 822, the Commission
approved seven modified CIP Reliability
Standards and directed NERC to
develop additional modifications to the
CIP Reliability Standards.9 Specifically,
the Commission directed that NERC,
among other things, develop
modifications to the CIP Reliability
Standards to require that responsible
entities implement controls to protect,
at a minimum, communications links
and sensitive bulk electric system data
communicated between bulk electric
system Control Centers ‘‘in a manner
that is appropriately tailored to address
the risks posed to the bulk electric
system by the assets being protected
(i.e., high, medium, or low impact).’’ 10
The Commission observed that NERC,
as well as other commenters in that
proceeding, ‘‘recognize that interControl Center communications play a
critical role in maintaining bulk electric
system reliability by . . . helping to
maintain situational awareness and
support reliable operations through
timely and accurate communication
between Control Centers.’’ 11
7. The Commission explained that
Control Centers associated with
responsible entities, including
reliability coordinators, balancing
authorities, and transmission operators,
must be capable of receiving and storing
a variety of bulk electric system data
from their interconnected entities in
order to adequately perform their
reliability functions. The Commission,
therefore, determined that ‘‘additional
measures to protect both the integrity
and availability of sensitive bulk electric
system data are warranted.’’ 12
The Commission cautioned, however,
that ‘‘not all communication network
components and data pose the same risk
to bulk electric system reliability and
may not require the same level of
6 16
U.S.C. 824o(e).
Concerning Certification of the Electric
Reliability Organization; and Procedures for the
Establishment, Approval, and Enforcement of
Electric Reliability Standards, Order No. 672, 114
FERC ¶ 61,104, order on reh’g, Order No. 672–A,
114 FERC ¶ 61,328 (2006).
8 North American Electric Reliability Corp., 116
FERC ¶ 61,062, order on reh’g and compliance, 117
FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v.
FERC, 564 F.3d 1342 (D.C. Cir. 2009).
9 Order No. 822, 154 FERC ¶ 61,037 at PP 1, 3.
10 Id. P 53.
11 Id. P 54.
12 Id.
7 Rules
E:\FR\FM\13FER1.SGM
13FER1
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
protection.’’ 13 Therefore, the
Commission determined that NERC
should develop controls that reflect the
risk being addressed in a reasonable
manner.
C. NERC Petition and Reliability
Standard CIP–012–1
8. On September 18, 2018, NERC
submitted for Commission approval
proposed Reliability Standard CIP–012–
1 and the associated violation risk
factors and violation severity levels,
implementation plan, and effective
date.14 NERC states that the purpose of
Reliability Standard CIP–012–1 is to
help maintain situational awareness and
reliable bulk electric system operations
by protecting the confidentiality and
integrity of Real-time Assessment and
Real-time monitoring data transmitted
between Control Centers.
9. NERC states that Reliability
Standard CIP–012–1 ‘‘requires
Responsible Entities to develop and
implement a plan to address the risks
posed by unauthorized disclosure
(confidentiality) and unauthorized
modification (integrity) of Real-time
Assessment and Real-time monitoring
data while being transmitted between
applicable Control Centers.’’ 15
According to NERC, the required plan
must include the following: (1)
Identification of security protections; (2)
identification of where the protections
are applied; and (3) identification of the
responsibilities of each entity in case a
Control Center is owned or operated by
different responsible entities.16
10. As noted above, the types of data
within the scope of Reliability Standard
CIP–012–1 consist of Real-time
Assessment and Real-time monitoring
data exchanged between Control
Centers. NERC states that it is critical
that this information is accurate since
responsible entities operate and monitor
the bulk electric system based on this
Real-time information. NERC explains
that Reliability Standard CIP–012–1
‘‘excludes other data typically
transferred between Control Centers,
such as Operational Planning Analysis
data, that is not used by the Reliability
Coordinator, Balancing Authority, and
Transmission Operator in Real-time.’’ 17
11. NERC also indicates that data at
rest and oral communications fall
outside the scope of Reliability Standard
jbell on DSKJLSW7X2PROD with RULES
13 Id.
P 56.
Standard CIP–012–1 is not attached
to this final rule. The Reliability Standard is
available on the Commission’s eLibrary document
retrieval system in Docket No. RM18–20–000 and
on the NERC website, www.nerc.com.
15 NERC Petition at 10.
16 Id. at 3.
17 Id. at 12.
CIP–012–1. Regarding data at rest, NERC
states that the standard drafting team
determined that since data at rest
resides within BES Cyber Systems,18 it
is already protected by the controls
mandated by Reliability Standards CIP–
003–6 through CIP–011–2. According to
NERC, oral communications are out of
scope of Reliability Standard CIP–012–
1 ‘‘because operators have the ability to
terminate the call and initiate a new one
via trusted means if they suspect a
problem with, or compromise of, the
communication channel.’’ 19 NERC
notes that Reliability Standard COM–
001–3 requires reliability coordinators,
balancing authorities, and transmission
operators to have alternative
interpersonal communication
capability, which could be used if there
is a suspected compromise of oral
communication on one channel.
D. Notice of Proposed Rulemaking
12. On April 18, 2019, the
Commission issued a NOPR proposing
to approve Reliability Standard CIP–
012–1 as just, reasonable, not unduly
discriminatory or preferential, and in
the public interest.20 The NOPR stated
that Reliability Standard CIP–012–1 is
largely responsive to the Commission’s
directive in Order No. 822 and improves
the cyber security posture of the bulk
electric system by requiring responsible
entities to protect the confidentiality
and integrity of Real-time Assessment
and Real-time monitoring data
transmitted between bulk electric
system Control Centers, which supports
situational awareness and reliable bulk
electric system operations.
13. While proposing to approve
Reliability Standard CIP–012–1, the
Commission also proposed to direct
NERC to develop modifications to the
CIP Reliability Standards to address
potential reliability gaps. First, the
NOPR stated that Reliability Standard
CIP–012–1 does not require protections
regarding the availability of
communication links and data
communicated between bulk electric
system Control Centers as directed in
Order No. 822. The NOPR explained
that the Commission was not persuaded
by NERC’s explanation that certain
currently-effective Reliability Standards
address the issue of availability. Second,
the NOPR raised a concern that
Reliability Standard CIP–012–1 does not
adequately identify the types of data
14 Reliability
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
18 BES Cyber System is defined as ‘‘[o]ne or more
BES Cyber Assets logically grouped by a
responsible entity to perform one or more reliability
tasks for a functional entity.’’ NERC Glossary. The
acronym BES refers to the bulk electric system.
19 NERC Petition at 14.
20 NOPR, 167 FERC ¶ 61,055 at P 1.
PO 00000
Frm 00033
Fmt 4700
Sfmt 4700
8163
covered by its requirements, due to,
among other things, the fact that Realtime monitoring is not defined in the
proposed Reliability Standard or the
NERC Glossary.21
14. In response to the NOPR, eight
entities submitted comments. A list of
commenters appears in Appendix A.
The discussion below addresses the
proposals in the NOPR as well as the
NOPR comments.
II. Discussion
15. Pursuant to section 215(d)(2) of
the FPA, the Commission approves
Reliability Standard CIP–012–1 as just,
reasonable, not unduly discriminatory
or preferential, and in the public
interest. Reliability Standard CIP–012–1
largely addresses the Commission’s
directive in Order No. 822 because it
will enhance existing protections for
bulk electric system reliability by
augmenting the currently-effective CIP
Reliability Standards to mitigate cyber
security risks associated with
communications between bulk electric
system Control Centers. Reliability
Standard CIP–012–1 achieves this by
requiring responsible entities to protect
the confidentiality and integrity of Realtime Assessment and Real-time
monitoring data transmitted between
bulk electric system Control Centers,
thereby supporting situational
awareness and reliable bulk electric
system operations.
16. While the Commission approves
Reliability Standard CIP–012–1, we also
determine that the reliability risks
identified in Order No. 822 will not be
fully addressed with the
implementation of the Reliability
Standard. As discussed below, a
significant cyber security risk associated
with the protection of communications
links and sensitive bulk electric system
data communicated between bulk
electric system Control Centers remains
because Reliability Standard CIP–012–1
does not address the availability of
communication links and data
communicated between bulk electric
system Control Centers. To address this
gap, the Commission directs NERC,
pursuant to section 215(d)(5) of the
FPA, to develop modifications to the
CIP Reliability Standards to require
protections regarding the availability of
communication links and data
communicated between bulk electric
system Control Centers.
17. Below, we discuss the following
issues: (A) Availability of bulk electric
system communication links and data;
and (B) scope of bulk electric system
data that must be protected.
21 Id.
E:\FR\FM\13FER1.SGM
P 16.
13FER1
8164
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
A. Availability of Bulk Electric System
Communication Links and Data
1. NOPR
18. The NOPR stated that Reliability
Standard CIP–012–1 does not address
the availability component of the
Commission’s directive in Order No.
822. The NOPR identified this as a gap
because ensuring timely and reliable
access to and use of data is essential to
the reliable operation of the bulk
electric system. The NOPR indicated
that the existing Reliability Standards
cited in NERC’s petition do not require
responsible entities to protect the
availability of sensitive bulk electric
system data in a manner consistent with
Order No. 822.22 In particular, the
NOPR stated that the cited Reliability
Standards either do not apply to
communications between individual
Control Centers or, while their effect
may be to support availability, the
Reliability Standards do not create an
obligation to protect availability.23
jbell on DSKJLSW7X2PROD with RULES
2. Comments
19. NERC, Trade Associations, TriState and IRC do not support a directive
that addresses the availability of
communication links and data
communicated between bulk electric
system Control Centers. Reclamation,
Appelbaum, and Liu express support for
the directive, while Bonneville offers
qualified support.
20. Comments opposing the proposed
directive largely reiterate the petition’s
assertion that currently-effective
Reliability Standards adequately protect
the availability of communication links
and data communicated between bulk
electric system Control Centers. For
example, NERC contends that ‘‘[w]hile
IRO–002–5 and TOP–001–4 cover
infrastructure within Control Centers,
not between Control Centers, the
requirements help protect the
availability of data to be exchanged
between Control Centers . . . [because]
the data exchange infrastructure in
scope of these requirements facilitates
sending and receiving data between
Control Centers.’’ 24 NERC explains that
if ‘‘an applicable entity lost capability of
some of this data exchange
infrastructure, the applicable entity
could continue to send and receive data
between Control Centers because of the
redundant data exchange infrastructure
within its Control Center.25 In addition,
NERC states that Reliability Standards
22 Id.
P 24.
23 Id.
24 NERC
Comments at 5.
25 Id.; see also Trade Associations Comments at
6–8, Tri-state Comments at 3.
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
IRO–010–2 and TOP–003–3 require
applicable entities to use a mutually
agreeable security protocol between
Control Centers. NERC explains that this
supports availability by helping to
ensure that conflicting protocols do not
impede receipt of data between Control
Centers.
