Cybersecurity Incentives, 8309-8325 [2021-01986]

Agencies

• DEPARTMENT OF ENERGY
• Federal Energy Regulatory Commission

[Federal Register Volume 86, Number 23 (Friday, February 5, 2021)]
[Proposed Rules]
[Pages 8309-8325]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-01986]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / 
Proposed Rules

[[Page 8309]]



DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 35

[Docket No. RM21-3-000]


Cybersecurity Incentives

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of Proposed Rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Commission is proposing to revise its regulations to 
establish rules for incentive-based rate treatments for voluntary 
cybersecurity investments by a public utility for or in connection with 
the transmission or sale of electric energy subject to the jurisdiction 
of the Commission, and rates or practices affecting or pertaining to 
such rates for the purpose of ensuring the reliability of the Bulk-
Power System.

DATES: Comments are due April 6, 2021. Also, reply comments are due May 
6, 2021.

ADDRESSES: Comments, identified by docket number, may be filed 
electronically at https://www.ferc.gov in acceptable native applications 
and print-to-PDF, but not in scanned or picture format. For those 
unable to file electronically, comments may be filed by mail or may be 
hand-delivered. Mailed comments should be addressed to: Federal Energy 
Regulatory Commission, Secretary of the Commission, 888 First Street 
NE, Washington, DC 20426. Hand-delivered comments should be delivered 
to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, 
Rockville, Maryland 20852. The Comment Procedures Section of this 
document contains more detailed filing procedures.

FOR FURTHER INFORMATION CONTACT: 
Jessica L. Cockrell (Technical Information), Office of Energy Policy 
and Innovation, Federal Energy Regulatory Commission, 888 First Street 
NE, Washington, DC 20426, (202) 502-8190, [email protected]
Craig W. Barrett (Technical Information), Office of Energy 
Infrastructure Security, Federal Energy Regulatory Commission, 888 
First Street NE, Washington, DC 20426, (202) 502-8830, 
[email protected]
Andr[eacute]s L[oacute]pez Esquerra (Technical Information), Office of 
Electric Reliability, Federal Energy Regulatory Commission, 888 First 
Street NE, Washington, DC 20426, (202) 502-6128, [email protected]
Adam Batenhorst (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6150, [email protected]

SUPPLEMENTARY INFORMATION: 

Table of Contents

 
                                                         Paragraph Nos.
 
I. Introduction......................................                  1
II. Background.......................................                  5
    A. Critical Infrastructure Protection Reliability                  5
     Standards.......................................
    B. NIST Framework................................                 10
    C. Transmission Incentives Notice of Inquiry and                  12
     Rulemaking......................................
    D. Cybersecurity Incentives Policy White Paper...                 14
III. Need for Reform.................................                 17
IV. Discussion.......................................                 20
    A. Cybersecurity Incentives Framework............                 20
    B. Applicable Cybersecurity Investments..........                 21
        1. NERC CIP Incentives Approach..............                 22
        2. NIST Framework Approach...................                 32
    C. Incentives for Cybersecurity Investments......                 38
        1. ROE Adder.................................                 38
        2. Regulatory Asset Incentive................                 40
        3. Other Types of Incentives.................                 47
    D. Application Process...........................                 48
        1. NERC CIP Incentives Approach..............                 50
        2. NIST Framework Approach...................                 54
        3. ROE Adder.................................                 57
        4. Regulatory Asset Incentive................                 58
    E. Implementation................................                 59
        1. Incentive Duration........................                 59
        2. Informational Filing and Verification.....                 61
        3. Confidentiality Considerations............                 74
V. Information Collection Statement..................                 76
VI. Environmental Analysis...........................                 92
VII. Regulatory Flexibility Act......................                 93
VIII. Comment Procedures.............................                 97
IX. Document Availability............................                100
 


[[Page 8310]]

I. Introduction

    1. In this Notice of Proposed Rulemaking (NOPR), the Federal Energy 
Regulatory Commission (Commission) proposes under sections 205 and 206 
of the Federal Power Act (FPA) \1\ to establish rules for incentive-
based rate treatments for voluntary cybersecurity investments \2\ by a 
public utility.\3\ These rules would provide cybersecurity incentives 
to public utilities that make certain cybersecurity investments that go 
above and beyond the requirements of the CIP Reliability Standards,\4\ 
and materially enhance the cybersecurity posture of the Bulk-Power 
System \5\ by enhancing the applicants' cybersecurity posture 
substantially above levels required by CIP Reliability Standards, to 
the benefit of ratepayers.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824d, 824e.
    \2\ Voluntary cybersecurity investments refer to cybersecurity 
investments not required to meet mandatory North American Electric 
Reliability Corporation (NERC) Critical Infrastructure Protection 
Reliability Standards (CIP Reliability Standards).
    \3\ The proposed incentive-based treatments for cybersecurity 
investments would also be available to non-public utilities to the 
extent that they have Commission-jurisdictional rates.
    \4\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 73 FR 7367 (Feb. 7, 2008),122 FERC ] 
61,040, at P 1, order on reh'g and clarification, Order No. 706-A, 
123 FERC ] 61,174 (2008), order on clarification, Order No. 706-B, 
74 FR 12544 (Mar. 25, 2009), 126 FERC ] 61,229, order denying 
clarification, Order No. 706-C, 74 FR 30067 (June 24, 2009), 127 
FERC ] 61,273 (2009).
    \5\ Bulk-Power System is defined by FPA section 215 as 
facilities and control systems necessary for operating an 
interconnected electric energy transmission network (or any portion 
thereof), and electric energy from generation facilities needed to 
maintain transmission system reliability. The term does not include 
facilities used in the local distribution of electric energy. 16 
U.S.C. 825o(a).
---------------------------------------------------------------------------

    2. First, we propose to allow public utilities making certain 
cybersecurity investments to request an increase in the rate of return 
on equity (ROE) applicable to those capital investments. Such 
cybersecurity investments would include investments following specific 
CIP Reliability Standards and/or standards and guidelines from the 
National Institute of Standards and Technology (NIST) \6\ Framework.
---------------------------------------------------------------------------

    \6\ NIST is a part of the U.S. Department of Commerce that 
advances measurement science, standards, and technology. It has 
developed the voluntary Framework for Improving Critical 
Infrastructure Cybersecurity (NIST Framework) to ``address and 
manage cybersecurity risk in a cost-effective way based on business 
and organizational needs without placing additional regulatory 
requirements on businesses.'' NIST, Framework for Improving Critical 
Infrastructure Cybersecurity, at v (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
---------------------------------------------------------------------------

    3. Second, we propose to allow a public utility to seek deferred 
cost recovery for certain cybersecurity investments. We propose that 
only expenses for activities that go above and beyond actions required 
to comply with the CIP Reliability Standards be eligible for these 
incentives. Therefore, expenses incurred to comply with mandatory CIP 
Reliability Standards that a public utility incurs on a regular or 
ongoing basis, or that are incurred prior to the incentive request, 
would not be eligible for such regulatory asset treatment. We propose 
to allow deferred cost recovery for three categories of expenses: (1) 
Expenses associated with third-party provision of hardware, software, 
and computing networking services; (2) expenses for training to 
implement new cybersecurity enhancements undertaken pursuant to this 
rule; and (3) other implementation expenses, such as risk assessments 
\7\ by third parties or internal system reviews and initial responses 
to findings of such assessments. In all such cases, eligible costs 
would be limited to costs associated with implementing cybersecurity 
upgrades and would not include ongoing costs including system 
maintenance, surveillance, and other labor costs, either in the form of 
employee salaries or third-party service contracts. Furthermore, we 
propose that the deferred regulatory assets whose costs are typically 
expensed should be amortized over a five-year period.
---------------------------------------------------------------------------

    \7\ NIST, Framework for Improving Critical Infrastructure 
Cybersecurity, Version 1.1, at 26 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
---------------------------------------------------------------------------

    4. Finally, under the proposed regulations, a public utility 
seeking one or more incentive based-rate treatments proposed in the 
NOPR must make a filing for Commission approval pursuant to FPA section 
205 and receive such approval prior to implementing the proposed 
incentives in its Commission-jurisdictional rates.

II. Background

A. Critical Infrastructure Protection Reliability Standards

    5. On August 8, 2005, Congress enacted the Energy Policy Act of 
2005.\8\ The Energy Policy Act of 2005 added a new section 215 to the 
FPA,\9\ which requires a Commission-certified Electric Reliability 
Organization to develop mandatory and enforceable Reliability 
Standards,\10\ including requirements for cybersecurity protection, 
which are subject to Commission review and approval. Once approved, the 
Reliability Standards may be enforced by the Electric Reliability 
Organization subject to Commission oversight, or the Commission can 
independently enforce Reliability Standards.
---------------------------------------------------------------------------

    \8\ Energy Policy Act of 2005, Pub. L. 109-58, secs. 1261 et 
seq., 119 Stat. 594 (2005).
    \9\ 16 U.S.C. 824o.
    \10\ FPA section 215 defines Reliability Standard as a 
requirement, approved by the Commission, to provide for reliable 
operation of existing bulk-power system facilities, including 
cybersecurity protection, and the design of planned additions or 
modifications to such facilities to the extent necessary to provide 
for reliable operation of the Bulk-Power System. However, the term 
does not include any requirement to enlarge such facilities or to 
construct new transmission capacity or generation capacity. Id. at 
824o(a)(3).
---------------------------------------------------------------------------

    6. On February 3, 2006, the Commission issued Order No. 672,\11\ 
implementing FPA section 215. The Commission subsequently certified 
NERC as the Electric Reliability Organization. The Reliability 
Standards developed by NERC become mandatory and enforceable after 
Commission approval and apply to users, owners, and operators of the 
Bulk-Power System, as set forth in each Reliability Standard.\12\ The 
CIP Reliability Standards require entities to comply with specific 
requirements to safeguard critical cyber assets. These standards are 
results-based and do not specify a technology or method to achieve 
compliance, instead leaving it up to the entity to decide how best to 
comply.
---------------------------------------------------------------------------

    \11\ Rules Concerning Certification of the Elec. Reliability 
Org.; and Procedures for the Establishment, Approval, and Enf't of 
Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 
2006), 114 FERC ] 61,104, order on reh'g, Order No. 672-A, 71 FR 
19814 (Apr. 28, 2006), 114 FERC ] 61,328 (2006).
    \12\ NERC uses the term ``registered entity'' to identify users, 
owners, and operators of the Bulk-Power System responsible for 
performing specified reliability functions with respect to NERC 
Reliability Standards. See, e.g., Version 4 Critical Infrastructure 
Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 
25, 2012), 139 FERC ] 61,058, at P 46, order denying clarification 
and reh'g, 140 FERC ] 61,109 (2012). Within the NERC Reliability 
Standards are various subsets of entities responsible for performing 
various specified reliability functions. We collectively refer to 
these as ``entities.''
---------------------------------------------------------------------------

    7. On January 18, 2008, the Commission issued Order No. 706,\13\ 
approving the initial eight CIP Reliability Standards, CIP version 1 
Standards, submitted by NERC. Subsequently, the Commission has approved 
multiple versions of the CIP Reliability Standards submitted by NERC, 
partly to address the evolving nature of cyber-related threats to the 
Bulk-Power System. On November 22, 2013, the Commission issued Order 
No. 791,\14\ approving CIP version 5 Standards, the last major revision 
to the CIP Reliability Standards. The CIP version 5 Standards implement 
a tiered approach to categorize assets, identifying them as high, 
medium, or

[[Page 8311]]

low risk to the operation of the Bulk Electric System (BES) \15\ if 
compromised. High impact systems include large control centers. Medium 
impact systems include smaller control centers, ultra-high voltage 
transmission, and large substations and generating facilities. The 
remainder of the BES Cyber Systems \16\ are categorized as low impact 
systems. Most requirements in the CIP Reliability Standards apply to 
high and medium impact systems; however, a technical controls 
requirement in CIP-003, described below, applies only to low impact 
systems. Since 2013, the Commission has approved new and modified CIP 
Reliability Standards that address specific issues such as supply chain 
risk management, cyber incident reporting, communications between 
control centers, and the physical security of critical transmission 
facilities.\17\
---------------------------------------------------------------------------