21. NERC also contends that
Reliability Standard EOP–008–2 helps
support the availability of
communication links between Control
Centers by requiring reliability
coordinators to have backup Control
Center facilities, or backup Control
Center functionality for balancing
authorities and transmission operators,
in addition to their primary Control
Centers. NERC explains that ‘‘[t]hese
backup facilities supply redundancy of
some communication links and data
exchange infrastructure and capabilities
at the backup Control Center.’’ 26 NERC
further explains that entities with
geographically diverse primary and
backup Control Centers may have
communication links that are physically
separate from one another. NERC
concludes that although ‘‘geographic
diversity alone will not always provide
redundancy of communication links,
having backup Control Centers with
different paths to communicate with
other Control Centers helps support
availability of communication links.’’ 27
22. In addition, comments opposing
the directive maintain that it is
premature to require protections for the
availability of the communication links
and data at issue. NERC states that it
recognizes that ‘‘there may be additional
controls that could help address’’ risks
to the availability of data and
communication links and commits to
‘‘study the risks to availability of data
and communication links between
Control Centers and the current controls
that support availability.’’ 28 Trade
Associations, similarly, ‘‘encourage[s]
the Commission to consider directing
NERC to study the issue [of
telecommunications security] to identify
specific availability vulnerabilities and
potential mitigation methods.’’ 29
23. IRC, while not supporting the
proposed directive, ‘‘acknowledges that
[the Commission] could require
additional actions by responsible
entities to promote the availability of
[bulk electric system] communication
links to the extent possible through
contracts with telecommunications
26 NERC Comments at 7; see also Trade
Associations Comments at 9–10.
27 NERC Comments at 7.
28 Id. at 8–9.
29 Trade Associations Comments at 12.
PO 00000
Frm 00034
Fmt 4700
Sfmt 4700
providers.’’ 30 IRC recommends a best
efforts approach similar to how supply
chain risks are addressed under
Reliability Standard CIP–013–1.
Specifically, IRC suggests that ‘‘NERC
could adopt a standard that would
require responsible entities, when
negotiating these service contacts, to
take reasonable steps or use best efforts
to maximize the availability of
communication links.’’ 31
24. Reclamation, in support of the
Commission proposal, states that the
availability of communication networks
should encompass links between
Control Centers owned by the same
entity as well as Control Centers owned
by different entities. Reclamation
maintains that the requirements for
electronic communications be parallel
to the following requirements for oral
communication contained in Reliability
Standard COM–001–3: (1) Have
electronic communication capability; (2)
designate alternative electronic
communication capability in the event
of a failure of the primary
communication capability; (3) test the
alternate method of electronic
communication; (4) notify the entity on
the other end of the communication
path if a failure is detected; and (5)
establish mutually agreeable action to
restore the electronic communication
capability.
25. As an initial matter, Bonneville
recommends delaying approval of
Reliability Standard CIP–012–1 until
NERC conducts a pilot project to study
the most effective way to encrypt data
while ensuring the data is available to
responsible entities. However, if the
Commission approves the Reliability
Standard, Bonneville ‘‘agrees with the
Commission’s proposal to address the
availability of communication links and
data communicated between Control
Centers.’’ 32 Bonneville explains that
maintaining the availability of the
communication links includes
addressing both redundancy and
recovery. Therefore, Bonneville
recommends that, if Reliability Standard
CIP–012–1 is approved, ‘‘the
Commission order NERC to adopt
modifications requiring Responsible
Entities to have incident recovery plans/
continuity of operation plans addressing
planning for recovery time, capability,
and capacity.’’ 33 Similarly, Appelbaum
supports the proposed directive and
contends that ‘‘a requirement for a
continuing operations plan for loss of
critical data resulting for the loss of
30 IRC
Comments at 3 (emphasis in original).
31 Id.
32 Bonneville
33 Id.
E:\FR\FM\13FER1.SGM
at 6.
13FER1
Comments at 5.
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
Control Center functionality should be
directed.’’ 34
jbell on DSKJLSW7X2PROD with RULES
3. Commission Determination
26. We determine that modifications
to the CIP Reliability Standards to
address the availability of
communication links and data
communicated between bulk electric
system control centers will enhance
bulk electric system reliability. As the
Commission stated in Order No. 822,
bulk electric system Control Centers
‘‘must be capable of receiving and
storing a variety of sensitive bulk
electric system data from interconnected
entities.’’ 35 We are not persuaded by the
contention in the petition and
comments that currently-effective
Reliability Standards adequately
address the directive in Order No. 822
regarding availability. Instead, we
determine that the Reliability Standards
cited by NERC either do not apply to
communications between Control
Centers or do not create an obligation to
protect the availability of data between
Control Centers. Accordingly, the
directed modifications to the CIP
Reliability Standards are not duplicative
of existing Reliability Standards.
27. As the Commission explained in
the NOPR, the existing Reliability
Standards cited by NERC are not
responsive to the availability directive
in Order No. 822.36 Reliability
Standards IRO–002–5 and TOP–001–4
require responsible entities to have
redundant and diversely routed data
exchange infrastructure within the
Control Center environment, but they do
not address communications between
individual Control Centers, which was
the subject of the Commission’s
directive in Order No. 822.37 While it is
true that the infrastructure associated
with communications within Control
Centers may be useful to data exchange
between Control Centers, nothing in the
cited Reliability Standards creates an
obligation to maintain data availability
between Control Centers. Similarly,
Reliability Standards IRO–010–2 and
TOP–003–3 require responsible entities
to have mutually agreeable security
protocols for exchange of Real-time
data, which may have the effect of
contributing to greater availability;
however, these requirements do not
create an obligation, as directed in
Order No. 822, to protect the availability
of those communication capabilities and
Comments at 7.
No. 822, 154 FERC ¶ 61,037 at P 54.
36 NOPR, 167 FERC ¶ 61,055 at P 24.
37 NOPR, 167 FERC ¶ 61,055 at P 24; NERC
Comments at 5 (‘‘IRO–002–5 and TOP–011–4 cover
infrastructure within Control Centers, not between
Control Centers’’).
associated data by applying appropriate
security controls.
28. As the NOPR explained, creating
an obligation to protect availability,
while affording flexibility in terms of
what data is protected and how, is
distinct from relying on currentlyeffective Reliability Standards whose
effect may be to support availability.38
The comments do not offer a new or
persuasive reason to alter this view. For
example, the Trade Associations repeat
the line of reasoning in the NERC
petition by ‘‘encourag[ing] the
Commission to focus holistically on the
broad requirements contained with [the]
IRO and TOP standards, which focus on
the performance requirements necessary
to support Real-time monitoring and
Real-time Assessments.’’ 39 In this
circumstance, we disagree with that
approach because, as the Commission
observed in Order No. 822, ‘‘NERC and
other commenters recognize that interControl Center communications play a
critical role in maintaining bulk electric
system reliability by, among other
things, helping to maintain situational
awareness and reliable bulk electric
system operations through timely and
accurate communication between
Control Center.’’ 40 Thus, the holistic
view urged by Trade Associations does
not address the gap recognized by the
Commission in Order No. 822.
29. The contention in NERC’s
comments that Reliability Standard
EOP–008–2 could also help maintain
the availability of communication links
between bulk electric system Control
Centers, rests on the same reasoning that
the ancillary benefits of an existing
Reliability Standard addresses the
reliability gap identified by the
Commission and concomitant
availability directive in Order No. 822.
While we agree that a requirement to
maintain a backup Control Center
arguably provides a level of redundancy
for a responsible entity’s overall
operations, it does not require
redundant and diversely routed
communication paths between either
the primary and backup Control Centers
or third-party Control Centers.
30. In addition, we do not agree that
it is premature to require protections for
the availability of the communication
links and data communicated between
bulk electric system Control Centers.
While NERC and Trade Associations
advocate further study of the risks
associated with availability, we
34 Appelbaum
35 Order
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
38 NOPR, 167 FERC ¶ 61,055 at P 24; NERC
Comments at 6–7 (stating that alarms, recovery
plans, and the ability to disable data encryption
also support data availability).
39 Trade Associations Comments at 8.
40 Order No. 822, 154 FERC ¶ 61,037 at P 54.
PO 00000
Frm 00035
Fmt 4700
Sfmt 4700
8165
conclude that the risks associated with
losing the availability of either data or
communication links between bulk
electric system Control Centers is
supported by the existing record and
warrants a directive to modify the CIP
Reliability Standards.41
31. We address several related issues
raised in the comments. Commenters
raise a concern that directing NERC to
address requirements for certain aspects
of availability, in particular redundancy
and diverse routing, could have
significant impacts on responsible
entities using third-party
telecommunications providers.
Specifically, Trade Associations notes
that responsible entities ‘‘may not have
sufficient control over the design of
these networks to ensure that such
requirements are met.’’ 42 Without
control over these networks,
commenters suggest that the only
options for addressing availability
would be to construct costly private
networks or implement less secure
internet-based connections.43
32. We are not persuaded by these
arguments. Rather, as IRC correctly
notes in its discussion of the challenges
raised in securing third-party
telecommunications networks, while
the Commission lacks jurisdiction over
telecommunication service providers
that may own and operate the
communication links between bulk
electric system Control Centers, the
Commission has the authority to require
responsible entities to take actions to
promote the availability of
communication links through service
contracts with network providers.44 For
example, entities could enter into
service contracts with
telecommunication service providers
that include an agreed-upon quality of
service commitment to maintain the
availability of the data exchange
capability to minimize the availability
risk. Such arrangements would mirror
the approach in Reliability Standard
CIP–013–1 (Cyber Security—Supply
Chain Risk Management), which also
involved non-jurisdictional entities.45
NERC should likewise consider
allowing responsible entities to contract
with telecommunication service
providers to minimize the risk of loss of
41 See Appelbaum Comments at 7, Bonneville
Comments at 5, IRC Comments at 3, Dr. Liu
Comments at 1, Reclamation Comments at 1.
42 Trade Associations Comments at 12.
43 See, e.g., id., Tri-State Comments at 2.
44 IRC Comments at 3.
45 The currently-approved supply chain risk
management Reliability Standard exempts
communication networks and data links between
discrete Electronic Security Perimeters. See NERC
Reliability Standard CIP–013–1, Applicability
Section 4.2.3.2.
E:\FR\FM\13FER1.SGM
13FER1
jbell on DSKJLSW7X2PROD with RULES
8166
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
availability of communication links and
data communicated between bulk
electric system Control Centers in cases
where communications between Control
Centers are managed by a third party.
33. We agree with Reclamation’s
comment that protections for the
availability of communication links and
data communicated between bulk
electric system Control Centers should
encompass both entity-owned and thirdparty owned Control Centers. The intent
of the Commission’s directive is for
NERC to address the risks associated
with the availability of communication
links and data communicated between
all bulk electric system Control Centers,
which will require coordination
between neighboring responsible
entities.
34. We reject Bonneville’s
recommendation that the Commission
delay approval of Reliability Standard
CIP–012–1 to allow for a pilot project on
encryption. The record in this
proceeding does not support a delay,
and Bonneville’s request conflicts with
the implementation plan proposed by
NERC.46 Moreover, the standard
drafting team addressed the
Commission’s finding on this issue in
Order No. 822. In Order No. 822, the
Commission stated ‘‘that any lag in
communication speed resulting from
implementation of protections should
only be measurable on the order of
milliseconds and, therefore, will not
adversely impact Control Center
communications . . . [but that]
technical issues should be considered
by the standard drafting team . . . e.g.,
by making certain aspects of the revised
CIP Standards eligible for Technical
Feasibility Exceptions.’’ 47 In response,
NERC stated that the standard drafting
team ‘‘developed an objective-based
rather than prescriptive requirement
. . . [that] will allow Responsible
Entities flexibility in mitigating the risks
posed . . . in a manner suited to each
of their respective operational
environments.’’ 48 Accordingly, we
determine not to delay approval of
Reliability Standard CIP–012–1.