    \13\ Order No. 706, 122 FERC ] 61,040 at P 1.
    \14\ Version 5 Critical Infrastructure Protection Reliability 
Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ] 
61,160 (2013), order on clarification and reh'g, Order No. 791-A, 
146 FERC ] 61,188 (2014).
    \15\ In general, NERC defines BES to include all Transmission 
Elements operated at 100 kV or higher and Real Power and Reactive 
Power resources connected at 100 kV or higher. This does not include 
facilities used in the local distribution of electric energy. See 
NERC, Bulk Electric System Definition Reference Document, Version 3, 
at page iii (August 2018). In Order No. 693, the Commission found 
that NERC's definition of BES is narrower than the statutory 
definition of Bulk-Power System. The Commission decided to rely on 
the NERC definition of BES to provide certainty regarding the 
applicability of Reliability Standards to specific entities. See 
Mandatory Reliability Standards for the Bulk-Power System, Order No. 
693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ] 61,218, at PP 75, 79, 
491, order on reh'g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 
120 FERC ] 61,053 (2007).
    \16\ NERC defines BES Cyber System as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' NERC, Glossary of 
Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). 
NERC defines BES Cyber Asset as
    A Cyber Asset that if rendered unavailable, degraded, or misused 
would, within 15 minutes of its required operation, misoperation, or 
non-operation, adversely impact one or more Facilities, systems, or 
equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable when needed, would affect the reliable operation of the 
Bulk Electric System. Redundancy of affected Facilities, systems, 
and equipment shall not be considered when determining adverse 
impact. Each BES Cyber Asset is included in one or more BES Cyber 
Systems.
     Id. at 4.
    \17\ See, e.g., Order No. 791, 78 FR 72755; Revised Critical 
Infrastructure Protection Reliability Standards, Order No. 822, 81 
FR 4177 (Jan. 26, 2016), 154 FERC ] 61,037, reh'g denied, Order No. 
822-A, 156 FERC ] 61,052 (2016); Revised Critical Infrastructure 
Protection Reliability Standard CIP-003-7--Cyber Security--Security 
Management Controls, Order No. 843, 163 FERC ] 61,032 (2018).
---------------------------------------------------------------------------

    8. The CIP Reliability Standards currently consist of 12 standards 
specifying a set of requirements that entities must follow to ensure 
the cyber and physical security of the Bulk-Power System. There are 10 
currently effective cybersecurity standards and one cybersecurity 
standard that has been approved by the Commission and will become 
enforceable on July 1, 2022. There is also one physical security 
standard, which is not the subject of this NOPR:\18\
---------------------------------------------------------------------------

    \18\ CIP-014-2--Physical Security: requires entities to identify 
and protect transmission stations and transmission substations, and 
their associated primary control centers, that, if rendered 
inoperable or damaged as a result of a physical attack, could result 
in instability, uncontrolled separation, or cascading within an 
interconnection.
---------------------------------------------------------------------------

     CIP-002-5.1a Bulk Electric System Cyber System 
Categorization: requires entities to identify and categorize BES Cyber 
Assets for the application of cyber security requirements commensurate 
with the adverse impact that loss, compromise, or misuse of those BES 
Cyber Systems could have on the reliable operation of the BES.
     CIP-003-8 Security Management Controls: Requires entities 
to specify consistent and sustainable security management controls that 
establish responsibility and accountability to protect BES Cyber 
Systems against compromise that could lead to misoperation or 
instability in the BES.
     CIP-004-6 Personnel and Training: Requires entities to 
minimize the risk against compromise that could lead to misoperation or 
instability in the BES from individuals accessing BES Cyber Systems by 
requiring an appropriate level of personnel risk assessment, training, 
and security awareness in support of protecting BES Cyber Systems.
     CIP-005-6 Electronic Security Perimeter(s): Requires 
entities to manage electronic access to BES Cyber Systems by specifying 
a controlled Electronic Security Perimeter in support of protecting BES 
Cyber Systems against compromise that could lead to misoperation or 
instability in the BES.
     CIP-006-6 Physical Security of Bulk Electric System Cyber 
Systems: Requires entities to manage physical access to BES Cyber 
Systems by specifying a physical security plan in support of protecting 
BES Cyber Systems against compromise that could lead to misoperation or 
instability in the BES.
     CIP-007-6 System Security Management: Requires entities to 
manage system security by specifying select technical, operational, and 
procedural requirements in support of protecting BES Cyber Systems 
against compromise that could lead to misoperation or instability in 
the BES.
     CIP-008-5 Incident Reporting and Response Planning: \19\ 
Requires entities to mitigate the risk to the reliable operation of the 
BES as the result of a cybersecurity incident by specifying incident 
response requirements.
---------------------------------------------------------------------------

    \19\ An update to CIP-008-6 Reliability Standard will become 
enforceable on January 1, 2021.
---------------------------------------------------------------------------

     CIP-009-6 Recovery Plans for Bulk Electric System Cyber 
Systems: Requires entities to recover reliability functions performed 
by BES Cyber Systems by specifying recovery plan requirements in 
support of the continued stability, operability, and reliability of the 
BES.
     CIP-010-3 Configuration Change Management and 
Vulnerability Assessments: Requires entities to prevent and detect 
unauthorized changes to BES Cyber Systems by specifying configuration 
change management and vulnerability assessment requirements in support 
of protecting BES Cyber Systems from compromise that could lead to 
misoperation or instability in the BES.
     CIP-011-2 Information Protection: Requires entities to 
prevent unauthorized access to BES Cyber System Information by 
specifying information protection requirements in support of protecting 
BES Cyber Systems against compromise that could lead to misoperation or 
instability in the BES.
     CIP-012-1 Communications between Control Centers: \20\ 
Requires entities to protect the confidentiality and integrity of Real-
time Assessment and Real-time monitoring data transmitted between 
Control Centers.
---------------------------------------------------------------------------

    \20\ CIP-012-1: Communications between Control Centers will be 
subject to enforcement by July 1, 2022.
---------------------------------------------------------------------------

     CIP-013-1 Supply Chain Risk Management: Requires entities 
to mitigate cybersecurity risks to the reliable operation of the BES by 
implementing security controls for supply chain risk management of BES 
Cyber Systems.
    9. The CIP Reliability Standards, viewed as a whole, implement a 
defense-in-depth approach to protecting the security of BES Cyber 
Systems at all impact levels.\21\ The CIP Reliability Standards are 
objective-based and allow entities to choose compliance approaches best 
tailored to their systems.\22\
---------------------------------------------------------------------------

    \21\ Order No. 822, 154 FERC ] 61,037 at 32.
    \22\ Order No. 706, 122 FERC ] 61,040 at 72.
---------------------------------------------------------------------------

B. NIST Framework

    10. The Cybersecurity Enhancement Act of 2014 (Cybersecurity Act) 
\23\ updated the role of the NIST to include identifying and developing 
cybersecurity risk frameworks for voluntary use by critical 
infrastructure owners and operators. Under the Cybersecurity Act, NIST 
must identify a

[[Page 8312]]

prioritized, flexible, repeatable, performance-based, and cost-
effective approach, including information security measures and 
controls, that may be voluntarily adopted by owners and operators of 
critical infrastructure to help them identify, assess, and manage cyber 
risks.\24\
---------------------------------------------------------------------------

    \23\ 15 U.S.C. 272(e)(1)(A)(i).
    \24\ 15 U.S.C. 272 (e)(1)(A)(iii). Security Controls is defined 
as follows: The management, operational, and technical controls 
(i.e., safeguards or countermeasures) prescribed for an information 
system to protect the confidentiality, integrity, and availability 
of the system and its information. NIST, Computer Security Resource 
Center Glossary, https://csrc.nist.gov/glossary/term/security_controls.
---------------------------------------------------------------------------

    11. As noted above, NIST implements the Cybersecurity Act through 
its NIST Framework,\25\ which provides a common organizing structure 
for multiple approaches to cybersecurity by assembling standards, 
guidelines, and practices that are currently working effectively in 
industry.\26\ The Cybersecurity Framework incorporates voluntary 
consensus standards and industry best practices to the fullest extent 
possible.\27\ The NIST Framework consists of three parts: Framework 
Core; Implementation Tiers; and Framework Profiles.\28\ The Framework 
Core is a set of cybersecurity activities, outcomes, and informative 
references that are common across sectors and critical infrastructure. 
Elements of the Framework Core provide detailed guidance for developing 
individual Framework Profiles.\29\ Through use of Framework Profiles, 
the NIST Framework is designed to help an organization to align and 
prioritize its cybersecurity activities with its business/mission 
requirements, risk tolerances, and resources. The Implementation Tiers 
provide a mechanism for an organization to view and understand the 
characteristics of its approach to managing cybersecurity risk, which 
is designed to help in prioritizing and achieving cybersecurity 
objectives.\30\ The Framework Core consists of five concurrent and 
continuous Functions--Identify, Protect, Detect, Respond, and Recover. 
When considered together, these Functions provide a high-level, 
strategic view of the lifecycle of an organization's management of 
cybersecurity risk.\31\
---------------------------------------------------------------------------

    \25\ Version 1.0 of the NIST Framework was released in 2014, and 
subsequently replaced with version 1.1 in 2018.
    \26\ NIST, Framework for Improving Critical Infrastructure 
Cybersecurity, Version 1.1, at v (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
    \27\ See Executive Order No. 13636, Improving Critical 
Infrastructure Cybersecurity, 78 FR 11737 (Feb. 19, 2013).
    \28\ NIST Framework at v.
    \29\ Id.
    \30\ Id.
    \31\ Id. at 3.
---------------------------------------------------------------------------

C. Transmission Incentives Notice of Inquiry and Rulemaking

    12. On March 21, 2019, the Commission issued a Notice of Inquiry 
seeking comment on the scope and implementation of its electric 
transmission incentives policy \32\ to ensure that the policy continues 
to satisfy its obligations under FPA section 219.\33\ The Notice of 
Inquiry included numerous questions regarding the Commission's approach 
to, and the objectives of, its transmission incentives policy; the 
mechanics and implementation of a transmission incentives policy; and 
metrics for evaluating the effectiveness of transmission incentives. As 
related to this proceeding, the Commission requested comment on whether 
it should incent physical and cybersecurity enhancements at 
transmission facilities and, if so, what types of security investments 
should qualify for transmission incentives.\34\
---------------------------------------------------------------------------

    \32\ Inquiry Regarding the Commission's Electric Transmission 
Incentives Policy, 166 FERC ] 61,208 (2019) (2019 Notice of 
Inquiry).
    \33\ 16 U.S.C. 824s.
    \34\ 2019 Notice of Inquiry, 166 FERC ] 61,208 at P 27.
---------------------------------------------------------------------------

    13. On March 20, 2020, the Commission issued a Notice of Proposed 
Rulemaking on several topics considered in the 2019 Notice of 
Inquiry.\35\ In the Transmission Incentives NOPR, the Commission 
acknowledged that, although reliability is clearly delineated as a 
benefit to be promoted by transmission incentives, there are differing 
mandates for promoting reliability under FPA sections 215 and 219. 
Further, the Commission stated that cybersecurity is an important part 
of reliability and indicated that it would address cybersecurity 
incentives independently in a separate, future proceeding.\36\
---------------------------------------------------------------------------

    \35\ Electric Transmission Incentives Policy Under Section 219 
of the Federal Power Act, 85 FR 18784 (Apr. 2, 2020), 170 FERC ] 
61,204, errata notice, 171 FERC ] 61,072 (2020) (Transmission 
Incentives NOPR).
    \36\ 2019 Notice of Inquiry, 166 FERC ] 61,208 at P 5.
---------------------------------------------------------------------------

D. Cybersecurity Incentives Policy White Paper

    14. On June 18, 2020, Commission staff issued a white paper to 
explore a new framework for providing transmission incentives to public 
utilities for cybersecurity investments that produce significant 
cybersecurity benefits for actions taken that exceed the requirements 
of the CIP Reliability Standards.\37\ In the White Paper, Commission 
staff discussed augmenting the current CIP Reliability Standards under 
FPA section 215 with an incentive-based framework under FPA section 219 
that encourages public utilities to undertake cybersecurity investments 
on a voluntary basis. Commission staff reasoned that this framework 
would incent a public utility to adopt best practices to protect its 
own transmission system as well as improve the security of the BES. 
Further, Commission staff stated that the framework could allow the 
electric industry to be more agile in monitoring and responding to new 
and evolving cybersecurity threats, to identify and respond to a wider 
range of threats, and to address threats with comprehensive and more 
effective solutions. Commission staff reasoned that an incentive-based 
framework would allow a public utility to tailor its request for 
incentives to the potential challenges it faces and take responsive 
action. Commission staff explained that, in the future, these voluntary 
actions taken by public utilities, if proven beneficial, could be the 
basis of future CIP Reliability Standards that would be mandatory.\38\
---------------------------------------------------------------------------

    \37\ Cybersecurity Incentives Policy White Paper, Notice of 
White Paper, Docket No. AD20-19-000 (issued June 18, 2020) (White 
Paper).
    \38\ Id. at 12-13.
---------------------------------------------------------------------------

    15. Commission staff stated that providing transmission incentives 
for cybersecurity investments would require a new framework for the 
Commission to evaluate requests from public utilities for transmission 
incentives. Commission staff opined that a first necessary step would 
be to establish approaches that examine the effectiveness of 
cybersecurity investments in enabling the public utility to achieve a 
level of protection that exceeds the CIP Reliability Standards and also 
enhances the security of its transmission system. Commission staff 
stated that a public utility would then be able to identify the 
cybersecurity investments for which it seeks transmission incentives 
with the Commission evaluating such transmission incentive requests.
    16. In the White Paper, Commission staff provided two potential 
approaches for identifying cybersecurity investments eligible for 
transmission incentives. The first approach was based on a public 
utility voluntarily applying certain CIP Reliability Standard 
requirements to transmission facilities that are not subject to those 
requirements, e.g., applying all requirements applicable to medium or

[[Page 8313]]

high impact systems to low impact systems. The second approach was 
based on a public utility voluntarily implementing portions of the NIST 
Framework. Commission staff suggested that the two approaches could be 
used independently or in combination.\39\
---------------------------------------------------------------------------

    \39\ Commission staff noted that, under this potential approach, 
although a public utility could request a combination of incentives 
for its facility containing multiple assets, each individual asset 
would be eligible for only one cybersecurity incentive at a time.
---------------------------------------------------------------------------

III. Need for Reform

    17. We recognize that the energy sector faces numerous and complex 
cybersecurity challenges. These growing threats come at a time of both 
great change in the operation of the transmission system and an 
increase in the number and nature of attack methods.\40\ Encouraging 
utilities to address cybersecurity of the Bulk-Power System is uniquely 
important given the degree to which components of the Bulk-Power System 
are digitally interconnected with one another and the ever-expanding 
risks posed by adversaries create challenges for those tasked with 
defending those interconnections from cyber exploitation. In addition, 
a cybersecurity breach could have exponential effects on the Bulk-Power 
System. As the operating environment continues to change, there is the 
potential for increased vulnerabilities and amplification of 
cybersecurity threats to the Bulk-Power System. For example, as the 
Commission has previously explained, the global supply chain affords 
significant benefits to customers, including low cost, 
interoperability, rapid innovation, and a variety of product 
features.\41\ Despite these benefits, the global supply chain creates 
opportunities for adversaries to directly or indirectly affect the 
management or operation of companies with potential risks to end users 
that could introduce new unintended threats to the system and 
necessitate rapid mitigating actions.\42\ Further, the COVID-19 
national emergency \43\ prompted many organizations to revise their 
operations to support an increased number of remote workers. The rapid 
expansion of teleworking capabilities revealed potential 
vulnerabilities, and some identified cybersecurity events specifically 
targeting remote access network equipment.\44\ It is important that 
public utilities make cybersecurity investments to quickly and 
effectively address these cybersecurity challenges as well as other 
emerging threats. Therefore, the Commission has concluded that, given 
the unique importance of protecting the cybersecurity of the Bulk-Power 
System, it is appropriate to provide incentives for public utility 
cybersecurity investment as proposed in this NOPR.
---------------------------------------------------------------------------

    \40\ See, e.g., Eversource Energy Serv. Co., Comments, Docket 
No. Public Law 19-3-000, at 29-30 (filed June 26, 2019) (noting that 
market operations are becoming increasingly more complex at the same 
time that there is an increasing cybersecurity threat to the 
operation and control of the transmission system).
    \41\ See, e.g. Revised Critical Infrastructure Protection 
Reliability Standards, Notice of Proposed Rulemaking, 80 FR 43354, 
152 FERC ] 61,054, at PP 61-62 (2015).
    \42\ Supply Chain Risk Management Reliability Standards, Order 
No. 850, 165 FERC ] 61,020, at P 2 (2018).
    \43\ The Secretary of Health and Human Services declared a 
public health emergency on January 31, 2020, under section 319 of 
the Public Health Service Act (42 U.S.C. 247d), in response to 
COVID-19.
    \44\ Cybersecurity and Infrastructure Security Agency, National 
Cyber Awareness System Alerts, COVID-19 Exploited by Malicious Cyber 
Actors (Alert AA20-099A) (Apr. 8, 2020), https://us-cert.cisa.gov/
ncas/alerts/
aa20099a#:~:text=Both%20CISA%20and%20NCSC%20are,threat%20to%20individ
uals%20and%20organizations.
---------------------------------------------------------------------------

    18. Section 215 of the FPA and the CIP Reliability Standards 
promulgated under that statute have served as the Commission's primary 
tools for mandating changes to cybersecurity practices within the 
electric sector. As required by FPA section 215, the Commission's 
mandatory CIP Reliability Standards provide for the reliable operation 
of the Bulk-Power System.\45\ Although the CIP Reliability Standards 
offer protection of the BES \46\ and improve the baseline cybersecurity 
posture of entities,\47\ they have certain limitations. For example, it 
can take many months for a new Reliability Standard to be developed 
and, once approved, it may be several more months or years before a 
Reliability Standard is fully implemented and enforceable.\48\ Further, 
the Bulk-Power System relies on the interdependence of connected 
networks and equipment; because the CIP Reliability Standards apply to 
BES facilities, which are generally 100 kV or higher as identified in 
CIP-002, not all cybersecurity systems are covered by these standards. 
Thus, while there are limits to how quickly CIP Reliability Standards 
can become mandatory and enforceable as well as limits to what the CIP 
Reliability Standards can cover, the cybersecurity threats public 
utilities face evolve and arise on their own timeframe. For these 
reasons, we believe that an effective strategy against emerging 
cybersecurity threats includes not only requiring public utilities to 
comply with the mandatory CIP Reliability Standards but also 
encouraging public utilities to make cybersecurity investments in 
addition to those required by the CIP Reliability Standards. We propose 
to do this by providing incentives to public utilities that voluntarily 
make certain cybersecurity investments above and beyond those 
investments required by the CIP Reliability Standards. The Commission 
proposes taking a two-prong approach to cybersecurity, which includes 
both mandatory CIP Reliability Standards and a cybersecurity incentives 
framework. This approach would encourage public utilities to increase 
the protection of their systems against cybersecurity threats. 
Currently, public utilities may not have the appropriate economic 
incentives to invest in cybersecurity measures that go above and beyond 
the mandatory CIP Reliability Standards. The cybersecurity incentives 
outlined in this NOPR strive to incent public utilities to use known, 
effective, and dynamic solutions to cybersecurity threats for the 
benefit of ratepayers.
---------------------------------------------------------------------------

    \45\ FPA section 215(a)(3) provides that the term reliability 
standard means a requirement, approved by the Commission under this 
section, to provide for reliable operation of the bulk-power system.
    \46\ Order No. 791, 145 FERC ] 61,160 at PP 2, 41.
    \47\ Order No. 822, 154 FERC ] 61,037 at 2.
    \48\ See, e.g., Am. Elec. Power, Inc., Comments, Docket No. 
PL19-3-000, at 13-14 (filed June 26, 2019) (noting that there is a 
potential gap between the dynamic threats faced by the energy 
industry and the CIP Reliability Standards development and 
compliance process, which sets the rules for minimum compliance).
---------------------------------------------------------------------------

    19. Given that cybersecurity investments can be made to more than a 
public utility's transmission system, we find that basing our 
incentives framework under this proposal on our transmission incentives 
authority under FPA section 219, as considered in the White Paper, may 
unnecessarily limit the application of an effective cybersecurity 
incentives framework and, thereby, limit possible cybersecurity 
investment. Creating an incentive-based approach under FPA sections 205 
and 206 that encourages public utilities to undertake cybersecurity 
investments on a voluntary basis that are above and beyond the 
requirements of the mandatory CIP Reliability Standards better ensures 
secure service for ratepayers. This approach would incent a public 
utility to adopt cybersecurity practices that would not only better 
protect its own systems but also improve the security of the Bulk-Power 
System. For example, the expansion of network monitoring provides the 
potential integration of all aspects of Bulk-Power System security to 
include physical access control, equipment status indicators, and 
system performance monitoring. This provides

[[Page 8314]]

for improved incident response time, pre-emptive planning, and system 
optimization. Further, relying on FPA sections 205 and 206 would allow 
public utilities to be more agile in monitoring and responding to new 
and unanticipated cybersecurity threats, to identify and respond to a 
wider range of threats, and to address threats with comprehensive and 
more effective solutions. An incentive-based approach allows a public 
utility to tailor its request for incentives to the potential 
challenges and responsive actions that it faces. Finally, while we 
recognize that granting incentives to a public utility under this 
proposal will have an impact on the public utility's rates, we believe 
that such impact, over time, will be outweighed by the public utility 
having a more secure grid and services for the benefit of ratepayers.

IV. Discussion

A. Cybersecurity Incentives Framework

    20. Pursuant to FPA sections 205 and 206,\49\ we propose to add 
Sec.  35.48 to the Commission's regulations to establish rules to 
provide incentive-based rate treatments for voluntary cybersecurity 
investments made by a public utility for or in connection with the 
transmission or sale of electric energy subject to the jurisdiction of 
the Commission. FPA sections 205 and 206 give the Commission authority 
over the rates of a public utility for or in connection with the 
transmission or sale of electric energy subject to the Commission's 
jurisdiction.\50\ The Commission's FPA section 205 and 206 authority is 
broader than the Commission's authority under FPA section 219. FPA 
section 219 requires the Commission to issue a rule that provides 
incentive rate treatment for the transmission of electric energy in 
interstate commerce by public utilities for the purpose of benefitting 
consumers by ensuring reliability and reducing the cost of delivered 
power by reducing transmission congestion.\51\ However, in this NOPR 
the Commission is proposing to provide incentives for a different 
purpose under a different section of the FPA: To provide incentives for 
cybersecurity investment not only in transmission facilities but also 
for cybersecurity investment in information technology and operational 
technology \52\ networks that a public utility uses to provide other 
jurisdictional services. Reliance on FPA sections 205 and 206, 
therefore, allows for a more comprehensive way to encourage 
cybersecurity investment than is available under FPA section 219. We 
believe that this comprehensive approach is warranted because 
cybersecurity threats to a public utility's system can come in a 
variety of forms, such as through a public utility's information 
technology and management systems, and not just through a public 
utility's systems that directly operate its transmission facilities. In 
addition, the means a public utility may need to use to protect against 
cybersecurity intrusions that may harm its jurisdictional system may 
not be limited to steps to protect the public utility's systems that 
run its transmission assets. Incentive ratemaking to encourage 
cybersecurity investments for not only those systems that are used to 
directly operate a public utility's transmission system but also other 
systems used for the provision of jurisdictional services is consistent 
with our general ratemaking authority under FPA sections 205 and 206 
under which we may depart from cost-of-service ratemaking.\53\ We 
believe that this action is appropriate to facilitate increased 
cybersecurity investment, and that the resulting rates will be just and 
reasonable.
---------------------------------------------------------------------------

    \49\ 16 U.S.C. 824d(a).
    \50\ 16 U.S.C. 824d(a) (FPA section 205(a) provides that all 
rates and charges made, demanded, or received by any public utility 
for or in connection with the transmission or sale of electric 
energy subject to the jurisdiction of the Commission, and all rules 
and regulations affecting or pertaining to such rates or charges 
shall be just and reasonable); see also FERC v. Elec. Power Supply 
Ass'n, 136 S. Ct. 760, 774 (2016) (stating the Commission's FPA 
section 205 and 206 jurisdiction extends to practices that directly 
affect Commission-jurisdictional rates and that are not otherwise 
expressly excluded from the Commission's jurisdiction).
    \51\ 16 U.S.C. 824s(a).
    \52\ Operational technology is defined as programmable systems 
or devices that interact with the physical environment (or manage 
devices that interact with the physical environment). These systems/
devices detect or cause a direct change through the monitoring and/
or control of devices, processes, and events. Examples include 
industrial control systems, building management systems, fire 
control systems, and physical access control mechanisms. NIST, 
Computer Security Resource Center Glossary, https://csrc.nist.gov/glossary/term/operational_technology.
    \53\ Incentive Ratemaking for Interstate Natural Gas Pipelines, 
Oil Pipelines, & Elec. Utilities, 61 FERC ] 61,168, at 61,594 
(1992); see also Farmers Union Cent. Exchange, Inc. v. FERC, 734 
F.2d 1486, 1503-04 (D.C. Cir. 1984) (``In some circumstances, the 
contrasting or changing characteristics of regulated industries may 
justify the agency's decision to take a new approach to the 
determination of `just and reasonable' rates.'').
---------------------------------------------------------------------------

B. Applicable Cybersecurity Investments

    21. We propose to add Sec.  35.48(b) to the Commission's 
regulations to authorize incentive-based rate treatments for a public 
utility that makes voluntary cybersecurity investments in the Bulk-
Power System, provided that the proposed incentive is just and 
reasonable and not unduly discriminatory or preferential.
1. NERC CIP Incentives Approach
    22. We propose to add Sec.  35.48(b)(1) to the Commission's 
regulations to provide that a public utility may receive incentive rate 
treatment for voluntarily applying identified CIP Reliability Standards 
to facilities that are not currently subject to those requirements 
(NERC CIP Incentives Approach). Using the existing CIP Reliability 
Standards as a framework for providing cybersecurity incentives allows 
the Commission to leverage an existing set of baseline cybersecurity 
requirements. Further, public utilities and the Commission are already 
familiar with the CIP Reliability Standards and encouraging public 
utilities to voluntarily apply known standards to additional facilities 
will establish a benchmark for determining eligibility for an 
incentive.
    23. As discussed above, CIP-002 (Bulk Electric System Cyber System 
Categorization) implements a tiered approach to categorizing assets, 
requiring an entity to categorize its cyber assets as high, medium, or 
low risk to the reliable operation of the BES if compromised. These 
impact ratings determine which requirements in the CIP Reliability 
Standards CIP-003 though CIP-013 apply to BES Cyber Systems.
    24. The CIP version 5 Standards became enforceable for high and 
medium impact BES Cyber Systems on July 1, 2016, and the CIP 
Reliability Standards applicable to low impact BES Cyber Systems became 
enforceable on April 1, 2020. In approving the CIP version 5 Standards, 
the Commission determined that ``categorizing BES Cyber Systems based 
on their low, medium, or high impact on the reliable operation of the 
BES, with all BES Cyber Systems being categorized as at least low 
impact, offers more comprehensive protection of the bulk electric 
system'' and that ``the new cybersecurity controls improve the security 
posture of responsible entities.'' \54\
---------------------------------------------------------------------------