35. We agree with Bonneville and
Appelbaum that maintaining the
availability of communication networks
and data should include provisions for
incident recovery and continuity of
operations in a responsible entity’s
compliance plan. We recognize that the
redundancy of communication links
cannot always be guaranteed;
responsible entities should therefore
46 See
NERC Petition at Exhibit B.
47 Order No. 822, 154 FERC ¶ 61,037 at P 62.
48 NERC Petition, Exhibit D (Consideration of
Issues and Directives) at 7.
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
plan for both recovery of compromised
communication links and use of backup
communication capability should it be
needed for redundancy (i.e., satellite or
other alternate backup
communications).
36. Accordingly, pursuant to section
215(d)(5) of the FPA, we direct that
NERC develop modifications to the CIP
Reliability Standards to require
protections regarding the availability of
communication links and data
communicated between bulk electric
system Control Centers, as discussed
above.
B. Scope of Bulk Electric System Data
That Must Be Protected
1. NOPR
37. The NOPR observed that
Reliability Standard CIP–012–1 requires
the protection of Real-time Assessment
and Real-time monitoring data. The
Commission explained that that while
Real-time Assessment is defined in the
NERC Glossary, Real-time monitoring
data is not defined. Accordingly, the
NOPR expressed concern that
Reliability Standard CIP–012–1 does not
clearly indicate the types of data to be
protected. To address this, the
Commission proposed to direct that
NERC develop modifications to the CIP
Reliability Standards to clearly identify
the types of data that must be protected,
including whether a NERC Glossary
definition of Real-time monitoring
would assist with implementation and
compliance.
2. Comments
38. Appelbaum and Reclamation
support the development of one or more
definitions. Specifically, Reclamation
recommends that the Commission direct
NERC to develop definitions for the
terms: (1) Real-time monitoring data; (2)
Real-time data; (3) BES Data; (4)
Operational Data; (5) System Planning
Data; (6) availability and (7) Real-time
monitoring. Appelbaum supports
requiring a definition of Real-time
monitoring given its importance to
triggering alarms that system operators
respond to and because it is an input to
automatic dispatch.
39. NERC and other commenters
maintain that a directive is unnecessary
because the terms Real-time Assessment
and Real-time monitoring are clear.
NERC states that the ‘‘language used in
proposed Reliability Standard CIP–012–
1, ‘Real-time Assessment and Real-time
monitoring data,’ is sufficient to identify
the data as described in TOP–003–3 and
IRO–010–2.’’ 49 Specifically, NERC
explains that since the IRO and TOP
Reliability Standards are the only
currently-effective Reliability Standards
that use the phrase Real-time
monitoring and the term Real-time
Assessment, ‘‘[c]ompliance with these
standards defines the data that is used
in Real-time monitoring and Real-time
Assessments.’’ 50 NERC concludes that
by ‘‘using this language that is only
referenced in the IRO and TOP
Reliability Standards families, proposed
CIP–012–1 brings the data identified
pursuant to TOP–003–3 and IRO–010–2
into scope.’’ 51
40. Trade Associations and IRC
concur with NERC that the scope of data
subject to the requirements of proposed
Reliability Standard CIP–012–1 is
adequately clear. According to Trade
Associations, responsible Entities and
NERC understand that the types of data
covered in CIP–012–1 is the data
specified for Real-time Assessment and
Real-time monitoring under TOP–003
and IRO–010. Similarly, IRC notes that
‘‘all responsible entities must already
know the universe of data needed for
Real-time Assessment and Real-time
monitoring activities in order to comply
with NERC Reliability Standards TOP–
003–3 and IRO–010–2.’’ 52 Regarding the
concern raised in the NOPR that the
term Real-time monitoring is not
defined, IRC states that it ‘‘sees no
reason that the term should be
presumed to mean something different
from what it means in other places
where it is used in the NERC Reliability
Standards.’’53
41. While Bonneville does not take a
position on the NOPR proposal, it notes
a concern over ‘‘creating a compliance
requirement to identify how different
types of information are protected.’’ 54
Bonneville states that, generally, the use
of the same data exchange infrastructure
will result in all data using that
infrastructure receiving the same
protection regardless of data type.
Therefore, Bonneville avers that, if the
Commission directs NERC to define the
scope of data to be protected, then ‘‘a
Responsible Entity should have the
option to show that all data types are
protected at the highest level using the
same security protocols, without having
to identify and show how specific types
of data are protected.’’ 55
3. Commission Determination
42. In view of the comments, we
determine not to adopt the NOPR
50 Id.
51 Id.
52 IRC
Comments at 4.
53 Id.
54 Reclamation
49 NERC
PO 00000
Comments at 10.
Frm 00036
Fmt 4700
55 Id.
Sfmt 4700
E:\FR\FM\13FER1.SGM
13FER1
Comments at 6.
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
proposal to direct modifications to
define the scope of data covered by
Reliability Standard CIP–012–1. NERC,
Trade Associations and IRC agree that
Reliability Standard CIP–012–1 requires
the protection of Real-time Assessment
and Real-time monitoring data
identified under Reliability Standards
TOP–003–3 and IRO–010–2. This point
is also confirmed in the Technical
Rationale document for Reliability
Standard CIP–012–1.56 We are
persuaded that responsible entities must
know the types of data needed for Realtime Assessment and Real-time
monitoring activities in order to comply
with Reliability Standards TOP–003–3
and IRO–010–2.
43. With this understanding, we are
satisfied that the data protected under
Reliability Standard CIP–012–1 is the
same data identified under Reliability
Standards TOP–003–3 and IRO–010–2.
We determine that this clarification
addresses the concern in the NOPR that
not defining the types of data that must
be protected under Reliability Standard
CIP–012–1 could result in uneven
compliance and enforcement. In
addition, we agree with Bonneville that
responsible entities may show that all
data types are protected at the highest
level using the same security protocols,
without having to identify and show
how specific types of data are protected,
so long as the security protocols are
reasonable.
III. Information Collection Statement
44. The FERC–725B information
collection requirements contained in
this final rule are subject to review by
the Office of Management and Budget
(OMB) under section 3507(d) of the
Paperwork Reduction Act of 1995.57
OMB’s regulations require approval of
certain information collection
requirements imposed by agency
rules.58 Upon approval of a collection of
information, OMB will assign an OMB
control number and expiration date.
Respondents subject to the filing
requirements of this rule will not be
penalized for failing to respond to the
collection of information unless the
collection of information displays a
valid OMB control number.
45. The Commission received no
comments on the validity of the burden
and cost estimates in the NOPR. The
Commission is updating the burden
estimates and labor costs contained in
the NOPR. The Commission in this final
rule corrected an error from the NOPR
in the row ‘‘Identification of Security
Protection Application (if not owned by
same Responsible Entity) (Requirement
8167
R1.3)’’ where the total number of hours
was understated by 100,000, and all
calculations based upon this error.
46. The Commission is submitting
these reporting and recordkeeping
requirements to OMB for its review and
approval under section 3507(d) of the
PRA. Comments are solicited on the
Commission’s need for this information,
whether the information will have
practical utility, the accuracy of the
provided burden estimate, ways to
enhance the quality, utility, and clarity
of the information to be collected, and
any suggested methods for minimizing
the respondent’s burden, including the
use of automated information
techniques.
47. The Commission bases its
paperwork burden estimates on the
changes in paperwork burden presented
by Reliability Standard CIP–012–1.
48. The NERC Compliance Registry,
as of December 2019, identifies
approximately 1,482 unique U.S.
entities that are subject to mandatory
compliance with Reliability Standards.
Of this total, we estimate that 719
entities will face an increased
paperwork burden under proposed
Reliability Standard CIP–012–1. Based
on these assumptions, we estimate the
following reporting burden:
FERC–725B—MODIFICATIONS DUE TO THE FINAL RULE IN DOCKET NO. RM18–20–000
Number of
respondents
Number of
responses 59
per
respondent
Total number
of responses
Avg. burden hrs. &
cost per
response 60
Total annual burden hours
& total annual cost
(1)
(2)
(1) × (2) = (3)
(4)
(3) × (4) = 5
Implementation of Documented Plan(s)
(Requirement R1) 61.
Document Identification of Security Protection (Requirement R1.1) 61.
Identification of Security Protection Application (if owned by same Responsible Entity) (Requirement R1.2) 61.
Identification of Security Protection Application (if not owned by same Responsible
Entity)
(Requirement
R1.3) 61.
Maintaining Compliance (ongoing, starting in Year 2).
jbell on DSKJLSW7X2PROD with RULES
Total (one-time, in Year 1) ..............
Total (ongoing, starting in Year 2) ..
719
1
719
128 hrs.; $11,776 ..
92,032 hrs.; $8,466,944.
719
1
719
40 hrs.; $3,680 ......
28,560 hrs.; $2,645,920.
719
1
719
20 hrs.; $1,840 ......
14,280 hrs.; $1,322,960.
719
1
719
160 hrs.; $14,720 ..
14,240 hrs.; $10,583,680.
719
1
719
83 hrs.; $7,636 ......
59,677 hrs.; $5,490,284.
........................
........................
........................
........................
2,876
719
................................
................................
250,212 hrs.; $23,019,504.
59,677 hrs.; $5,490,284.
56 NERC Petition, Exhibit F (Technical Rationale)
at 1–2.
57 44 U.S.C. 3507(d).
58 5 CFR 1320.
59 We consider the filing of an application to be
a ‘‘response.’’
60 The hourly cost for wages plus benefits is based
on the average of the occupational categories for
2018 found on the Bureau of Labor Statistics
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
website (https://www.bls.gov/oes/current/naics2_
22.htm):
Information Security Analysts (Occupation Code:
15–1122): $61.494
Computer and Mathematical (Occupation Code:
15–0000): $63.54
Legal (Occupation Code: 23–0000): $142.86
Computer and Information Systems Managers
(Occupation Code: 11–3021): $98.81.
PO 00000
Frm 00037
Fmt 4700
Sfmt 4700
These various occupational categories’ wage
figures are averaged as follows: $61.494/hour +
$63.54/hour + $142.86/hour + $98.81/hour) ÷ 4 =
$91.70/hour. The resulting wage figure is rounded
to $92.00/hour for use in calculating wage figures
in the final rule in Docket No. RM18–20–000.
61 This includes the record retention costs for the
one-time and the on-going reporting documents.
E:\FR\FM\13FER1.SGM
13FER1
jbell on DSKJLSW7X2PROD with RULES
8168
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
49. The one-time burden (in Year 1)
for the FERC–725B information
collection will be averaged over three
years:
• 250,212 hours ÷ 3 = 83,404 hours/year
over Years 1–3
• The number of one-time responses for
the FERC–725B information
collection is also averaged over Years
1–3: 2,876 responses ÷ 3 = 959
responses/year
50. The average annual number (for
Years 1–3) of responses and burden for
one-time and ongoing burden will total:
• 1,678 responses [959 responses (onetime) + 719 responses (ongoing)]
• 143,081 burden hours [83,404 hours
(one-time) + 59,677 hours (ongoing)]
hours (ongoing)]
51. Title: Mandatory Reliability
Standards for Critical Infrastructure
Protection [CIP] Reliability Standards.
Action: Revisions to FERC–725B
information collection.
OMB Control No.: 1902–0248.
Respondents: Businesses or other forprofit institutions; not-for-profit
institutions.