    \54\ Order No. 791, 145 FERC ] 61,160 at P2.
---------------------------------------------------------------------------

    25. We propose two ways for a public utility to demonstrate that it 
is eligible for a cybersecurity incentive through voluntary investment 
in applying the requirements of the CIP Reliability Standards to 
additional facilities. Public utilities that choose to request the 
proposed incentives under the NERC CIP Incentives Approach will receive 
a rebuttable presumption that the investments materially enhance the 
security posture of the Bulk-Power System by enhancing the applicants'

[[Page 8315]]

cybersecurity posture substantially above levels required by CIP 
Reliability Standards to merit an incentive for such cybersecurity 
investments.\55\
---------------------------------------------------------------------------

    \55\ We do not propose that NERC will have any role in 
monitoring or reviewing the implementation of voluntary incentives 
or otherwise participating in this incentives program.
---------------------------------------------------------------------------

a. Med/High Incentive
    26. We propose to add Sec.  35.48(b)(1)(i) to the Commission's 
regulations to allow a public utility to receive incentive rate 
treatment for voluntarily applying the requirements for medium or high 
impact systems to low impact systems, and/or the requirements for high 
impact systems to medium impact systems (Med/High Incentive).
    27. Under the Med/High Incentive, a public utility seeking a 
cybersecurity incentive for a facility that is classified as a low 
impact BES Cyber System would invest in ways to make that facility meet 
all the requirement and sub-requirement protections applicable to 
medium or high impact BES Cyber Systems. Also, under the Med/High 
incentive, a public utility seeking a cybersecurity incentive for a 
facility classified as a medium impact BES Cyber System would invest in 
ways to make that facility meet all the requirement and sub-requirement 
protections applicable to high impact BES Cyber Systems. The public 
utility could choose to apply the medium and/or high impact 
requirements to some or all of its low or medium impact BES Cyber 
Systems, and would receive incentives only for the investments it makes 
to apply the more stringent protections.
b. Hub-Spoke Incentive
    28. We propose to add Sec.  35.48(b)(1)(ii) to the Commission's 
regulations to allow a public utility to receive incentive rate 
treatment for voluntarily ensuring that all external routable 
connectivity \56\ to and from the low impact system connect to a high 
or medium impact BES Cyber System (Hub-Spoke Incentive). Under the Hub-
Spoke Incentive, a public utility is eligible for incentives if its 
investment applies CIP Reliability Standard security controls inherited 
from a high or medium impact BES Cyber System at locations containing 
low impact BES Cyber Systems by ensuring all external routable 
connectivity to and from the low impact system connect to a high or 
medium impact BES Cyber System.
---------------------------------------------------------------------------

    \56\ NERC defines external routable connectivity as ``the 
ability to access a BES Cyber System from a Cyber Asset that is 
outside of its associated Electronic Security Perimeter via a bi-
directional routable protocol connection.'' NERC, Glossary of Terms 
Used in NERC reliability Standards (2020), https://www.nerc.com/files/glossary_of_terms.pdf.
---------------------------------------------------------------------------

    29. Under the Hub-Spoke Incentive, all the cyber communications to 
and from a low impact system location must connect to a medium or high 
impact BES Cyber System and the cyber communication security controls 
required for the medium or high impact BES Cyber System must be 
implemented on the low impact system.\57\ Therefore, the cyber 
communication would be protected at a higher security level before 
being transmitted to or received by the low impact BES Cyber System. 
Thus, low impact BES Cyber Systems would inherit the higher security 
posture of either the medium or high impact controls.
---------------------------------------------------------------------------

    \57\ See proposed Sec.  35.48(b)(1)(ii).
---------------------------------------------------------------------------

c. Other Considerations
    30. Nothing in this proposal modifies a public utility's obligation 
to comply with all the mandatory NERC Reliability Standard obligations 
for its low, medium, and high impact BES Cyber Systems. A public 
utility requesting incentive rate treatment for voluntarily applying 
the CIP Reliability Standards requirements, as discussed above, will 
not be subject to penalties from the Commission for failing to 
voluntarily follow the CIP Reliability Standards. However, if the 
Commission approves a public utility's request for cybersecurity 
incentives pursuant to either the Med/High or Hub-Spoke Incentive and 
the public utility subsequently ceases to implement the CIP Reliability 
Standards consistent with the order approving the application, we 
propose that the public utility would not be able to receive the 
incentive for the period during which it is not implementing the CIP 
Reliability Standards consistent with the order approving the 
application.
    31. Additionally, since the NERC CIP Incentives Approach is based 
on a public utility making voluntary cybersecurity investments based on 
the CIP Reliability Standards as they exist at the time of the 
investment, we propose that the determination of the types of 
cybersecurity incentives that a public utility would be eligible for 
would reflect the currently enforceable version of the CIP Reliability 
Standards at the time the public utility submits a request for 
incentives. As discussed in section IV.E.1 (Incentive Duration), where 
NERC publicly announces that it is considering making certain 
cybersecurity activities or investments mandatory through issuing a 
standard authorization request,\58\ a public utility would still be 
eligible to receive incentives until the requirements become mandatory 
and enforceable.
---------------------------------------------------------------------------

    \58\ A standard authorization request is the form used to 
document the scope and reliability benefit of a proposed project for 
one or more new or modified Reliability Standards or definitions, as 
well as document the benefit of retiring one or more approved 
Reliability Standards. NERC, Standard Authorization Request (SAR), 
https://www.nerc.com/pa/Stand/Pages/SARs.aspx.
---------------------------------------------------------------------------

2. NIST Framework Approach
    32. We propose to add Sec.  35.48(b)(2) to the Commission's 
regulations to provide that a public utility may receive incentive rate 
treatment for implementing certain security controls included in the 
NIST Framework (NIST Framework Approach). The Commission would evaluate 
a public utility's application for cybersecurity investments that 
implement security controls in the NIST Framework to determine whether 
the cybersecurity investments go above and beyond the CIP Reliability 
Standards and are eligible for incentives. Through the NIST Framework 
Approach, public utilities have the flexibility of non-prescriptive 
implementation options to go above and beyond the CIP Reliability 
Standards.
    33. Although the NIST Framework contains many types of security 
controls, we propose to limit eligibility for cybersecurity incentives 
to the types of controls that are most likely to provide a significant 
benefit to the cybersecurity of Commission-jurisdictional transmission 
facilities, not just the BES. In the White Paper, Commission staff 
identified five types of security controls included in the NIST 
Framework that may be considered for incentives under the NIST 
Framework approach: (1) Automated and continuous monitoring; (2) access 
control; (3) data protection; (4) incident response; and (5) physical 
security of cyber systems. Commission staff also acknowledged that, 
given the continuous and rapid changes in cybersecurity risks, the 
Commission may need to periodically update the types of security 
controls eligible for incentives.\59\ In proposing the NIST Framework 
Approach, we propose to initially only consider incentives that fall 
within the first type of security controls, automated and continuous 
monitoring. For example, continuous monitoring tools that utilize 
automated features for pulling information from a variety of sources or 
that allow for data consolidation into Security Information and Event 
Management tools would

[[Page 8316]]

qualify as automated and continuous monitoring security controls.\60\ 
While this will limit the NIST Framework security controls eligible for 
incentives at this time, the Commission considers this to be an 
important next step in encouraging cybersecurity investments and may 
consider additional security control types in the future.
---------------------------------------------------------------------------

    \59\ White Paper at 19.
    \60\ NIST, Information Security Continuous Monitoring for 
Federal Information Systems and Organizations, NIST Special 
Publication 800-137, at 13 (Sep. 2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
---------------------------------------------------------------------------

    34. Under this proposal, one example of an investment that could 
warrant an incentive as automated and continuous monitoring would be 
for a public utility to install a dynamic asset management program to 
improve its ability to quickly detect and address new or previously 
unknown equipment on its network. Unknown and unattended equipment can 
present significant vulnerabilities and threats to both the information 
technology and operational technology networks. Implementing a process 
that automatically and continuously scans the current inventory of 
hardware and software across both the information technology and 
operational technology networks can identify, block, log and report any 
unauthorized access.
    35. Another example of an automated and continuous monitoring 
investment eligible for an incentive is the implementation of a dynamic 
file analysis program or a ``sandbox.'' One deployment of a sandbox is 
as an automated malware detection environment that continuously scans 
email attachments and weblinks in the corporate email system for 
malicious code. When malicious code is detected, a sandbox blocks 
delivery to the end user in real time and automatically issues an alert 
to the security team. Malicious code deployed in the sandbox will 
potentially be activated when placed there, but it will be isolated 
from the information technology and operational technology networks, 
thereby protecting the networks while alerting the public utility to 
the threat. The deployment of sandboxes enhances the ability of a 
public utility to detect and prevent the delivery of malicious code, 
disrupts social engineering attacks on users, and tests software for 
dangerous behavior. Further, the ability to perform post-incident 
forensic triage and analysis enables public utilities to establish the 
root causes of an event, identify related vulnerabilities, and mitigate 
associated risks in an expedited manner to optimize long-term 
operational capabilities.
    36. As discussed below, public utilities seeking an incentive under 
this approach would need to show how a cybersecurity investment, for 
example, in physical components, software, licensing for cybersecurity 
enhancements as well as operational costs such as contracts with 
security providers, third-party incident responders, and third-party 
security operations centers, allows the public utility to meet NIST 
Framework security controls, as identified above, will go above and 
beyond the requirements of the CIP Reliability Standards, and 
materially enhance the current cybersecurity posture of the Bulk-Power 
System by enhancing the applicants' cybersecurity posture substantially 
above levels required by CIP Reliability Standards, to the benefit of 
ratepayers. As the Commission evaluates incentive applications, we will 
remain cognizant of ongoing changes to the CIP Reliability Standards, 
the NIST Framework, and underlying referenced security controls.
    37. As with the NERC CIP Incentives Approach, if a public utility 
ceases to maintain the cybersecurity posture associated with the 
Commission's order approving its NIST Framework Approach incentives 
application, the public utility would not be able to receive the 
incentive for the period during which it is not implementing the CIP 
Reliability Standards as described in the Commission's order approving 
its application.