Frequency of Responses: One-time
and Ongoing.
Necessity of the Information: This
final rule approves the requested
modifications to Reliability Standards
pertaining to critical infrastructure
protection. As discussed above, the
Commission approves NERC’s proposed
Reliability Standard CIP–012–1
pursuant to section 215(d)(2) of the FPA
because they improve upon the
currently-effective suite of cyber
security Reliability Standards.
Internal Review: The Commission has
reviewed the proposed Reliability
Standard and made a determination that
its action is necessary to implement
section 215 of the FPA.
52. Interested persons may obtain
information on the reporting
requirements by contacting the
following: Federal Energy Regulatory
Commission, 888 First Street NE,
Washington, DC 20426 [Attention: Ellen
Brown, Office of the Executive Director,
email: DataClearance@ferc.gov, phone:
(202) 502–8663, fax: (202) 273–0873].
53. Please send comments concerning
the collection of information and the
associated burden estimate to the
Commission, and to the Office of
Management and Budget, Office of
Information and Regulatory Affairs, 725
17th Street NW, Washington, DC 20503,
Washington, DC 20503 [Attention: Desk
Officer for the Federal Energy
Regulatory Commission]. For security
reasons, comments to OMB should be
submitted by email to: oira_
submission@omb.eop.gov. Comments
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
submitted to OMB should include
FERC–725B (OMB Control No. 1902–
0248).
IV. Environmental Analysis
54. The Commission is required to
prepare an Environmental Assessment
or an Environmental Impact Statement
for any action that may have a
significant adverse effect on the human
environment.62 The Commission has
categorically excluded certain actions
from this requirement as not having a
significant effect on the human
environment. Included in the exclusion
are rules that are clarifying, corrective,
or procedural or that do not
substantially change the effect of the
regulations being amended.63 The
actions proposed herein fall within this
categorical exclusion in the
Commission’s regulations.
V. Regulatory Flexibility Act Analysis
55. The Regulatory Flexibility Act of
1980 (RFA) generally requires a
description and analysis of proposed
and final rules that will have significant
economic impact on a substantial
number of small entities.64 The Small
Business Administration’s (SBA) Office
of Size Standards develops the
numerical definition of a small
business.65 The SBA revised its size
standard for electric utilities (effective
January 22, 2014) to a standard based on
the number of employees, including
affiliates (from the prior standard based
on megawatt hour sales).66
56. Reliability Standard CIP–012–1 is
expected to impose an additional
burden on 719 entities 67 (reliability
coordinators [RC], generator operators
[GOP], generator owners [GO],
transmission operators [TOP], balancing
authorities [BA], and transmission
owners [TO]).
62 Regulations Implementing the National
Environmental Policy Act of 1969, Order No. 486,
FERC Stats. & Regs. ¶ 30,783 (1987).
63 18 CFR 380.4(a)(2)(ii).
64 5 U.S.C. 601–12.
65 13 CFR 121.101.
66 13 CFR 121.201, Subsection 221.
67 Public utilities may fall under one of several
different categories, each with a size threshold
based on the company’s number of employees,
including affiliates, the parent company, and
subsidiaries. These entities may be included in the
SBA categories for: Hydroelectric Power
Generation, Fossil Fuel Electric Power Generation,
Nuclear Electric Power Generation, Solar Electric
Power Generation, Wind Electric Power Generation
Geothermal Electric Power Generation, Biomass
Electric Power Generation, Other Electric Power
Generation, Biomass Electric Power Generation, or
Electric Bulk Power Transmission and Control.
These categories have thresholds for small entities
varying from 250–750 employees. For the analysis
in this final rule, we are using a conservative
threshold of 750 employees.
PO 00000
Frm 00038
Fmt 4700
Sfmt 4700
57. Of the 719 affected entities
discussed above, we estimate that
approximately 82% percent of the
affected entities are small entities. We
estimate that each of the 590 small
entities to whom the modifications to
Reliability Standard CIP–012–1 apply
will incur one-time, non-paperwork cost
in Year 1 of approximately $17,051,
plus paperwork cost in Year 1 of
$32,016, giving a total cost in Year 1 of
$49,067. In Year 2 and Year 3, each
entity will incur only the ongoing
annual paperwork cost of $7,594. We do
not consider the estimated costs for
these 590 small entities to be a
significant economic impact.
58. Accordingly, we certify that
Reliability Standard CIP–012–1 will not
have a significant economic impact on
a substantial number of small entities.
VI. Effective Date and Congressional
Notification
59. This final rule is effective April
13, 2020. The Commission has
determined, with the concurrence of the
Administrator of the Office of
Information and Regulatory Affairs of
OMB, that this rule is not a ‘‘major rule’’
as defined in section 351 of the Small
Business Regulatory Enforcement
Fairness Act of 1996. This final rule is
being submitted to the Senate, House,
and Government Accountability Office.
VII. Document Availability
60. In addition to publishing the full
text of this document in the Federal
Register, the Commission provides all
interested persons an opportunity to
view and/or print the contents of this
document via the internet through the
Commission’s Home Page (https://
www.ferc.gov) and in the Commission’s
Public Reference Room during normal
business hours (8:30 a.m. to 5:00 p.m.
Eastern time) at 888 First Street NE,
Room 2A, Washington, DC 20426.
61. From the Commission’s Home
Page on the internet, this information is
available on eLibrary. The full text of
this document is available on eLibrary
in PDF and Microsoft Word format for
viewing, printing, and/or downloading.
To access this document in eLibrary,
type the docket number of this
document, excluding the last three
digits, in the docket number field.
62. User assistance is available for
eLibrary and the Commission’s website
during normal business hours from the
Commission’s Online Support at
(202)502–6652 (toll free at 1–866–208–
3676) or email at ferconlinesupport@
ferc.gov, or the Public Reference Room
at (202) 502–8371, TTY (202) 502–8659.
Email the Public Reference Room at
public.referenceroom@ferc.gov.
E:\FR\FM\13FER1.SGM
13FER1
Federal Register / Vol. 85, No. 30 / Thursday, February 13, 2020 / Rules and Regulations
By the Commission.
8169
Issued: January 23, 2020.
Kimberly D. Bose,
Secretary.
Note: The following Appendix will not
appear in the Code of Federal Regulations.
APPENDIX—COMMENTERS
Abbreviation
Commenter
Appelbaum ................................................................................................
Bonneville .................................................................................................
IRC ............................................................................................................
Dr. Liu .......................................................................................................
NERC ........................................................................................................
Reclamation ..............................................................................................
Trade Associations ...................................................................................
Jonathan Appelbaum.
Bonneville Power Administration.
ISO/RTO Council.
Dr. Chen-Ching Liu.
North American Electric Reliability Corporation.
Bureau of Reclamation.
American Public Power Association, Edison Electric Institute, National
Rural Electric Cooperative Association.
Tri-State Generation and Transmission Association, Inc.
Tri-State ....................................................................................................
[FR Doc. 2020–02173 Filed 2–12–20; 8:45 am]
Table of Contents for Preamble
III. Basis and Purpose
BILLING CODE 6717–01–P
I. Abbreviations
II. Regulatory History
III. Basis and Purpose
IV. Discussion of Rule
V. Regulatory Analyses
A. Regulatory Planning and Review
B. Impact on Small Entities
C. Assistance for Small Entities
D. Collection of Information
E. Federalism
F. Unfunded Mandates Reform Act
G. Taking of Private Property
H. Civil Justice Reform
I. Protection of Children
J. Indian Tribal Governments
K. Energy Effects
L. Technical Standards
M. Environment
This rulemaking project was
identified as part of the Coast Guard’s
Regulatory Reform Task Force Initiative.
These field regulation changes were
identified as part of the deregulation
identification process required by
Executive Order 13771 (Reducing
Regulation and Controlling Regulatory
Costs), Executive Order 13777
(Enforcing the Regulatory Reform
Agenda Deregulatory Process), and
associated guidance issued in 2017.
This rule makes technical and editorial
corrections in Title 33 of the Code of
Federal Regulations (CFR). Specifically,
the rule removes safety zones, security
zones, and special local regulations
where the event is no longer held. This
rule also removes special anchorage
areas that are no longer used, and
redesignates certain special anchorage
areas in the Hawaiian Islands and Guam
so they are grouped in the CFR as
District 14 anchorages. Additionally, the
rule removes outdated references to
penalties in regulations governing
certain regulated navigation areas in
Florida and Georgia, and updates
Captain of the Port (COTP) information
in regulations for certain regulated
navigation areas and security zones in
Kentucky, Ohio, and Missouri. These
changes are necessary to correct errors,
change addresses, and make other nonsubstantive changes that improve the
clarity of the CFR. This rule does not
create or change any substantive
requirements.
The changes to 33 CFR part 1 are
authorized under 14 U.S.C. 503, which
grants the Secretary of the Department
of Homeland Security (DHS) broad
authority to promulgate such
regulations as are appropriate to carry
out the provisions of any law applicable
to the Coast Guard. The changes to 33
DEPARTMENT OF HOMELAND
SECURITY
Coast Guard
33 CFR Parts 1, 100, 110, and 165
[Docket No. USCG–2018–0533]
RIN 1625–ZA38
Navigation and Navigable Waters, and
Shipping; Technical, Organizational,
and Conforming Amendments for U.S.
Coast Guard Field Districts 5, 8, 9, 11,
13, 14, and 17
Coast Guard, DHS.
Final rule.
AGENCY:
ACTION:
The Coast Guard is issuing
non-substantive technical,
organizational, and conforming
amendments to existing regulations in
parts 1, 100, 110, and 165 of Title 33 of
the Code of Federal Regulations. These
amendments update and clarify general
regulations in part 1, and update
regulations for Field Districts 5, 8, 9, 11,
13, 14, and 17 to reflect the current
status of regulated navigation areas,
special local regulations, anchorages,
safety zones, and security zones. This
rule will have no substantive effect on
the regulated public.
DATES: This final rule is effective March
16, 2020.
FOR FURTHER INFORMATION CONTACT: For
information about this document call or
email Dominique Christianson, Coast
Guard; telephone 202–372–3856, email
Dominique.Christianson@uscg.mil.
SUPPLEMENTARY INFORMATION:
jbell on DSKJLSW7X2PROD with RULES
SUMMARY:
VerDate Sep<11>2014
17:58 Feb 12, 2020
Jkt 250001
I. Abbreviations
CFR Code of Federal Regulations
CG–LRA Office of Regulations and
Administrative Law
COTP Captain of the Port
DHS Department of Homeland Security
FR Federal Register
OMB Office of Management and Budget
§ Section
U.S.C. United States Code
II. Regulatory History
We did not publish a notice of
proposed rulemaking for this rule.
Under Title 5 of the United States Code
(U.S.C.), section 553(b)(A), the Coast
Guard finds that this rule is exempt
from notice and public comment
rulemaking requirements because these
changes involve rules of agency
organization, procedure, or practice. In
addition, the Coast Guard finds that
notice and comment procedures are
unnecessary under 5 U.S.C. 553(b)(B), as
this rule consists only of technical and
editorial corrections, and these changes
will have no substantive effect on the
public.
PO 00000
Frm 00039
Fmt 4700
Sfmt 4700
E:\FR\FM\13FER1.SGM
13FER1
Agencies
[Federal Register Volume 85, Number 30 (Thursday, February 13, 2020)]
[Rules and Regulations]
[Pages 8161-8169]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-02173]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM18-20-000; ORDER NO. 866]
Critical Infrastructure Protection Reliability Standard CIP-012-
1--Cyber Security--Communications Between Control Centers
AGENCY: Federal Energy Regulatory Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Energy Regulatory Commission (Commission) approves
Reliability Standard CIP-012-1 (Cyber Security--Communications between
Control Centers). The North American Electric Reliability Corporation
(NERC), the Commission-certified Electric Reliability Organization,
submitted Reliability Standard CIP-012-1 for Commission approval in
response to a Commission directive. In addition, the Commission directs
NERC to develop modifications to the CIP Reliability Standards to
require protections regarding the availability of communication links
and data communicated between bulk electric system Control Centers.
DATES: This rule will become effective April 13, 2020.
FOR FURTHER INFORMATION CONTACT:
Vincent Le, (Technical Information), Office of Electric Reliability,
Federal Energy Regulatory Commission, 888 First Street NE, Washington,
DC 20426, (202) 502-6204, [email protected]
Kevin Ryan, (Legal Information), Office of the General Counsel, Federal
Energy Regulatory Commission, 888 First Street NE, Washington, DC
20426, (202) 502-6840, [email protected]
SUPPLEMENTARY INFORMATION:
[[Page 8162]]
1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\
the Commission approves Reliability Standard CIP-012-1 (Cyber
Security--Communications between Control Centers). The North American
Electric Reliability Corporation (NERC), the Commission-certified
Electric Reliability Organization (ERO), submitted Reliability Standard
CIP-012-1 for Commission approval in response to a Commission directive
in Order No. 822.\2\ In Order No. 822, the Commission directed NERC,
pursuant to section 215(d)(5) of the FPA, to develop modifications to
the Reliability Standards to require responsible entities to implement
controls to protect, at a minimum, communications links and sensitive
bulk electric system data communicated between bulk electric system
Control Centers ``in a manner that is appropriately tailored to address
the risks posed to the bulk electric system by the assets being
protected (i.e., high, medium, or low impact).'' \3\
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o(d)(2).
\2\ Revised Critical Infrastructure Protection Reliability
Standards, Order No. 822, 154 FERC ] 61,037, at P 53, order denying
reh'g, Order No. 822-A, 156 FERC ] 61,052 (2016).
\3\ 16 U.S.C. 824o(d)(5); Order No. 822, 154 FERC ] 61,037 at P
53.
---------------------------------------------------------------------------
2. Consistent with the directive in Order No. 822, Reliability
Standard CIP-012-1 improves upon the currently-effective Critical
Infrastructure Protection (CIP) Reliability Standards to mitigate cyber
security risks associated with communications between bulk electric
system Control Centers. Specifically, Reliability Standard CIP-012-1
supports situational awareness and reliable bulk electric system
operations by requiring responsible entities to protect the
confidentiality and integrity of Real-time Assessment \4\ and Real-time
monitoring data transmitted between bulk electric system Control
Centers. Accordingly, the Commission approves Reliability Standard CIP-
012-1 because it is largely responsive to the Commission's directive in
Order No. 822 and improves the cyber security posture of responsible
entities. We also approve the associated violation risk factors and
violation severity levels, implementation plan, and effective date.
---------------------------------------------------------------------------
\4\ The NERC Glossary defines Real-time Assessment as, ``An
evaluation of system conditions using Real-time data to assess
existing (pre-Contingency) and potential (post-Contingency)
operating conditions. The assessment shall reflect applicable inputs
including, but not limited to: Load, generation output levels, known
Protection System and Special Protection System status or
degradation, Transmission outages, generator outages, Interchange,
Facility Ratings, and identified phase angle and equipment
limitations. (Real-time Assessment may be provided through internal
systems or through third-party services.)'' NERC Glossary of Terms
Used in NERC Reliability Standards (July 3, 2018).
---------------------------------------------------------------------------
3. In addition, pursuant to section 215(d)(5) of the FPA, the
Commission directs NERC to develop modifications to the CIP Reliability
Standards to require protections regarding the availability of
communication links and data communicated between bulk electric system
Control Centers. As discussed in the Notice of Proposed Rulemaking
(NOPR), Reliability Standard CIP-012-1 does not require protections
regarding the availability of communication links and data communicated
between bulk electric system Control Centers, as directed in Order No.
822.\5\ In the NOPR, the Commission indicated that it did not agree
with NERC's assertion that currently-effective Reliability Standards
address availability, and we are not persuaded by NOPR comments raising
the same argument. Instead, pursuant to section 215(d)(5) of the FPA,
we determine that the absence of a requirement that specifically
pertains to the availability of communication links and data
communicated between bulk electric system Control Centers represents a
reliability gap in the CIP Reliability Standards that should be
addressed by NERC.
---------------------------------------------------------------------------
\5\ See Critical Infrastructure Protection Reliability Standard
CIP-012-1--Cyber Security--Communication between Control Centers,
Notice of Proposed Rulemaking, 167 FERC ] 61,055, at P 54 (2019)
(NOPR).
---------------------------------------------------------------------------
4. The Commission, in the NOPR, also proposed to direct NERC to
identify clearly the types of data that must be protected under
Reliability Standard CIP-012-1. The NOPR expressed concern that
Reliability Standard CIP-012-1 does not adequately identify the types
of data covered by its requirements, due to, among other things, the
fact that the term ``Real-time monitoring'' is not defined in the
Reliability Standard or the NERC Glossary. After considering the NOPR
comments, however, we determine not to direct the proposed modification
based on the explanation of the types of data that must be protected
set forth in the NOPR comments.
I. Background
A. Section 215 and Mandatory Reliability Standards
5. Section 215 of the FPA requires a Commission-certified ERO to
develop mandatory and enforceable Reliability Standards, subject to
Commission review and approval. Reliability Standards may be enforced
by the ERO, subject to Commission oversight, or by the Commission
independently.\6\ Pursuant to section 215 of the FPA, the Commission
established a process to select and certify an ERO,\7\ and subsequently
certified NERC.\8\
---------------------------------------------------------------------------
\6\ 16 U.S.C. 824o(e).
\7\ Rules Concerning Certification of the Electric Reliability
Organization; and Procedures for the Establishment, Approval, and
Enforcement of Electric Reliability Standards, Order No. 672, 114
FERC ] 61,104, order on reh'g, Order No. 672-A, 114 FERC ] 61,328
(2006).
\8\ North American Electric Reliability Corp., 116 FERC ]
61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006),
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
B. Order No. 822
6. In Order No. 822, the Commission approved seven modified CIP
Reliability Standards and directed NERC to develop additional
modifications to the CIP Reliability Standards.\9\ Specifically, the
Commission directed that NERC, among other things, develop
modifications to the CIP Reliability Standards to require that
responsible entities implement controls to protect, at a minimum,
communications links and sensitive bulk electric system data
communicated between bulk electric system Control Centers ``in a manner
that is appropriately tailored to address the risks posed to the bulk
electric system by the assets being protected (i.e., high, medium, or
low impact).'' \10\ The Commission observed that NERC, as well as other
commenters in that proceeding, ``recognize that inter-Control Center
communications play a critical role in maintaining bulk electric system
reliability by . . . helping to maintain situational awareness and
support reliable operations through timely and accurate communication
between Control Centers.'' \11\
---------------------------------------------------------------------------
\9\ Order No. 822, 154 FERC ] 61,037 at PP 1, 3.
\10\ Id. P 53.
\11\ Id. P 54.
---------------------------------------------------------------------------
7. The Commission explained that Control Centers associated with
responsible entities, including reliability coordinators, balancing
authorities, and transmission operators, must be capable of receiving
and storing a variety of bulk electric system data from their
interconnected entities in order to adequately perform their
reliability functions. The Commission, therefore, determined that
``additional measures to protect both the integrity and availability of
sensitive bulk electric system data are warranted.'' \12\
---------------------------------------------------------------------------
\12\ Id.
---------------------------------------------------------------------------
The Commission cautioned, however, that ``not all communication
network components and data pose the same risk to bulk electric system
reliability and may not require the same level of
[[Page 8163]]
protection.'' \13\ Therefore, the Commission determined that NERC
should develop controls that reflect the risk being addressed in a
reasonable manner.
---------------------------------------------------------------------------
\13\ Id. P 56.
---------------------------------------------------------------------------
C. NERC Petition and Reliability Standard CIP-012-1
8. On September 18, 2018, NERC submitted for Commission approval
proposed Reliability Standard CIP-012-1 and the associated violation
risk factors and violation severity levels, implementation plan, and
effective date.\14\ NERC states that the purpose of Reliability
Standard CIP-012-1 is to help maintain situational awareness and
reliable bulk electric system operations by protecting the
confidentiality and integrity of Real-time Assessment and Real-time
monitoring data transmitted between Control Centers.
---------------------------------------------------------------------------
\14\ Reliability Standard CIP-012-1 is not attached to this
final rule. The Reliability Standard is available on the
Commission's eLibrary document retrieval system in Docket No. RM18-
20-000 and on the NERC website, www.nerc.com.
---------------------------------------------------------------------------
9. NERC states that Reliability Standard CIP-012-1 ``requires
Responsible Entities to develop and implement a plan to address the
risks posed by unauthorized disclosure (confidentiality) and
unauthorized modification (integrity) of Real-time Assessment and Real-
time monitoring data while being transmitted between applicable Control
Centers.'' \15\ According to NERC, the required plan must include the
following: (1) Identification of security protections; (2)
identification of where the protections are applied; and (3)
identification of the responsibilities of each entity in case a Control
Center is owned or operated by different responsible entities.\16\
---------------------------------------------------------------------------
\15\ NERC Petition at 10.
\16\ Id. at 3.
---------------------------------------------------------------------------
10. As noted above, the types of data within the scope of
Reliability Standard CIP-012-1 consist of Real-time Assessment and
Real-time monitoring data exchanged between Control Centers. NERC
states that it is critical that this information is accurate since
responsible entities operate and monitor the bulk electric system based
on this Real-time information. NERC explains that Reliability Standard
CIP-012-1 ``excludes other data typically transferred between Control
Centers, such as Operational Planning Analysis data, that is not used
by the Reliability Coordinator, Balancing Authority, and Transmission
Operator in Real-time.'' \17\
---------------------------------------------------------------------------
\17\ Id. at 12.
---------------------------------------------------------------------------
11. NERC also indicates that data at rest and oral communications
fall outside the scope of Reliability Standard CIP-012-1. Regarding
data at rest, NERC states that the standard drafting team determined
that since data at rest resides within BES Cyber Systems,\18\ it is
already protected by the controls mandated by Reliability Standards
CIP-003-6 through CIP-011-2. According to NERC, oral communications are
out of scope of Reliability Standard CIP-012-1 ``because operators have
the ability to terminate the call and initiate a new one via trusted
means if they suspect a problem with, or compromise of, the
communication channel.'' \19\ NERC notes that Reliability Standard COM-
001-3 requires reliability coordinators, balancing authorities, and
transmission operators to have alternative interpersonal communication
capability, which could be used if there is a suspected compromise of
oral communication on one channel.
---------------------------------------------------------------------------
\18\ BES Cyber System is defined as ``[o]ne or more BES Cyber
Assets logically grouped by a responsible entity to perform one or
more reliability tasks for a functional entity.'' NERC Glossary. The
acronym BES refers to the bulk electric system.
\19\ NERC Petition at 14.