C. Incentives for Cybersecurity Investments

1. ROE Adder
    38. We propose to add Sec.  35.48(c)(1) to the Commission's 
regulations to allow a public utility that makes eligible cybersecurity 
capital investments, as more fully described above, to request an ROE 
adder of 200 basis points (Cybersecurity ROE Incentives) for those 
eligible cybersecurity investments. This ROE incentive will encourage 
public utilities to proactively make additional investments in 
cybersecurity systems. We believe that such a 200-basis point adder is 
appropriate to provide a meaningful incentive to encourage public 
utilities to improve their systems' cybersecurity. For example, we note 
that given the relatively small size of such investments, compared to 
conventional transmission projects, the dollar amounts provided under 
the incentives should not have a burdensome effect on the public 
utility's rates. Yet, the benefit to the system, and ultimately to rate 
payers, by this additional investment will provide additional 
cybersecurity protections that could have a large impact on the public 
utility's system by allowing it to better detect and address 
cybersecurity threats to the Bulk-Power System. The total cybersecurity 
incentives requested would be capped at the zone of reasonableness.\61\ 
Additionally, we find that the same expenditures should not be eligible 
for both the Cybersecurity ROE Incentives and the Regulatory Asset 
Incentives discussed below. Given that regulatory asset treatment is 
available to costs that are normally treated as expenses, as discussed 
below, we believe that it is unnecessary to incent investment to also 
enable deferred costs that would otherwise be expensed to receive this 
200 basis-point incentive. We propose that public utilities only be 
eligible to receive the Cybersecurity ROE Incentive as a cybersecurity 
incentive for capital investments.
---------------------------------------------------------------------------

    \61\ In the Transmission Incentives NOPR the Commission proposes 
that, under FPA section 219, the Commission may approve a rate that 
exceeds the zone of reasonableness to further the purposes of that 
statutory provision. In this NOPR, however, the Commission is acting 
under FPA sections 205 and 206.
---------------------------------------------------------------------------

    39. Transmission-specific investments based on the NERC CIP 
Incentives Approach and the NIST Framework Approach may be eligible for 
the Cybersecurity ROE Incentive under this NOPR. In addition, we 
propose that enterprise-wide costs--which are not specific to 
transmission but a portion of which are recovered through transmission 
rates--may also be eligible for incentives if the applicant can 
demonstrate how the investment will materially enhance the security 
posture of the Bulk-Power System by enhancing the applicants' 
cybersecurity posture substantially above levels required by CIP 
Reliability Standards, to the benefit of ratepayers. While 
cybersecurity systems that are not subject to the CIP Reliability 
Standards may be less critical to reliable operations, compromise of 
these systems may nevertheless allow access to more critical systems 
and therefore we believe that incentivizing the enhanced protection of 
these systems is important to the reliability of the Bulk-Power-
System.\62\ Only the conventionally allocated portion of such 
investments that flows through to Commission jurisdictional cost-of-
service rates will be eligible for this rate treatment. For instance, 
if a public utility seeks an incentive for cybersecurity investment 
that it made to its general plant

[[Page 8317]]

facilities, both the underlying investments and associated incentives 
must be allocated based on conventions of the rates (e.g., the 
transmission share using a wages and salaries allocator for general 
plant in most transmission cost of service rates). With this 
limitation, we seek to ensure that the cybersecurity incentives policy 
adheres to the ratemaking principles of beneficiary pays and cost-
causality by limiting a transmission customer's share of incentive 
costs to the share of such investments that serve (and is traditionally 
allocated to) transmission. We note that the Commission's rules and 
regulations in the Uniform System of Accounts \63\ already require 
public utilities to maintain records supporting any entries to the 
regulatory asset account so that the utility can furnish full 
information as to the nature and amount of, and justification for, each 
regulatory asset recorded in the account. Therefore, pursuant to our 
existing regulations, public utilities must maintain sufficient records 
to support the distinction of any expenses that are afforded 
incentivized treatment.\64\
---------------------------------------------------------------------------

    \62\ For example, WANNACRY attacked specific servers that were 
vulnerable and once the attacker gained access to the server, the 
attacker moved to other internal systems to complete the attack. 
See, NCCIC, Fact Sheet, What is Wannacry/Wanacryptor?, https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf.
    \63\ See 18 CFR part 101, Account Definition Account 182.3, 
Other Regulatory Assets, paragraph D.
    \64\ Id.
---------------------------------------------------------------------------

2. Regulatory Asset Incentive
    40. We propose to add Sec.  35.48(c)(2) to the Commission's 
regulations to allow a public utility to seek deferred cost recovery 
pursuant to this NOPR. We believe that, in limited circumstances, it 
may be appropriate to allow a public utility to defer recovery of 
certain cybersecurity costs that are generally expensed as incurred, 
and treat them as regulatory assets, while also allowing such 
regulatory assets to be included in transmission rate base (Regulatory 
Asset Incentive). Such expenses must be associated with the NERC CIP 
Incentives Approach or the NIST Framework Approach investments that 
receive Commission approval for ROE incentives. Like the provision of 
ROE incentives, discussed above, we propose that only expenses for 
activities that go above and beyond the CIP Reliability Standards, as 
discussed above, be eligible for incentives. Under this proposal, 
expenses that are mandatory, that a public utility incurs on a regular 
or ongoing basis, or that are incurred prior to the incentive request, 
would not be eligible for such regulatory asset treatment.
    41. More specifically, to implement proposed Sec.  35.48(c)(2) of 
the Commission's regulations, we propose to allow deferred cost 
recovery for three categories of expenses: (1) Expenses associated with 
third-party provision of hardware, software, and computing networking 
services; (2) expenses for training to implement new cybersecurity 
enhancements undertaken pursuant to this rule; and (3) other 
implementation expenses, such as system assessments by third parties or 
internal system reviews and initial responses to findings of such 
assessments. In all such cases, eligible costs are limited to costs 
associated with implementing cybersecurity upgrades and do not include 
ongoing costs including system maintenance, surveillance, and other 
labor costs, either in the form of employee salaries or third-party 
service contracts.
    42. Regarding the first category, certain cost categories, such as 
software, that companies traditionally purchased and could capitalize, 
are now often procured as services with periodic payments to vendors 
that is updated as needed. Therefore, to encourage investment in 
cybersecurity, we believe that it would be appropriate to allow public 
utilities to defer and amortize eligible costs that are typically 
recorded as expense that are associated with third party provision of 
hardware, software, and computing and networking services. Pursuant to 
our existing regulations, public utilities must maintain sufficient 
records to support the distinction of any expenses that are afforded 
incentivized treatment.\65\
---------------------------------------------------------------------------

    \65\ Id.
---------------------------------------------------------------------------

    43. Regarding the second category, in response to the White Paper, 
many commenters stated that training is central to improving 
cybersecurity. We agree that such training is critical to successful 
implementation of cybersecurity enhancements. Therefore, we propose to 
allow public utilities to request the Regulatory Asset Incentive for 
training expenses associated with cybersecurity investments made 
pursuant to this rule. However, ongoing training expenses, which many 
organizations provide to employees regularly, would not be eligible 
because such training is an ongoing rather than implementation type of 
operating expense for the implementation we seek to incentivize. 
Pursuant to our existing regulations, public utilities must maintain 
sufficient records to support the distinction of any training expenses 
that are afforded incentivized treatment.\66\
---------------------------------------------------------------------------

    \66\ Id.
---------------------------------------------------------------------------

    44. Regarding the third category, we believe that there may be 
large one-time expenses associated with implementing cybersecurity 
upgrades. These may include unusually large internal system evaluations 
and assessments or analyses by third parties. These expenses may be 
large relative to the size of the capital investments associated with 
the cybersecurity upgrades and essential to their proper 
implementation. We propose that such expenses not include regularly 
scheduled activities that would occur irrespective of the cybersecurity 
upgrades. Pursuant to our existing regulations, public utilities must 
maintain sufficient records to support the distinction of any expenses 
that are afforded incentivized treatment.
    45. Additionally, consistent with the proposal for the ROE 
incentive for eligible cybersecurity capital investments, only directly 
assigned transmission costs or the conventionally allocated (i.e., 
using the wages and salaries allocator) portion of enterprise-wide 
expenses would be eligible the Regulatory Asset Incentive. Applicants 
would be required under proposed Sec.  35.48(b) to demonstrate that any 
enterprise-wide expenses for which they seek this treatment materially 
enhances the cybersecurity of the Bulk-Power System by enhancing the 
applicants' cybersecurity posture substantially above levels required 
by CIP Reliability Standards, to the benefit of ratepayers.
    46. Finally, we propose in Sec.  35.48(d)(2) that deferred 
regulatory assets whose costs are typically expensed should be 
amortized over a five-year period. We believe that this duration will 
allow incentive recipients a reasonable amount of time to earn a return 
on expenditures for which no return is normally allowed. Moreover, the 
proposed amortization period generally corresponds to the short 
lifespan and depreciation rates of cybersecurity investments.
3. Other Types of Incentives
    47. In this NOPR, we are proposing to grant ROE and deferred cost 
recovery incentives. Nonetheless, we recognize that other incentives, 
such as construction work in progress, may be warranted to encourage 
investment in cybersecurity if adequately supported. To maintain 
flexibility under this proposal for other types of incentives under 
these new regulations, we propose to add Sec.  35.48(c)(3) to the 
Commission's regulations that provides the Commission additional 
flexibility to grant a public utility any other incentives, pursuant to 
the requirements of this section, that the Commission deems to be just 
and reasonable and not unduly discriminatory or preferential for 
investments undertaken pursuant to

[[Page 8318]]

this rule.\67\ We propose to consider applications for other 
cybersecurity incentives on a case-by-case basis to determine if they 
are just and reasonable and not unduly discriminatory or preferential 
under FPA section 205.
---------------------------------------------------------------------------

    \67\ We note that the Commission adopted similar flexibility and 
language to consider other proposals in Sec.  35.35(d)(viii) of the 
Commission's rules and regulations in Order No. 679. See 18 CFR 
35.35(d)(1)(viii); Promoting Transmission Investment through Pricing 
Reform, Order No. 679, 71 FR 43293 (Jul. 31, 2006), 116 FERC ] 
61,057 (2006), order on reh'g, Order No. 679-A, 72 FR 1152 (Jan. 10, 
2007), 117 FERC ] 61,345 (2006), order on reh'g 119 FERC ] 61,062 
(2007).
---------------------------------------------------------------------------

D. Application Process

    48. Proposed Sec.  35.48(e) of the Commission's regulations would 
require a public utility's request for one or more incentive based-rate 
treatments to be made in a filing pursuant to FPA section 205. As 
proposed, such a request must include a detailed explanation of how the 
public utility plans to implement one or both of the proposed incentive 
approaches and the requested rate treatment. We propose that applicants 
provide detail on the investments or expenses for which they seek 
incentives, as described in more detail below. An applicant would make 
a filing showing how its project(s) meet the eligibility requirements 
described below. In proposing what showing an applicant must make, we 
balance the need for sufficient information to determine if an 
applicant is eligible for the incentive against the risk of the 
applicant providing potentially sensitive information on cybersecurity 
vulnerabilities in its application. We discuss confidentiality concerns 
further in section IV.E.3 (Confidentiality Considerations).
    49. Finally, under Sec.  35.48(e) of the proposed regulations, a 
public utility seeking one or more incentive based-rate treatments 
proposed in the NOPR must make a filing for Commission approval 
pursuant to FPA section 205 and receive such approval prior to 
implementing the proposed incentives in its Commission-jurisdictional 
rates. In order to effectuate the incentives in rates, public utilities 
would need to propose in their FPA section 205 filing conforming 
revisions to their formula rates, as appropriate, to reflect incentive 
rate treatment granted pursuant to these proposed regulations.\68\
---------------------------------------------------------------------------

    \68\ Public utilities with stated rates may file under FPA 
section 205 to seek incentives as part of a larger rate case or make 
a request for single issue ratemaking, which the Commission will 
evaluate on a case-by-case basis.
---------------------------------------------------------------------------

1. NERC CIP Incentives Approach
    50. To implement proposed Sec.  35.48(b) of the Commission's 
regulations, for capital investments, we propose that an applicant 
describe the proposed investments as well as their anticipated cost, 
completion date and geographic location. An applicant would also 
describe how the proposed investment meets the description of the Med/
High Incentive and/or the Hub-Spoke Incentive.
    51. We propose that applicants describe the implementation and 
method of continuing adherence to the actions required to obtain and 
maintain the incentive, as described in Sec.  35.48(e)(1) of the 
proposed regulations. The applicant would include in its application, 
at a minimum, an identification of the scope of assets for which the 
public utility is requesting the incentive, and the associated BES 
Cyber Systems that will be protected. Specifically, an applicant would 
include a list of BES assets for which the public utility is requesting 
the incentive, the geographical location of the BES assets, the 
function they support, the incentive method the public utility is 
requesting for each of the BES assets, the current impact ratings of 
the BES assets and the impact level(s) that the assets now meet as a 
result of the investment, and a list of BES Cyber Systems associated 
with each of the BES assets including details on their use.
    52. Unlike conventional transmission investments, which entail 
completion of a physical transmission project, investments under the 
NERC CIP Incentives Approach seek to bring BES assets otherwise not 
required to be subject to certain cybersecurity requirements to a 
higher cybersecurity level, and that higher level must be maintained 
for it to continue to provide ratepayer benefits. Consequently, the 
Commission proposes that, if an investment that receives a Med/High 
Incentive or Hub-Spoke Incentive ceases to meet the requirements of 
that incentive, the public utility would be required to update its 
cost-of-service rates to reflect this change. In addition, the 
Commission or third parties may initiate FPA section 206 proceedings to 
revoke such incentives.
    53. In Order No. 791, the Commission recognized that categorizing 
BES Cyber Systems based on their low, medium, or high impact on the 
reliable operation of the BES, with all BES Cyber Systems being 
categorized as at least low impact, offers more comprehensive 
protection of the BES than the prior CIP Reliability Standards.\69\ The 
Commission also acknowledged that CIP version 5 Standards offer new 
cybersecurity controls that will improve the overall security posture 
of responsible entities.\70\ Given the Commission's experience with the 
CIP Reliability Standards, we propose that an asset-by-asset showing of 
benefits is unnecessary because, though the benefits of upgrades may 
vary by system, we believe that all upgrades based on the NERC CIP 
Incentives Approach materially enhance the cybersecurity posture of the 
Bulk-Power System by enhancing the applicants' cybersecurity posture 
substantially above levels required by CIP Reliability Standards, to 
the benefit of ratepayers, and warrant incentives. Thus, we propose 
that a public utility seeking incentives under the NERC CIP Incentives 
Approach and that provides the information required under this 
application process receive a rebuttable presumption that the 
cybersecurity investments materially enhance the cybersecurity of the 
Bulk-Power System by enhancing the applicants' cybersecurity posture 
substantially above levels required by CIP Reliability Standards to 
merit an incentive.
---------------------------------------------------------------------------