---------------------------------------------------------------------------
D. Notice of Proposed Rulemaking
12. On April 18, 2019, the Commission issued a NOPR proposing to
approve Reliability Standard CIP-012-1 as just, reasonable, not unduly
discriminatory or preferential, and in the public interest.\20\ The
NOPR stated that Reliability Standard CIP-012-1 is largely responsive
to the Commission's directive in Order No. 822 and improves the cyber
security posture of the bulk electric system by requiring responsible
entities to protect the confidentiality and integrity of Real-time
Assessment and Real-time monitoring data transmitted between bulk
electric system Control Centers, which supports situational awareness
and reliable bulk electric system operations.
---------------------------------------------------------------------------
\20\ NOPR, 167 FERC ] 61,055 at P 1.
---------------------------------------------------------------------------
13. While proposing to approve Reliability Standard CIP-012-1, the
Commission also proposed to direct NERC to develop modifications to the
CIP Reliability Standards to address potential reliability gaps. First,
the NOPR stated that Reliability Standard CIP-012-1 does not require
protections regarding the availability of communication links and data
communicated between bulk electric system Control Centers as directed
in Order No. 822. The NOPR explained that the Commission was not
persuaded by NERC's explanation that certain currently-effective
Reliability Standards address the issue of availability. Second, the
NOPR raised a concern that Reliability Standard CIP-012-1 does not
adequately identify the types of data covered by its requirements, due
to, among other things, the fact that Real-time monitoring is not
defined in the proposed Reliability Standard or the NERC Glossary.\21\
---------------------------------------------------------------------------
\21\ Id. P 16.
---------------------------------------------------------------------------
14. In response to the NOPR, eight entities submitted comments. A
list of commenters appears in Appendix A. The discussion below
addresses the proposals in the NOPR as well as the NOPR comments.
II. Discussion
15. Pursuant to section 215(d)(2) of the FPA, the Commission
approves Reliability Standard CIP-012-1 as just, reasonable, not unduly
discriminatory or preferential, and in the public interest. Reliability
Standard CIP-012-1 largely addresses the Commission's directive in
Order No. 822 because it will enhance existing protections for bulk
electric system reliability by augmenting the currently-effective CIP
Reliability Standards to mitigate cyber security risks associated with
communications between bulk electric system Control Centers.
Reliability Standard CIP-012-1 achieves this by requiring responsible
entities to protect the confidentiality and integrity of Real-time
Assessment and Real-time monitoring data transmitted between bulk
electric system Control Centers, thereby supporting situational
awareness and reliable bulk electric system operations.
16. While the Commission approves Reliability Standard CIP-012-1,
we also determine that the reliability risks identified in Order No.
822 will not be fully addressed with the implementation of the
Reliability Standard. As discussed below, a significant cyber security
risk associated with the protection of communications links and
sensitive bulk electric system data communicated between bulk electric
system Control Centers remains because Reliability Standard CIP-012-1
does not address the availability of communication links and data
communicated between bulk electric system Control Centers. To address
this gap, the Commission directs NERC, pursuant to section 215(d)(5) of
the FPA, to develop modifications to the CIP Reliability Standards to
require protections regarding the availability of communication links
and data communicated between bulk electric system Control Centers.
17. Below, we discuss the following issues: (A) Availability of
bulk electric system communication links and data; and (B) scope of
bulk electric system data that must be protected.
[[Page 8164]]
A. Availability of Bulk Electric System Communication Links and Data
1. NOPR
18. The NOPR stated that Reliability Standard CIP-012-1 does not
address the availability component of the Commission's directive in
Order No. 822. The NOPR identified this as a gap because ensuring
timely and reliable access to and use of data is essential to the
reliable operation of the bulk electric system. The NOPR indicated that
the existing Reliability Standards cited in NERC's petition do not
require responsible entities to protect the availability of sensitive
bulk electric system data in a manner consistent with Order No.
822.\22\ In particular, the NOPR stated that the cited Reliability
Standards either do not apply to communications between individual
Control Centers or, while their effect may be to support availability,
the Reliability Standards do not create an obligation to protect
availability.\23\
---------------------------------------------------------------------------
\22\ Id. P 24.
\23\ Id.
---------------------------------------------------------------------------
2. Comments
19. NERC, Trade Associations, Tri-State and IRC do not support a
directive that addresses the availability of communication links and
data communicated between bulk electric system Control Centers.
Reclamation, Appelbaum, and Liu express support for the directive,
while Bonneville offers qualified support.
20. Comments opposing the proposed directive largely reiterate the
petition's assertion that currently-effective Reliability Standards
adequately protect the availability of communication links and data
communicated between bulk electric system Control Centers. For example,
NERC contends that ``[w]hile IRO-002-5 and TOP-001-4 cover
infrastructure within Control Centers, not between Control Centers, the
requirements help protect the availability of data to be exchanged
between Control Centers . . . [because] the data exchange
infrastructure in scope of these requirements facilitates sending and
receiving data between Control Centers.'' \24\ NERC explains that if
``an applicable entity lost capability of some of this data exchange
infrastructure, the applicable entity could continue to send and
receive data between Control Centers because of the redundant data
exchange infrastructure within its Control Center.\25\ In addition,
NERC states that Reliability Standards IRO-010-2 and TOP-003-3 require
applicable entities to use a mutually agreeable security protocol
between Control Centers. NERC explains that this supports availability
by helping to ensure that conflicting protocols do not impede receipt
of data between Control Centers.
---------------------------------------------------------------------------
\24\ NERC Comments at 5.
\25\ Id.; see also Trade Associations Comments at 6-8, Tri-state
Comments at 3.
---------------------------------------------------------------------------
21. NERC also contends that Reliability Standard EOP-008-2 helps
support the availability of communication links between Control Centers
by requiring reliability coordinators to have backup Control Center
facilities, or backup Control Center functionality for balancing
authorities and transmission operators, in addition to their primary
Control Centers. NERC explains that ``[t]hese backup facilities supply
redundancy of some communication links and data exchange infrastructure
and capabilities at the backup Control Center.'' \26\ NERC further
explains that entities with geographically diverse primary and backup
Control Centers may have communication links that are physically
separate from one another. NERC concludes that although ``geographic
diversity alone will not always provide redundancy of communication
links, having backup Control Centers with different paths to
communicate with other Control Centers helps support availability of
communication links.'' \27\
---------------------------------------------------------------------------
\26\ NERC Comments at 7; see also Trade Associations Comments at
9-10.
\27\ NERC Comments at 7.
---------------------------------------------------------------------------
22. In addition, comments opposing the directive maintain that it
is premature to require protections for the availability of the
communication links and data at issue. NERC states that it recognizes
that ``there may be additional controls that could help address'' risks
to the availability of data and communication links and commits to
``study the risks to availability of data and communication links
between Control Centers and the current controls that support
availability.'' \28\ Trade Associations, similarly, ``encourage[s] the
Commission to consider directing NERC to study the issue [of
telecommunications security] to identify specific availability
vulnerabilities and potential mitigation methods.'' \29\
---------------------------------------------------------------------------
\28\ Id. at 8-9.
\29\ Trade Associations Comments at 12.
---------------------------------------------------------------------------
23. IRC, while not supporting the proposed directive,
``acknowledges that [the Commission] could require additional actions
by responsible entities to promote the availability of [bulk electric
system] communication links to the extent possible through contracts
with telecommunications providers.'' \30\ IRC recommends a best efforts
approach similar to how supply chain risks are addressed under
Reliability Standard CIP-013-1. Specifically, IRC suggests that ``NERC
could adopt a standard that would require responsible entities, when
negotiating these service contacts, to take reasonable steps or use
best efforts to maximize the availability of communication links.''
\31\
---------------------------------------------------------------------------
\30\ IRC Comments at 3 (emphasis in original).
\31\ Id.
---------------------------------------------------------------------------
24. Reclamation, in support of the Commission proposal, states that
the availability of communication networks should encompass links
between Control Centers owned by the same entity as well as Control
Centers owned by different entities. Reclamation maintains that the
requirements for electronic communications be parallel to the following
requirements for oral communication contained in Reliability Standard
COM-001-3: (1) Have electronic communication capability; (2) designate
alternative electronic communication capability in the event of a
failure of the primary communication capability; (3) test the alternate
method of electronic communication; (4) notify the entity on the other
end of the communication path if a failure is detected; and (5)
establish mutually agreeable action to restore the electronic
communication capability.
25. As an initial matter, Bonneville recommends delaying approval
of Reliability Standard CIP-012-1 until NERC conducts a pilot project
to study the most effective way to encrypt data while ensuring the data
is available to responsible entities. However, if the Commission
approves the Reliability Standard, Bonneville ``agrees with the
Commission's proposal to address the availability of communication
links and data communicated between Control Centers.'' \32\ Bonneville
explains that maintaining the availability of the communication links
includes addressing both redundancy and recovery. Therefore, Bonneville
recommends that, if Reliability Standard CIP-012-1 is approved, ``the
Commission order NERC to adopt modifications requiring Responsible
Entities to have incident recovery plans/continuity of operation plans
addressing planning for recovery time, capability, and capacity.'' \33\
Similarly, Appelbaum supports the proposed directive and contends that
``a requirement for a continuing operations plan for loss of critical
data resulting for the loss of
[[Page 8165]]
Control Center functionality should be directed.'' \34\
---------------------------------------------------------------------------
\32\ Bonneville Comments at 5.
\33\ Id. at 6.
\34\ Appelbaum Comments at 7.
---------------------------------------------------------------------------
3. Commission Determination
26. We determine that modifications to the CIP Reliability
Standards to address the availability of communication links and data
communicated between bulk electric system control centers will enhance
bulk electric system reliability. As the Commission stated in Order No.
822, bulk electric system Control Centers ``must be capable of
receiving and storing a variety of sensitive bulk electric system data
from interconnected entities.'' \35\ We are not persuaded by the
contention in the petition and comments that currently-effective
Reliability Standards adequately address the directive in Order No. 822
regarding availability. Instead, we determine that the Reliability
Standards cited by NERC either do not apply to communications between
Control Centers or do not create an obligation to protect the
availability of data between Control Centers. Accordingly, the directed
modifications to the CIP Reliability Standards are not duplicative of
existing Reliability Standards.
---------------------------------------------------------------------------
\35\ Order No. 822, 154 FERC ] 61,037 at P 54.
---------------------------------------------------------------------------
27. As the Commission explained in the NOPR, the existing
Reliability Standards cited by NERC are not responsive to the
availability directive in Order No. 822.\36\ Reliability Standards IRO-
002-5 and TOP-001-4 require responsible entities to have redundant and
diversely routed data exchange infrastructure within the Control Center
environment, but they do not address communications between individual
Control Centers, which was the subject of the Commission's directive in
Order No. 822.\37\ While it is true that the infrastructure associated
with communications within Control Centers may be useful to data
exchange between Control Centers, nothing in the cited Reliability
Standards creates an obligation to maintain data availability between
Control Centers. Similarly, Reliability Standards IRO-010-2 and TOP-
003-3 require responsible entities to have mutually agreeable security
protocols for exchange of Real-time data, which may have the effect of
contributing to greater availability; however, these requirements do
not create an obligation, as directed in Order No. 822, to protect the
availability of those communication capabilities and associated data by
applying appropriate security controls.
---------------------------------------------------------------------------
\36\ NOPR, 167 FERC ] 61,055 at P 24.
\37\ NOPR, 167 FERC ] 61,055 at P 24; NERC Comments at 5 (``IRO-
002-5 and TOP-011-4 cover infrastructure within Control Centers, not
between Control Centers'').
---------------------------------------------------------------------------
28. As the NOPR explained, creating an obligation to protect
availability, while affording flexibility in terms of what data is
protected and how, is distinct from relying on currently-effective
Reliability Standards whose effect may be to support availability.\38\
The comments do not offer a new or persuasive reason to alter this
view. For example, the Trade Associations repeat the line of reasoning
in the NERC petition by ``encourag[ing] the Commission to focus
holistically on the broad requirements contained with [the] IRO and TOP
standards, which focus on the performance requirements necessary to
support Real-time monitoring and Real-time Assessments.'' \39\ In this
circumstance, we disagree with that approach because, as the Commission
observed in Order No. 822, ``NERC and other commenters recognize that
inter-Control Center communications play a critical role in maintaining
bulk electric system reliability by, among other things, helping to
maintain situational awareness and reliable bulk electric system
operations through timely and accurate communication between Control
Center.'' \40\ Thus, the holistic view urged by Trade Associations does
not address the gap recognized by the Commission in Order No. 822.
---------------------------------------------------------------------------
\38\ NOPR, 167 FERC ] 61,055 at P 24; NERC Comments at 6-7
(stating that alarms, recovery plans, and the ability to disable
data encryption also support data availability).
\39\ Trade Associations Comments at 8.
\40\ Order No. 822, 154 FERC ] 61,037 at P 54.
---------------------------------------------------------------------------
29. The contention in NERC's comments that Reliability Standard
EOP-008-2 could also help maintain the availability of communication
links between bulk electric system Control Centers, rests on the same
reasoning that the ancillary benefits of an existing Reliability
Standard addresses the reliability gap identified by the Commission and
concomitant availability directive in Order No. 822. While we agree
that a requirement to maintain a backup Control Center arguably
provides a level of redundancy for a responsible entity's overall
operations, it does not require redundant and diversely routed
communication paths between either the primary and backup Control
Centers or third-party Control Centers.
30. In addition, we do not agree that it is premature to require
protections for the availability of the communication links and data
communicated between bulk electric system Control Centers. While NERC
and Trade Associations advocate further study of the risks associated
with availability, we conclude that the risks associated with losing
the availability of either data or communication links between bulk
electric system Control Centers is supported by the existing record and
warrants a directive to modify the CIP Reliability Standards.\41\
---------------------------------------------------------------------------
\41\ See Appelbaum Comments at 7, Bonneville Comments at 5, IRC
Comments at 3, Dr. Liu Comments at 1, Reclamation Comments at 1.
---------------------------------------------------------------------------
31. We address several related issues raised in the comments.
Commenters raise a concern that directing NERC to address requirements
for certain aspects of availability, in particular redundancy and
diverse routing, could have significant impacts on responsible entities
using third-party telecommunications providers. Specifically, Trade
Associations notes that responsible entities ``may not have sufficient
control over the design of these networks to ensure that such
requirements are met.'' \42\ Without control over these networks,
commenters suggest that the only options for addressing availability
would be to construct costly private networks or implement less secure
internet-based connections.\43\
---------------------------------------------------------------------------
\42\ Trade Associations Comments at 12.
\43\ See, e.g., id., Tri-State Comments at 2.
---------------------------------------------------------------------------
32. We are not persuaded by these arguments. Rather, as IRC
correctly notes in its discussion of the challenges raised in securing
third-party telecommunications networks, while the Commission lacks
jurisdiction over telecommunication service providers that may own and
operate the communication links between bulk electric system Control
Centers, the Commission has the authority to require responsible
entities to take actions to promote the availability of communication
links through service contracts with network providers.\44\ For
example, entities could enter into service contracts with
telecommunication service providers that include an agreed-upon quality
of service commitment to maintain the availability of the data exchange
capability to minimize the availability risk. Such arrangements would
mirror the approach in Reliability Standard CIP-013-1 (Cyber Security--
Supply Chain Risk Management), which also involved non-jurisdictional
entities.\45\ NERC should likewise consider allowing responsible
entities to contract with telecommunication service providers to
minimize the risk of loss of
[[Page 8166]]
availability of communication links and data communicated between bulk
electric system Control Centers in cases where communications between
Control Centers are managed by a third party.
---------------------------------------------------------------------------
\44\ IRC Comments at 3.
\45\ The currently-approved supply chain risk management
Reliability Standard exempts communication networks and data links
between discrete Electronic Security Perimeters. See NERC
Reliability Standard CIP-013-1, Applicability Section 4.2.3.2.
---------------------------------------------------------------------------
33. We agree with Reclamation's comment that protections for the
availability of communication links and data communicated between bulk
electric system Control Centers should encompass both entity-owned and
third-party owned Control Centers. The intent of the Commission's
directive is for NERC to address the risks associated with the
availability of communication links and data communicated between all
bulk electric system Control Centers, which will require coordination
between neighboring responsible entities.
34. We reject Bonneville's recommendation that the Commission delay
approval of Reliability Standard CIP-012-1 to allow for a pilot project
on encryption. The record in this proceeding does not support a delay,
and Bonneville's request conflicts with the implementation plan
proposed by NERC.\46\ Moreover, the standard drafting team addressed
the Commission's finding on this issue in Order No. 822. In Order No.
822, the Commission stated ``that any lag in communication speed
resulting from implementation of protections should only be measurable
on the order of milliseconds and, therefore, will not adversely impact
Control Center communications . . . [but that] technical issues should
be considered by the standard drafting team . . . e.g., by making
certain aspects of the revised CIP Standards eligible for Technical
Feasibility Exceptions.'' \47\ In response, NERC stated that the
standard drafting team ``developed an objective-based rather than
prescriptive requirement . . . [that] will allow Responsible Entities
flexibility in mitigating the risks posed . . . in a manner suited to
each of their respective operational environments.'' \48\ Accordingly,
we determine not to delay approval of Reliability Standard CIP-012-1.
---------------------------------------------------------------------------
\46\ See NERC Petition at Exhibit B.
\47\ Order No. 822, 154 FERC ] 61,037 at P 62.
\48\ NERC Petition, Exhibit D (Consideration of Issues and
Directives) at 7.
---------------------------------------------------------------------------
35. We agree with Bonneville and Appelbaum that maintaining the
availability of communication networks and data should include
provisions for incident recovery and continuity of operations in a
responsible entity's compliance plan. We recognize that the redundancy
of communication links cannot always be guaranteed; responsible
entities should therefore plan for both recovery of compromised
communication links and use of backup communication capability should
it be needed for redundancy (i.e., satellite or other alternate backup
communications).
36. Accordingly, pursuant to section 215(d)(5) of the FPA, we
direct that NERC develop modifications to the CIP Reliability Standards
to require protections regarding the availability of communication
links and data communicated between bulk electric system Control
Centers, as discussed above.
B. Scope of Bulk Electric System Data That Must Be Protected
1. NOPR
37. The NOPR observed that Reliability Standard CIP-012-1 requires
the protection of Real-time Assessment and Real-time monitoring data.
The Commission explained that that while Real-time Assessment is
defined in the NERC Glossary, Real-time monitoring data is not defined.
Accordingly, the NOPR expressed concern that Reliability Standard CIP-
012-1 does not clearly indicate the types of data to be protected. To
address this, the Commission proposed to direct that NERC develop
modifications to the CIP Reliability Standards to clearly identify the
types of data that must be protected, including whether a NERC Glossary
definition of Real-time monitoring would assist with implementation and
compliance.
2. Comments
38. Appelbaum and Reclamation support the development of one or
more definitions. Specifically, Reclamation recommends that the
Commission direct NERC to develop definitions for the terms: (1) Real-
time monitoring data; (2) Real-time data; (3) BES Data; (4) Operational
Data; (5) System Planning Data; (6) availability and (7) Real-time
monitoring. Appelbaum supports requiring a definition of Real-time
monitoring given its importance to triggering alarms that system
operators respond to and because it is an input to automatic dispatch.
39. NERC and other commenters maintain that a directive is
unnecessary because the terms Real-time Assessment and Real-time
monitoring are clear. NERC states that the ``language used in proposed
Reliability Standard CIP-012-1, `Real-time Assessment and Real-time
monitoring data,' is sufficient to identify the data as described in
TOP-003-3 and IRO-010-2.'' \49\ Specifically, NERC explains that since
the IRO and TOP Reliability Standards are the only currently-effective
Reliability Standards that use the phrase Real-time monitoring and the
term Real-time Assessment, ``[c]ompliance with these standards defines
the data that is used in Real-time monitoring and Real-time
Assessments.'' \50\ NERC concludes that by ``using this language that
is only referenced in the IRO and TOP Reliability Standards families,
proposed CIP-012-1 brings the data identified pursuant to TOP-003-3 and
IRO-010-2 into scope.'' \51\
---------------------------------------------------------------------------
\49\ NERC Comments at 10.
\50\ Id.
\51\ Id.
---------------------------------------------------------------------------
40. Trade Associations and IRC concur with NERC that the scope of
data subject to the requirements of proposed Reliability Standard CIP-
012-1 is adequately clear. According to Trade Associations, responsible
Entities and NERC understand that the types of data covered in CIP-012-
1 is the data specified for Real-time Assessment and Real-time
monitoring under TOP-003 and IRO-010. Similarly, IRC notes that ``all
responsible entities must already know the universe of data needed for
Real-time Assessment and Real-time monitoring activities in order to
comply with NERC Reliability Standards TOP-003-3 and IRO-010-2.'' \52\
Regarding the concern raised in the NOPR that the term Real-time
monitoring is not defined, IRC states that it ``sees no reason that the
term should be presumed to mean something different from what it means
in other places where it is used in the NERC Reliability
Standards.''\53\
---------------------------------------------------------------------------
\52\ IRC Comments at 4.
\53\ Id.
---------------------------------------------------------------------------
41. While Bonneville does not take a position on the NOPR proposal,
it notes a concern over ``creating a compliance requirement to identify
how different types of information are protected.'' \54\ Bonneville
states that, generally, the use of the same data exchange
infrastructure will result in all data using that infrastructure
receiving the same protection regardless of data type. Therefore,
Bonneville avers that, if the Commission directs NERC to define the
scope of data to be protected, then ``a Responsible Entity should have
the option to show that all data types are protected at the highest
level using the same security protocols, without having to identify and
show how specific types of data are protected.'' \55\
---------------------------------------------------------------------------
\54\ Reclamation Comments at 6.
\55\ Id.
---------------------------------------------------------------------------
3. Commission Determination
42. In view of the comments, we determine not to adopt the NOPR
[[Page 8167]]
proposal to direct modifications to define the scope of data covered by
Reliability Standard CIP-012-1. NERC, Trade Associations and IRC agree
that Reliability Standard CIP-012-1 requires the protection of Real-
time Assessment and Real-time monitoring data identified under
Reliability Standards TOP-003-3 and IRO-010-2. This point is also
confirmed in the Technical Rationale document for Reliability Standard
CIP-012-1.\56\ We are persuaded that responsible entities must know the
types of data needed for Real-time Assessment and Real-time monitoring
activities in order to comply with Reliability Standards TOP-003-3 and
IRO-010-2.