    \69\ Order No. 791, 145 FERC ] 61,160 at P 41.
    \70\ Id.
---------------------------------------------------------------------------

2. NIST Framework Approach
    54. In contrast to applications for incentives based on the NERC 
CIP Incentives Approach, we propose that a public utility seeking 
incentives for cybersecurity investments under the NIST Framework 
Approach would not be entitled to a rebuttable presumption and instead 
must provide additional information showing that the proposed 
investment materially enhances the cybersecurity posture of the Bulk-
Power System by enhancing the applicants' cybersecurity posture 
substantially above levels required by CIP Reliability Standards. 
However, we request comments on what demonstration an applicant should 
be required to make to show that its NIST Framework Approach 
investments merit incentives under the FPA section 205 just and 
reasonable standard.
    55. Depending on a public utility's existing attributes; namely the 
hardware, system configuration, and operating practices that contribute 
to its overall cybersecurity posture, and the specific characteristics 
of the proposed cybersecurity investments, proposed cybersecurity 
investments may or may not materially enhance the cybersecurity posture 
of the Bulk-Power System by enhancing the applicants' cybersecurity 
posture substantially above levels required by CIP Reliability 
Standards to warrant incentives. Under Sec.  35.48(e)(2) of the 
Commission's regulations, we propose that an

[[Page 8319]]

applicant must describe its current cybersecurity posture, desired 
cybersecurity posture, and the quantified risk factors being addressed 
through the proposed incentive actions. An application must include 
full and detailed explanations of how proposed cybersecurity 
investments will materially enhance the cybersecurity of the Bulk-Power 
System by enhancing the applicants' cybersecurity posture substantially 
above levels required by CIP Reliability Standards, to the benefit of 
ratepayers. In assessing whether an application meets the standard for 
granting incentives under this NOPR, we propose that the Commission 
would review the stated expenditures and level of risk mitigated in 
comparison to the public utility's pre-incentivized network 
configuration. This judgement will be made on a case-by-case basis. The 
application would need to detail the specific components to be 
installed, network deployment, sensor configuration, and enterprise 
data incorporation as described in the four-step review process, 
discussed below.
    56. Consistent with incentive requests under the NERC CIP 
Incentives Approach, an applicant seeking incentives under the NIST 
Framework Approach would be required to provide detail on the 
investments or expenses for which it seeks incentives. For capital 
investments, applicants would describe: (1) The required network 
components; (2) how the sensors connect to the network; (3) how the 
sensors deployment recognizes the specific attributes of the network; 
(4) the costs of all investments; and (5) when the costs are expected 
to be incurred.
3. ROE Adder
    57. Under Sec.  35.48(e)(3) of the proposed regulations, applicants 
requesting an ROE adder of 200 basis points must include the 
anticipated cost of the capital investment and identify the Commission-
jurisdictional rate schedules under which they will recover the ROE 
adder.
4. Regulatory Asset Incentive
    58. For expenses that the applicant seeks to receive regulatory 
asset treatment associated with either ROE incentive-eligible projects 
based on either the NERC CIP Incentives Approach or the NIST Framework 
Approach, under Sec.  35.48(e)(4) of the proposed regulations, the 
applicant must describe and estimate the nature of such expenses, their 
costs, and when they are expected to be incurred.\71\ Applicants would 
be expected to provide a narrative explanation of how such expenses 
meet the description of the Med/High Incentive, the Hub-Spoke Incentive 
and/or the NIST Framework Approach. Applicants would then describe 
whether the expenses are: (1) Expenses associated with third-party 
provision of hardware, software, and computing networking services; (2) 
expenses for training to implement new cybersecurity enhancements; or 
(3) other transition expenses, such as risk assessments \72\ by third 
parties or internal system reviews, and initial responses to findings 
of such assessments. An applicant would also be required to describe 
the cost, location, and timing of all eligible capital investments and 
the cost and timing of all deferred expenses.
---------------------------------------------------------------------------

    \71\ We reiterate that applicants' ongoing costs of operating a 
more cybersecure system are not eligible for such incentive 
treatment under this NOPR.
    \72\ NIST, Framework for Improving Critical Infrastructure 
Cybersecurity, Version 1.1, at 26 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
---------------------------------------------------------------------------

E. Implementation

1. Incentive Duration
    59. We propose to add Sec.  35.48(d) to the Commission's 
regulations to allow a public utility granted an incentive under this 
NOPR to receive that incentive for the lesser of: (1) The depreciation 
life of the underlying asset; (2) 10 years from when the cybersecurity 
improvements enter service; (3) when the investments or activities that 
serve as the basis of that incentive become mandatory pursuant to a 
Reliability Standard approved by the Commission; or (4) when the public 
utility no longer meets the requirements for receiving the 
incentive.\73\ We are seeking to incentivize cybersecurity assets that 
primarily include equipment or system modifications that typically have 
short depreciation lives. The cybersecurity incentives identified in 
this NOPR are intended to apply to technology and systems investments 
and not to more long-lived assets like physical structures. Thus, we 
believe that most public utilities granted cybersecurity incentives 
under this NOPR should receive those incentives for the depreciation 
life of the asset. However, for investments with useful lives exceeding 
10 years, we propose that the incentive end at the conclusion of 10 
years from when the cybersecurity incentives enter service. Although it 
is possible that specific components of cybersecurity investments may 
feature longer useful lives than 10 years, given the evolving nature of 
cybersecurity threats, we find that 10 years is a reasonable 
expectation of the principal benefits of the cybersecurity investments, 
which should correspond to the investment duration.
---------------------------------------------------------------------------

    \73\ FPA section 205 filings revising cost of service rates to 
implement incentives must contain language limiting incentive 
duration to the lesser of these three eventualities.
---------------------------------------------------------------------------

    60. In addition, we propose that, where cybersecurity investments 
are mandatory, cybersecurity incentives are inappropriate and would 
only serve to increase ratepayer costs. However, where NERC publicly 
announces that it is considering making certain cybersecurity 
activities or investments mandatory, through issuing a standard 
authorization request, public utilities may receive incentives until 
the requirements become mandatory. For a public utility that requests 
regulatory asset treatment for costs normally recorded to expenses, if 
such expenditures become mandatory, we propose that the public utility 
must recover the unamortized portion of expenses through expenses in 
rates with no further earning of an incentive return on the regulatory 
asset.
2. Informational Filing and Verification
    61. In order to ensure that a public utility receiving incentive 
rate treatment has implemented the requirements for the incentive and 
to ensure that it continues to adhere to these requirements, we propose 
to add Sec.  35.48(f) to the Commission's regulations to require public 
utilities to submit annual informational filings with the 
Commission.\74\ We propose specific reporting requirements for each of 
the NERC CIP Incentives Approach and the NIST Framework Approach below.
---------------------------------------------------------------------------

    \74\ These reporting requirements also apply to non-public 
utilities that receive cybersecurity incentives through their 
Commission-jurisdictional rates.
---------------------------------------------------------------------------

    62. The Transmission Incentives NOPR proposes additional reporting 
requirements for recipients of transmission incentives under FPA 
section 219.\75\ Such additional reporting is likewise appropriate for 
cybersecurity upgrades receiving incentives. Accordingly, we propose to 
add Sec.  35.48(f) to require that, within 120 days of the completion 
of cybersecurity upgrades for which an applicant is granted incentives, 
an incentives recipient must make an informational filing and 
subsequent informational filings annually thereafter. The annual 
informational filings must detail the specific investments that were 
made

[[Page 8320]]

pursuant to the Commission's approval and the corresponding FERC 
account(s) used. In addition, the annual informational filings must 
describe what parts of its network were upgraded or expanded (i.e., 
which substations, control centers, automated and continuous monitoring 
equipment) in addition to the nature (i.e., describing hardware 
purchase) and actual cost of the various capital investments. For 
incentives where the Commission allows deferral of expenses as 
regulatory assets, annual informational filings should describe such 
expenses in sufficient detail to demonstrate that such expenses are 
specifically related to implementing the cybersecurity incentives 
described in this NOPR and not for ongoing costs including system 
maintenance, surveillance, and other labor costs, either in the form of 
employee salaries or third-party service contracts.
---------------------------------------------------------------------------

    \75\ Transmission Incentives NOPR, 166 FERC ] 61,208 at P 115.
---------------------------------------------------------------------------

    63. We preliminarily find that the proposed reporting requirements 
are necessary to provide the Commission with an understanding of the 
costs of various types of cybersecurity investments in order to more 
precisely target future incentives or other policies. However, based on 
the qualities of such investments, as well as the likely higher 
sensitivity of the information, we propose to require different 
reporting requirements under this proposal than those proposed under 
the Transmission Incentives NOPR.
    64. Several aspects of cybersecurity necessitate reporting 
different information that the Commission has required for conventional 
transmission facilities receiving incentives pursuant to FPA section 
219. First, cybersecurity investments are not observable. Unlike 
conventional transmission facilities, such as a new transmission line, 
it is not readily apparent if, and when, such investments are completed 
and serving customers. Therefore, it is important to confirm the 
completion of cybersecurity investments by establishing additional 
reporting requirements. Second, certain cybersecurity investments may 
require public utilities to undertake subsequent actions or make 
expenditures to maintain the status for which they receive incentives. 
Annual reports enable public utilities to demonstrate that they have 
undertaken such actions or expenditures.
    65. Finally, we propose that both the initial and annual 
informational filings provide a summary of the costs incurred to 
achieve the higher level of security, including supporting 
documentation that provides a narrative explanation of the nature of 
the expenses proposed for deferred cost recovery, and inclusion in rate 
base as a regulatory asset, including the specific accounts (under the 
Commission's Uniform System of Accounts) initially charged for the 
incurred expenses.
    66. Also, the Commission may conduct periodic verification to 
assess cybersecurity investments and expenses for which it has approved 
incentives. The Commission could perform such verifications through 
multiple means (i.e., directing further informational filings, audits, 
etc.). The annual informational filings will inform the Commission on 
how and when the additional verification is warranted.
a. NERC CIP Incentives Approach
    67. To demonstrate that a public utility has implemented the 
requirements for the Med/High incentive and to ensure that the 
recipient continues to adhere to these requirements, we propose that 
the informational filing would describe implementation of the enhanced 
security controls, as applicable, in all the topics covered by the CIP 
Reliability Standards. Below is a table of currently effective and 
Commission-approved CIP Reliability Standards and examples of 
supporting documentation a public utility may provide to demonstrate 
incentive adherence to each CIP Reliability Standard. For the first 
informational filing, we would expect the public utility to provide 
documents, as indicated below, plus any additional documentation needed 
to demonstrate voluntary application of identified CIP Reliability 
Standards to facilities that are not currently subject to those 
requirements.\76\ For each subsequent annual informational filing, the 
public utility would only need to provide an updated version of the 
supporting documentation showing any changes from the prior 
informational filing as well as information on any period of time 
during the reported year where the public utility ceased to voluntarily 
apply identified CIP Reliability Standards to facilities that are not 
currently subject to those requirements.
---------------------------------------------------------------------------

    \76\ The information requested is similar to the information 
FERC staff reviews during a NERC CIP Reliability Standards audit.
    \77\ CIP-002 actions are not eligible for the incentive since it 
is a mandatory requirement for all BES assets.
    \78\ CIP-012-1: Communications between Control Centers will be 
subject to enforcement on July 1, 2022.

                           Supporting Documentation Demonstrating Incentive Adherence
----------------------------------------------------------------------------------------------------------------
                 Topic                             Standard                           Documentation
----------------------------------------------------------------------------------------------------------------
BES Cyber System Categorization.......  CIP-002 \77\..................  List of the categorization of BES Cyber
                                                                         Systems included in the incentive.
Management Controls...................  CIP-003.......................  Senior Management approval of revised
                                                                         cyber security policies; updates to
                                                                         delegation procedures.
Personnel and Training................  CIP-004.......................  Cyber security training program and
                                                                         quarterly reinforcement; personnel risk
                                                                         assessment program; access management
                                                                         program, and timely access revocation
                                                                         processes.
Electronic Security Perimeters........  CIP-005.......................  Establishment of ESPs and management of
                                                                         electronic access points; remote access
                                                                         management.
Physical Security of BES Cyber Systems  CIP-006.......................  Physical security plans; visitor control
                                                                         program; PACS maintenance and testing
                                                                         procedures.
Systems Security Management...........  CIP-007.......................  Ports and services management; security
                                                                         patch management; malicious code
                                                                         prevention methods; security event
                                                                         monitoring; system access controls.
Incident Reporting and Response.......  CIP-008.......................  Cyber security incident response plan,
                                                                         implementation, and testing procedures.
Backup and Recovery Plans.............  CIP-009.......................  System recovery plans, implementation,
                                                                         and testing procedures.
Configuration Change Management.......  CIP-010.......................  System baseline configurations;
                                                                         configuration monitoring; vulnerability
                                                                         assessment processes.
Information Protection................  CIP-011.......................  Information protection procedures; cyber
                                                                         asset reuse and disposal methods.
Communications between Control Centers  CIP-012 \78\..................  Plans mitigating the risks posed by
                                                                         unauthorized disclosure and
                                                                         unauthorized modification of Real-time
                                                                         Assessment and Real-time monitoring
                                                                         data while being transmitted between
                                                                         any applicable Control Centers; and
                                                                         evidence of the associated security
                                                                         protections implemented and used.

[[Page 8321]]

 
Supply Chain Risk Management..........  CIP-013.......................  Supply chain security risk management
                                                                         plan, implementation, and testing
                                                                         procedures.
----------------------------------------------------------------------------------------------------------------

    68. To demonstrate that a public utility has implemented the 
requirements for the Hub-Spoke incentive, we propose that the 
informational filing describe the reconfiguration and assets added to 
the communication paths to/from locations containing low impact BES 
Cyber Systems. For the first annual informational filing, we propose 
that the public utility provide documents demonstrating these changes. 
For any subsequent annual informational filing, the public utility 
would only need to provide an updated version of any supporting 
documentation if a change occurred for the previous informational 
filing, as well as information on any failure to maintain the 
communication paths, and any mitigating actions the public utility 
undertook to resolve the problem.
b. NIST Framework Approach
    69. We propose that the reporting requirements to implement 
proposed Sec.  35.48(f) of its regulations for the NIST Framework 
Approach differ from those under the NERC CIP Incentives Approach. The 
Commission would review the informational filings to determine if the 
proposed changes meet the requirements for incentives by focusing on 
four areas: Acquisition and installation, system connectivity, security 
application, and relevance to entity monitoring/response actions. For 
each subsequent annual informational filing, the public utility would 
only need to provide an updated version of the supporting documentation 
showing any changes from the prior informational filing, as well as 
information on any period of time during the reported year where the 
public utility ceased to continuously implement specific requirements 
consistent with the Commission's order approving the application.
    70. Step 1 of the review process addresses the acquisition and 
installation of required network components (i.e., high-fidelity 
sensors) that meet the proposed security enhancements subject to 
incentives. The Commission would require a public utility to confirm 
that funds have been expended on the necessary equipment through 
documentation such as purchase orders, receipts, licensing agreements, 
and installation documentation with specified time periods.
    71. Step 2 of the review process addresses the attainment of 
necessary training and personnel for the implementation of the 
incentivized action. Training and additional personnel must be 
necessary and limited to the implementation of the cybersecurity 
equipment within the affected networks. The Commission would require a 
public utility to verify training and personnel actions through 
documentation such as third-party contractor agreements, training 
program curricula, and official job descriptions.
    72. Step 3 of the review process addresses network and sensor node 
recognition optimization of system deployment, and strategic 
configuration. This step describes how the sensors are connected to a 
network and how they substantively improve the visibility and security 
of the affected networks. The public utility could demonstrate this 
network and sensor node recognition through such items as configuration 
files, system logs, configuration settings, and a description of its 
location on the affected network.
    73. Step 4 of the review process addresses the incorporation of 
sensor nodes in the enterprise level incident monitoring and response 
plan. This step verifies that the incentivized action is being 
incorporated into monitoring and response actions to impact overall 
network security. The utility would need to attest that the information 
would be included in operational activities such as incident response 
plans, playbooks, and Standard Operating Procedures.
3. Confidentiality Considerations
    74. We recognize that the Commission's cybersecurity incentives 
policy must balance the need to maintain the confidentiality of 
cybersecurity systems and protocols with the need for transparency in 
rates when awarding incentive rates to public utilities for 
cybersecurity investments. The Commission balances these considerations 
through its confidential \79\ and Critical Energy/Electric 
Infrastructure Information (CEII) filing regulations.\80\ These 
regulations recognize that intervenors in a Commission proceeding, such 
as a proceeding establishing incentive rates, may need access to 
information that the applicant believes should be withheld from 
disclosure to the general public, in order to participate effectively 
in the proceeding. Therefore, the Commission's regulations provide for 
any person who is a participant in a proceeding or has filed a motion 
to intervene or notice of intervention to make a written request to the 
filer for a copy of the complete, non-public version of the document.
---------------------------------------------------------------------------

    \79\ Section 388.112 of the Commission's regulations specifies 
that any person submitting a document to the Commission may request 
privileged treatment for some or all of the information contained in 
a particular document that it claims is exempt from the mandatory 
public disclosure requirements of the Freedom of Information Act and 
that should be withheld from public disclosure. In particular, Sec.  
388.112(b)(2) sets forth procedures for filing and obtaining access 
to material that is filed as privileged in any proceeding to which a 
right to intervention exists and specifies that if a person files 
material as privileged in such proceeding, that person must include 
a proposed form of protective agreement with the filing, or identify 
a protective agreement that has already been filed in the proceeding 
that applies to the filed material. 18 CFR 388.112.
    \80\ Section 388.113 governs the procedures for submitting, 
designating, handling, sharing, and disseminating CEII submitted to 
or generated by the Commission. Section 388.113(d)(1)(iii) provides 
for the person filing material as CEII in a proceeding to which a 
right to intervention exists to include a proposed form of 
protective agreement. 18 CFR 388.113.
---------------------------------------------------------------------------

    75. Accordingly, we propose that, if a public utility applying for 
incentive rate treatment under this rule is concerned that the 
information contained in an application for incentives could lead to 
the disclosure of confidential information or CEII related to its 
cybersecurity systems, the public utility could request protection of 
its information pursuant to these procedures. The Commission's 
practice, however, is not to allow for the filing of an FPA section 205 
rate application under seal. Under this proposal, to the extent an 
applicant seeks confidential treatment, we expect that the applicant's 
request for such treatment will be specific and limited. If an 
applicant requests portions of the application be protected, we expect 
that the public portion of an application should contain sufficient 
information for ratepayers to judge the rate impact and scope of the 
proposed incentives, including the general approach adopted. The 
Commission will address such requests

[[Page 8322]]

for protection on a case by case basis.\81\ We request comments on the 
specific and limited types of information that would be appropriate for 
applicants to shield from public disclosure, and any other specific 
modifications or additions to the Commission's generally applicable 
filing regulations that may be appropriate for the incentives filings 
proposed in this NOPR.
---------------------------------------------------------------------------

    \81\ An applicant or any other person may object to disclosure 
generally or to a particular requester, and in such cases the non-
public document will not be provided to the requester until ordered 
by the Commission or a decisional authority. 18 CFR 
388.112(b)(2)(iv), 388.113(g)(4).
---------------------------------------------------------------------------

V. Information Collection Statement

    76. The information collection requirements contained in this NOPR 
are subject to review by the Office of Management and Budget (OMB) 
under section 3507(d) of the Paperwork Reduction Act of 1995.\82\ OMB's 
regulations require approval of certain information collection 
requirements imposed by agency rules.\83\ Upon approval of a collection 
of information, OMB will assign an OMB control number and expiration 
date. Respondents subject to the filing requirements of this rule will 
not be penalized for failing to respond to these collections of 
information unless the collections of information display a valid OMB 
control number.
---------------------------------------------------------------------------

    \82\ 44 U.S.C. 3507(d).
    \83\ 5 CFR 1320.11.
---------------------------------------------------------------------------

    77. This NOPR will establish the Commission's regulations and 
policy with respect to the mechanics and implementation of the 
Commission's cybersecurity incentives policy and will require an annual 
report from the recipients of cybersecurity incentives in order to 
demonstrate compliance with the Commission's cybersecurity incentives 
regulations and policy.
    78. Interested persons may obtain information on the reporting 
requirements by contacting Ellen Brown, Office of the Executive 
Director, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426 via email ([email protected]) or telephone 
((202) 502-8663).
    79. The Commission solicits comments on the Commission's need for 
this information, whether the information will have practical utility, 
the accuracy of the burden estimates, ways to enhance the quality, 
utility, and clarity of the information to be collected or retained, 
and any suggested methods for minimizing respondents' burden, including 
the use of automated information techniques.
    80. Please send comments concerning the collection of information 
and the associated burden estimates to: Office of Information and 
Regulatory Affairs, Office of Management and Budget, 725 17th Street 
NW, Washington, DC 20503 [Attention: Desk Officer for the Federal 
Energy Regulatory Commission]. Due to security concerns, comments 
should be sent electronically to the following email address: 
[email protected]. Comments submitted to OMB should refer to 
OMB Control Nos.
    81. Please submit a copy of your comments on the information 
collections to the Commission via the eFiling link on the Commission's 
website at https://www.ferc.gov. If you are not able to file comments 
electronically, please send a copy of your comments to: Federal Energy 
Regulatory Commission, Secretary of the Commission, 888 First Street 
NE, Washington, DC 20426. Comments on the information collection that 
are sent to FERC should refer to RM21-3-000.
    82. Title: Report of Cybersecurity Incentives Investment Activity.
    83. Action: Proposed revision of collections of information in 
accordance with RM21-XX-000.
    84. OMB Control Nos.: 1902-0248 (FERC-725B).
    85. Respondents for this Rulemaking: Public Utilities that seek 
incentive-based rate treatment for cybersecurity projects.
    86. Frequency of Information Collection: Annually beginning with 
the calendar year the Commission grants incentive-based rate treatment.
    87. Necessity of Information: Required to obtain or retain 
benefits.
    88. Internal Review: The Commission has reviewed the changes and 
has determined that such changes are necessary. These requirements 
conform to the Commission's need for efficient information collection, 
communication, and management within the energy industry. The 
Commission has specific, objective support for the burden estimates 
associated with the information collection requirements.
    89. The NERC Compliance Registry, as of October 02, 2020, 
identifies approximately 319 Transmission Owners in the U.S. that are 
subject to this proposed rulemaking.
    90. The Commission estimates that the NOPR would affect the burden 
\84\ and cost \85\ as follows:
---------------------------------------------------------------------------

    \84\ ``Burden'' is the total time, effort, or financial 
resources expended by persons to generate, maintain, retain, or 
disclose or provide information to or for a Federal agency. For 
further explanation of what is included in the information 
collection burden, refer to 5 CFR 1320.3.
    \85\ Commission staff estimates that respondents' hourly wages 
(including benefits) are comparable to those of FERC employees. 
Therefore, the hourly cost used in this analysis is $83.00 ($172,329 
per year).

                                                    Proposed Changes in NOPR in Docket No. RM21-3-000
--------------------------------------------------------------------------------------------------------------------------------------------------------
                   A                            B               C               D                          E                               F
Area of modification                          Number of          Annual          Annual  Average burden hours and cost per     Total estimated burden
                                            respondents       estimated       estimated   response.                             hours and total
                                                              number of       number of                                         estimated cost
                                                          responses per       responses                                        (column D x column E)
                                                             respondent     (column B x
                                                                              column C)
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                 Report of Cybersecurity Incentives Investment Activity
--------------------------------------------------------------------------------------------------------------------------------------------------------
Additional filers of Report of                       20               1              20  80 hours; $6,640....................  1,600 hours; $132,800.
 Cybersecurity Incentives Investment
 Activity (Annually and Ongoing).
Critical Infrastructure Protection              223,875               1         223,875  9.13 hours; $757.44.................  2,043,026 hours;
 Reliability Standards for FERC-725B                                                                                            $169,571,158.
 (unchanged).
                                        ----------------------------------------------------------------------------------------------------------------
    Total..............................  ..............  ..............         223,895  ....................................  2,044,626 hours;
                                                                                                                                $169,703,958.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    91. For the purposes of estimating burden in this NOPR, in the 
table above, we conservatively estimate annual numbers of the different 
possible cybersecurity incentive requests as similar to the historical 
high experienced for incentives Orders issued under Section 219. For 
example, to date, the Commission has received

[[Page 8323]]

approximately 110 incentive requests since Order No. 679 was issued in 
2006, and has issued an average of 8 incentives Orders per year, with a 
single year high of 21 incentive Orders issued. This estimate is 
consistent with our expectation that the cybersecurity incentives are 
likely to attract significant interest from the industry. We seek 
comment on the estimates in the table above regarding the number of 
incentive requests.