---------------------------------------------------------------------------
\56\ NERC Petition, Exhibit F (Technical Rationale) at 1-2.
---------------------------------------------------------------------------
43. With this understanding, we are satisfied that the data
protected under Reliability Standard CIP-012-1 is the same data
identified under Reliability Standards TOP-003-3 and IRO-010-2. We
determine that this clarification addresses the concern in the NOPR
that not defining the types of data that must be protected under
Reliability Standard CIP-012-1 could result in uneven compliance and
enforcement. In addition, we agree with Bonneville that responsible
entities may show that all data types are protected at the highest
level using the same security protocols, without having to identify and
show how specific types of data are protected, so long as the security
protocols are reasonable.
III. Information Collection Statement
44. The FERC-725B information collection requirements contained in
this final rule are subject to review by the Office of Management and
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of
1995.\57\ OMB's regulations require approval of certain information
collection requirements imposed by agency rules.\58\ Upon approval of a
collection of information, OMB will assign an OMB control number and
expiration date. Respondents subject to the filing requirements of this
rule will not be penalized for failing to respond to the collection of
information unless the collection of information displays a valid OMB
control number.
---------------------------------------------------------------------------
\57\ 44 U.S.C. 3507(d).
\58\ 5 CFR 1320.
---------------------------------------------------------------------------
45. The Commission received no comments on the validity of the
burden and cost estimates in the NOPR. The Commission is updating the
burden estimates and labor costs contained in the NOPR. The Commission
in this final rule corrected an error from the NOPR in the row
``Identification of Security Protection Application (if not owned by
same Responsible Entity) (Requirement R1.3)'' where the total number of
hours was understated by 100,000, and all calculations based upon this
error.
46. The Commission is submitting these reporting and recordkeeping
requirements to OMB for its review and approval under section 3507(d)
of the PRA. Comments are solicited on the Commission's need for this
information, whether the information will have practical utility, the
accuracy of the provided burden estimate, ways to enhance the quality,
utility, and clarity of the information to be collected, and any
suggested methods for minimizing the respondent's burden, including the
use of automated information techniques.
47. The Commission bases its paperwork burden estimates on the
changes in paperwork burden presented by Reliability Standard CIP-012-
1.
48. The NERC Compliance Registry, as of December 2019, identifies
approximately 1,482 unique U.S. entities that are subject to mandatory
compliance with Reliability Standards. Of this total, we estimate that
719 entities will face an increased paperwork burden under proposed
Reliability Standard CIP-012-1. Based on these assumptions, we estimate
the following reporting burden:
---------------------------------------------------------------------------
\59\ We consider the filing of an application to be a
``response.''
\60\ The hourly cost for wages plus benefits is based on the
average of the occupational categories for 2018 found on the Bureau
of Labor Statistics website (https://www.bls.gov/oes/current/naics2_22.htm):
Information Security Analysts (Occupation Code: 15-1122):
$61.494
Computer and Mathematical (Occupation Code: 15-0000): $63.54
Legal (Occupation Code: 23-0000): $142.86
Computer and Information Systems Managers (Occupation Code: 11-
3021): $98.81.
These various occupational categories' wage figures are averaged
as follows: $61.494/hour + $63.54/hour + $142.86/hour + $98.81/hour)
/ 4 = $91.70/hour. The resulting wage figure is rounded to $92.00/
hour for use in calculating wage figures in the final rule in Docket
No. RM18-20-000.
\61\ This includes the record retention costs for the one-time
and the on-going reporting documents.
FERC-725B--Modifications Due to the Final Rule in Docket No. RM18-20-000
--------------------------------------------------------------------------------------------------------------------------------------------------------
Number of
Number of responses \59\ Total number Avg. burden hrs. & cost per Total annual burden hours & total
respondents per respondent of responses response \60\ annual cost
(1) (2) (1) x (2) = (4).......................... (3) x (4) = 5
(3)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Implementation of Documented 719 1 719 128 hrs.; $11,776............ 92,032 hrs.; $8,466,944.
Plan(s) (Requirement R1) \61\.
Document Identification of 719 1 719 40 hrs.; $3,680.............. 28,560 hrs.; $2,645,920.
Security Protection (Requirement
R1.1) \61\.
Identification of Security 719 1 719 20 hrs.; $1,840.............. 14,280 hrs.; $1,322,960.
Protection Application (if owned
by same Responsible Entity)
(Requirement R1.2) \61\.
Identification of Security 719 1 719 160 hrs.; $14,720............ 14,240 hrs.; $10,583,680.
Protection Application (if not
owned by same Responsible
Entity) (Requirement R1.3) \61\.
Maintaining Compliance (ongoing, 719 1 719 83 hrs.; $7,636.............. 59,677 hrs.; $5,490,284.
starting in Year 2).
----------------------------------------------------------------------------------------------------------------------
Total (one-time, in Year 1).. .............. .............. 2,876 ............................. 250,212 hrs.; $23,019,504.
Total (ongoing, starting in .............. .............. 719 ............................. 59,677 hrs.; $5,490,284.
Year 2).
--------------------------------------------------------------------------------------------------------------------------------------------------------
[[Page 8168]]
49. The one-time burden (in Year 1) for the FERC-725B information
collection will be averaged over three years:
250,212 hours / 3 = 83,404 hours/year over Years 1-3
The number of one-time responses for the FERC-725B information
collection is also averaged over Years 1-3: 2,876 responses / 3 = 959
responses/year
50. The average annual number (for Years 1-3) of responses and
burden for one-time and ongoing burden will total:
1,678 responses [959 responses (one-time) + 719 responses
(ongoing)]
143,081 burden hours [83,404 hours (one-time) + 59,677 hours
(ongoing)] hours (ongoing)]
51. Title: Mandatory Reliability Standards for Critical
Infrastructure Protection [CIP] Reliability Standards.
Action: Revisions to FERC-725B information collection.
OMB Control No.: 1902-0248.
Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
Frequency of Responses: One-time and Ongoing.
Necessity of the Information: This final rule approves the
requested modifications to Reliability Standards pertaining to critical
infrastructure protection. As discussed above, the Commission approves
NERC's proposed Reliability Standard CIP-012-1 pursuant to section
215(d)(2) of the FPA because they improve upon the currently-effective
suite of cyber security Reliability Standards.
Internal Review: The Commission has reviewed the proposed
Reliability Standard and made a determination that its action is
necessary to implement section 215 of the FPA.
52. Interested persons may obtain information on the reporting
requirements by contacting the following: Federal Energy Regulatory
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen
Brown, Office of the Executive Director, email: [email protected],
phone: (202) 502-8663, fax: (202) 273-0873].
53. Please send comments concerning the collection of information
and the associated burden estimate to the Commission, and to the Office
of Management and Budget, Office of Information and Regulatory Affairs,
725 17th Street NW, Washington, DC 20503, Washington, DC 20503
[Attention: Desk Officer for the Federal Energy Regulatory Commission].
For security reasons, comments to OMB should be submitted by email to:
[email protected]. Comments submitted to OMB should include
FERC-725B (OMB Control No. 1902-0248).
IV. Environmental Analysis
54. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\62\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\63\ The actions proposed
herein fall within this categorical exclusion in the Commission's
regulations.
---------------------------------------------------------------------------
\62\ Regulations Implementing the National Environmental Policy
Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987).
\63\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------
V. Regulatory Flexibility Act Analysis
55. The Regulatory Flexibility Act of 1980 (RFA) generally requires
a description and analysis of proposed and final rules that will have
significant economic impact on a substantial number of small
entities.\64\ The Small Business Administration's (SBA) Office of Size
Standards develops the numerical definition of a small business.\65\
The SBA revised its size standard for electric utilities (effective
January 22, 2014) to a standard based on the number of employees,
including affiliates (from the prior standard based on megawatt hour
sales).\66\
---------------------------------------------------------------------------
\64\ 5 U.S.C. 601-12.
\65\ 13 CFR 121.101.
\66\ 13 CFR 121.201, Subsection 221.
---------------------------------------------------------------------------
56. Reliability Standard CIP-012-1 is expected to impose an
additional burden on 719 entities \67\ (reliability coordinators [RC],
generator operators [GOP], generator owners [GO], transmission
operators [TOP], balancing authorities [BA], and transmission owners
[TO]).
---------------------------------------------------------------------------
\67\ Public utilities may fall under one of several different
categories, each with a size threshold based on the company's number
of employees, including affiliates, the parent company, and
subsidiaries. These entities may be included in the SBA categories
for: Hydroelectric Power Generation, Fossil Fuel Electric Power
Generation, Nuclear Electric Power Generation, Solar Electric Power
Generation, Wind Electric Power Generation Geothermal Electric Power
Generation, Biomass Electric Power Generation, Other Electric Power
Generation, Biomass Electric Power Generation, or Electric Bulk
Power Transmission and Control. These categories have thresholds for
small entities varying from 250-750 employees. For the analysis in
this final rule, we are using a conservative threshold of 750
employees.
---------------------------------------------------------------------------
57. Of the 719 affected entities discussed above, we estimate that
approximately 82% percent of the affected entities are small entities.
We estimate that each of the 590 small entities to whom the
modifications to Reliability Standard CIP-012-1 apply will incur one-
time, non-paperwork cost in Year 1 of approximately $17,051, plus
paperwork cost in Year 1 of $32,016, giving a total cost in Year 1 of
$49,067. In Year 2 and Year 3, each entity will incur only the ongoing
annual paperwork cost of $7,594. We do not consider the estimated costs
for these 590 small entities to be a significant economic impact.
58. Accordingly, we certify that Reliability Standard CIP-012-1
will not have a significant economic impact on a substantial number of
small entities.
VI. Effective Date and Congressional Notification
59. This final rule is effective April 13, 2020. The Commission has
determined, with the concurrence of the Administrator of the Office of
Information and Regulatory Affairs of OMB, that this rule is not a
``major rule'' as defined in section 351 of the Small Business
Regulatory Enforcement Fairness Act of 1996. This final rule is being
submitted to the Senate, House, and Government Accountability Office.
VII. Document Availability
60. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
internet through the Commission's Home Page (https://www.ferc.gov) and
in the Commission's Public Reference Room during normal business hours
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A,
Washington, DC 20426.
61. From the Commission's Home Page on the internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number of this document, excluding the last three digits, in
the docket number field.
62. User assistance is available for eLibrary and the Commission's
website during normal business hours from the Commission's Online
Support at (202)502-6652 (toll free at 1-866-208-3676) or email at
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at
[email protected].
[[Page 8169]]
By the Commission.
Issued: January 23, 2020.
Kimberly D. Bose,
Secretary.
Note: The following Appendix will not appear in the Code of
Federal Regulations.
Appendix--Commenters
------------------------------------------------------------------------
Abbreviation Commenter
------------------------------------------------------------------------
Appelbaum.............................. Jonathan Appelbaum.
Bonneville............................. Bonneville Power
Administration.
IRC.................................... ISO/RTO Council.
Dr. Liu................................ Dr. Chen-Ching Liu.
NERC................................... North American Electric
Reliability Corporation.
Reclamation............................ Bureau of Reclamation.
Trade Associations..................... American Public Power
Association, Edison Electric
Institute, National Rural
Electric Cooperative
Association.
Tri-State.............................. Tri-State Generation and
Transmission Association, Inc.
------------------------------------------------------------------------
[FR Doc. 2020-02173 Filed 2-12-20; 8:45 am]
BILLING CODE 6717-01-P