VI. Environmental Analysis

    92. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\86\ We 
conclude that neither an Environmental Assessment nor an Environmental 
Impact Statement is required for this proposed rule under Sec.  
380.4(a)(15) of the Commission's regulations, which provides a 
categorical exemption for approval of actions under FPA sections 205 
and 206 relating to the filing of schedules containing all rates and 
charges for the transmission or sale of electric energy subject to the 
Commission's jurisdiction, plus the classification, practices, 
contracts, and regulations that affect rates, charges, classification, 
and services.\87\
---------------------------------------------------------------------------

    \86\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. 
& Regs. Preambles 1986-1990 ] 30,783 (1987) (cross referenced at 41 
FERC ] 61,284).
    \87\ 18 CFR 380.4(a)(15).
---------------------------------------------------------------------------

VII. Regulatory Flexibility Act

    93. The Regulatory Flexibility Act of 1980 \88\ generally requires 
a description and analysis of proposed and final rules that will have 
significant economic impact on a substantial number of small entities. 
The Small Business Administration (SBA) sets the threshold for what 
constitutes a small business. Under SBA's size standards,\89\ 
Transmission owners all fall under the category of Electric Bulk Power 
Transmission and Control (NAICS code 221121), with a size threshold of 
500 employees (including the entity and its associates).\90\
---------------------------------------------------------------------------

    \88\ 5 U.S.C. 601-612.
    \89\ 13 CFR 121.201
    \90\ The threshold for the number of employees indicates the 
maximum allowed for a concern and its affiliates to be considered 
small.
---------------------------------------------------------------------------

    94. We estimate that 319 transmission owners are reported in the 
NERC registry. Using the list of Transmission Owners from the NERC 
Registry (dated October 2, 2020), we estimate that approximately 6% of 
those entities may file for incentives.
    95. We estimate additional annual costs associated with the NOPR 
(as shown in the table above) of:
     $6,640 per filer for 20 new filers.
     These costs are only incurred on a voluntary basis.
    96. Therefore, the estimated additional annual cost per entity 
ranges from $0 to $132,800. According to SBA guidance, the 
determination of significance of impact ``should be seen as relative to 
the size of the business, the size of the competitor's business, the 
number of filers received annually (20), and the impact this regulation 
has on larger competitors.'' \91\ We do not consider the estimated cost 
to be a significant economic impact. As a result, we certify that the 
proposals in this NOPR will not have a significant economic impact on a 
substantial number of small entities.
---------------------------------------------------------------------------

    \91\ U.S. Small Business Administration, A Guide for Government 
Agencies How to Comply with the Regulatory Flexibility Act, at 18 
(May 2012), https://www.sba.gov/sites/default/files/advocacy/rfaguide_0512_0.pdf.
---------------------------------------------------------------------------

VIII. Comment Procedures

    97. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due April 6, 2021. Also, reply comments are 
due May 6, 2021. Comments must refer to Docket No. RM20-3-000, and must 
include the commenter's name, the organization they represent, if 
applicable, and their address in their comments.
    98. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's website at https://www.ferc.gov. The Commission accepts most standard word processing 
formats. Documents created electronically using word processing 
software should be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    99. Commenters that are not able to file comments electronically 
may mail or hand-deliver an original of their comments. Mailed comments 
should be addressed to: Federal Energy Regulatory Commission, Secretary 
of the Commission, 888 First Street NE, Washington, DC 20426. Hand-
delivered comments should be delivered to: Federal Energy Regulatory 
Commission, 12225 Wilkins Avenue, Rockville, Maryland 20852. All 
comments will be placed in the Commission's public files and may be 
viewed, printed, or downloaded remotely as described in the Document 
Availability section below. Commenters on this proposal are not 
required to serve copies of their comments on other commenters.

IX. Document Availability

    100. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (https://www.ferc.gov). At 
this time, the Commission has suspended access to the Commission's 
Public Reference Room due to the President's March 13, 2020 
proclamation declaring a National Emergency concerning the Novel 
Coronavirus Disease (COVID-19).
    101. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    102. User assistance is available for eLibrary and the Commission's 
website during normal business hours from the Commission's Online 
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

List of Subjects in 18 CFR Part 35

    Electric power rates, Electric utilities, Reporting and 
recordkeeping requirements.

    By direction of the Commission. Chairman Danly and Commissioner 
Glick are concurring with a joint separate statement attached. 
Commissioner Clements is not participating.

    Issued: December 17, 2020.
Kimberly D. Bose,
Secretary.

    In consideration of the foregoing, the Commission is proposing to 
amend part 35, chapter I, title 18, Code of Federal Regulations, as 
follows.

PART 35--FILING OF RATE SCHEDULES AND TARIFFS

0
1. The authority citation for part 35 continues to read as follows:

    Authority: 16 U.S.C. 791a-825r, 2601-2645; 31 U.S.C. 9701; 42 
U.S.C. 7101-7352.

0
2. Section 35.48 is added to read as follows:

[[Page 8324]]

Subpart K--Cybersecurity Investment Provisions


Sec.  35.48  Cybersecurity investment.

    (a) Purpose. This section establishes rules for incentive-based 
rate treatments for voluntarily making cybersecurity investments by a 
public utility as described in this subpart.
    (b) Incentive-based rate treatments for cybersecurity investment. 
The Commission will authorize incentive-based rate treatments for a 
public utility that makes cybersecurity investments under this subpart 
that materially enhance the cybersecurity posture of the Bulk-Power 
System by enhancing the applicants' cybersecurity posture substantially 
above levels required by Critical Infrastructure Protection Reliability 
Standards, provided that the proposed incentive is just and reasonable 
and not unduly discriminatory or preferential. A public utility may 
request one or both of the following incentive approaches for those 
eligible cybersecurity investments:
    (1) Critical Infrastructure Protection Incentive Approach. A public 
utility may receive incentive rate treatment for voluntarily applying 
Critical Infrastructure Protection Reliability Standards to bulk 
electric system facilities that are not currently subject to those 
requirements. A public utility will receive a rebuttable presumption 
that the investments made pursuant to this Critical Infrastructure 
Protection Incentive Approach materially enhance the cybersecurity 
posture of the Bulk-Power System to merit an incentive for such 
cybersecurity investments. A public utility may receive incentive rate 
treatment for the investments as follows:
    (i) Increasing the Critical Infrastructure Protection Reliability 
Standard security controls for facilities identified as low or medium 
impact bulk electric system Cyber Systems by applying the requirements 
for medium or high impact systems to low impact systems, and/or the 
requirements for high impact systems to medium impact systems; or
    (ii) Ensuring all external routable connectivity to and from the 
low impact system connect to a high or medium impact bulk electric 
system Cyber System and the cyber communication security controls 
required for the medium or high impact bulk electric system Cyber 
System must be implemented on the low impact system.
    (2) National Institute of Standards and Technology Framework 
Approach. A public utility may receive incentive rate treatment for 
implementing certain security controls, identified from time to time 
through a Commission issuance, that are included in the National 
Institute of Standards and Technology Framework.
    (c) Types of incentive-based rate treatments for cybersecurity 
investment. For purposes of paragraph (b) of this section, incentive-
based rate treatment shall be for those eligible cybersecurity 
investments and means any of the following:
    (1) An increase in rate of return on equity of 200 basis points;
    (2) Deferred cost recovery; or
    (3) Any other incentives approved by the Commission, pursuant to 
the requirements of this section that are deemed to be just and 
reasonable and not unduly discriminatory or preferential.
    (d) Incentive duration.
    (1) A return on equity incentive rate treatment approved pursuant 
to this section may last the earlier of:
    (i) The depreciation life of the underlying asset;
    (ii) 10 years from when the cybersecurity improvements enter 
service;
    (iii) when the investments or activities that serve as the basis of 
that incentive become mandatory pursuant to a Reliability Standard 
approved by the Commission;
    (iv) or when the public utility no longer meets the requirements 
for receiving the incentive.
    (2) A deferred regulatory asset whose costs are typically expensed 
should be amortized over a five-year period.
    (e) Incentive Applications. For the purpose of paragraphs (b) and 
(c) of this section, a public utility's request for one or more 
incentive based-rate treatments, to be made in a filing pursuant to 
section 205 of the Federal Power Act, must include a detailed 
explanation of the proposed rate treatment and include the following 
information:
    (1) For applications under the Critical Infrastructure Protection 
Incentive Approach:
    (i) The Bulk Electric System assets for which the public utility is 
requesting the incentive;
    (ii) The geographical location of the Bulk Electric System assets;
    (iii) The function the Bulk Electric System assets support;
    (iv) The incentive method the public utility is requesting for each 
of the Bulk Electric System assets;
    (v) The current and new impact ratings of the Bulk Electric System 
assets if they change because of the incentive; and
    (vi) A list of the Bulk Electric System Cyber Systems associated 
with each of the Bulk Electric System assets including details on their 
use.
    (2) For applications under the National Institute of Standards and 
Technology Framework Approach:
    (i) A description of the public utility's current cybersecurity 
posture;
    (ii) A description of the public utility's desired cybersecurity 
posture;
    (iii) A description of the quantified risk factors being addressed 
through the proposed incentive actions.
    (3) For applications requesting an increase in rate of return on 
equity of 200 basis points:
    (i) The anticipated cost of the capital investment; and
    (ii) The identity of the Commission jurisdictional rate schedule(s) 
under which it will recover the increased return on equity.
    (4) For applications requesting deferred cost recovery:
    (i) A description of any expenses, including whether the expenses 
are:
    (A) Expenses associated with third-party provision of hardware, 
software, and computing networking services;
    (B) Expenses for training to implement new cybersecurity 
enhancements; or
    (C) Other transition expenses, such as risk assessments by third 
parties or internal system reviews, and initial responses to findings 
of such assessments.
    (ii) Estimates of the cost of such expenses;
    (iii) When the costs are expected to be incurred;
    (iv) A narrative explanation of how the expenses meet the requested 
Critical Infrastructure Protection Incentive Approach or National 
Institute of Standards and Technology Framework Approach.
    (f) Reporting requirements. A public utility that has received 
cybersecurity incentives under this section must, within 120 days of 
completion of upgrades for which it receives incentives, make an 
informational filing and must make subsequent informational filings 
annually thereafter detailing the specific investments that were made 
pursuant to the Commission's approval and the corresponding FERC 
account used. An incentive recipient must describe the parts of its 
network that it upgraded in addition to the nature and cost of the 
various capital investments. For incentives where the Commission allows 
deferral of expenses, annual informational filings should describe such 
expenses in sufficient detail to demonstrate that such expenses are 
specifically related to the cybersecurity investment granted incentives 
and not for ongoing services including system

[[Page 8325]]

maintenance, surveillance, and other labor costs.
    (1) A public utility that receives incentive-based rate treatment 
under the Critical Infrastructure Protection Incentive Approach must 
also describe in its informational filings implementation of the 
enhanced security controls, as applicable, in all the topics covered by 
the Critical Infrastructure Protection Reliability Standards. For the 
first informational filing, the public utility must provide 
documentation to demonstrate voluntary application of identified 
Critical Infrastructure Protection Reliability Standards to facilities 
that are not currently subject to those requirements. For subsequent 
annual informational filings, the public utility must provide an 
updated version of the supporting documentation showing any changes 
from the prior informational filing as well as information on any 
period of time during the reported year where the public utility ceased 
to voluntarily apply identified Critical Infrastructure Protection 
Reliability Standards to facilities that are not currently subject to 
those requirements.
    (2) A public utility that receives incentive-based rate treatments 
under the National Institute of Standards and Technology Framework 
Approach must also include information that demonstrates:
    (i) The acquisition and installation of required network 
components, including confirmation that funds have been expended on the 
necessary equipment through documentation such as purchase orders, 
receipts, licensing agreements, and installation documentation with 
specified time periods;
    (ii) Attainment of necessary training and personnel, including 
documentation such as third-party contractor agreements, training 
program curricula, and official job descriptions;
    (iii) Network and sensor node recognition optimization through such 
items as configuration files, system logs, configuration settings, and 
a description of its location on the affected network;
    (iv) Incorporation of sensor nodes in the enterprise level incident 
monitoring and response plan including attesting that the information 
would be included in operational activities such as incident response 
plans, playbooks, and Standard Operating Procedures.

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

Cybersecurity Incentives

DANLY, Chairman, and GLICK, Commissioner, concurring:
    1. Threats to the cybersecurity of the bulk power system are 
numerous and growing. Ensuring that the system is adequately protected 
against those threats is an issue of national importance and one that 
must remain a priority of this Commission. Accordingly, we support this 
notice of proposed rulemaking (NOPR) as a means for soliciting further 
comments on whether this particular incentives-based approach is a just 
and reasonable and not unduly discriminatory or preferential approach 
to improving public utilities' cybersecurity posture.
    2. We write separately to highlight two general issues that we 
believe require additional attention. The first issue is whether the 
Commission can better address cybersecurity threats by directing NERC 
to expand its critical infrastructure protection (CIP) standards to 
require some or all of the investments contemplated in this NOPR. 
Although we appreciate the appeal of an incentives-based approach, the 
importance of cybersecurity demands us to at least consider whether we 
should mandate the best practices contemplated in this NOPR rather than 
simply trying to induce public utilities to adopt them.
    3. The second issue goes to the heart of what the NOPR intends to 
achieve--whether public utilities are not adopting the contemplated 
measures because the existing financial incentives are insufficient. We 
encourage commenters to address whether--and, if so, why--additional 
measures, such as an elevated ROE or deferred cost recovery, are 
necessary to incentivize public utilities to adopt additional 
cybersecurity measures.
    For these reasons, we respectfully concur.

James P. Danly,

Chairman.

Richard Glick,

Commissioner.

[FR Doc. 2021-01986 Filed 2-4-21; 8:45 am]
BILLING CODE 6717-01-P