Commission Information Collection Activities (Ferc-725b) Comment Request; Extension, 51131-51133 [2021-19784]

Download as PDF Federal Register / Vol. 86, No. 175 / Tuesday, September 14, 2021 / Notices (8) Annual Estimated Reporting and Recordkeeping Cost Burden: $58,115,655. Statutory Authority: 42 U.S.C. 2201. Signing Authority This document of the Department of Energy was signed on August 26, 2021, by John R. Bashista, Director, Office of Acquisition Management and Senior Procurement Executive, pursuant to delegated authority from the Secretary of Energy. That document with the original signature and date is maintained by DOE. For administrative purposes only, and in compliance with requirements of the Office of the Federal Register, the undersigned DOE Federal Register Liaison Officer has been authorized to sign and submit the document in electronic format for publication, as an official document of the Department of Energy. This administrative process in no way alters the legal effect of this document upon publication in the Federal Register. Signed in Washington, DC, on September 8, 2021. Treena V. Garrett, Federal Register Liaison Officer, U.S. Department of Energy. [FR Doc. 2021–19731 Filed 9–13–21; 8:45 am] BILLING CODE 6450–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. IC21–26–000] Commission Information Collection Activities (Ferc–725b) Comment Request; Extension Federal Energy Regulatory Commission. ACTION: Notice of information collection and request for comments. AGENCY: In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC– 725B, (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP), which will be submitted to the Office of Management and Budget (OMB) for review. tkelley on DSK125TN23PROD with NOTICES SUMMARY: Comments on the collection of information are due October 14, 2021. ADDRESSES: Send written comments on FERC–725B to OMB through www.reginfo.gov/public/do/PRAMain. Attention: Federal Energy Regulatory DATES: VerDate Sep<11>2014 21:55 Sep 13, 2021 Jkt 253001 Commission Desk Officer. Please identify the OMB Control Number (1902–0248) in the subject line of your comments. Comments should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/ PRAMain. Please submit copies of your comments to the Commission. You may submit copies of your comments (identified by Docket No. IC21–26–000) by one of the following methods: Electronic filing through http:// www.ferc.gov, is preferred. • Electronic Filing: Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format. • For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery. Æ Mail via U.S. Postal Service Only: Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426. Æ Hand (including courier) Delivery: Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852. Instructions: OMB submissions must be formatted and filed in accordance with submission guidelines at www.reginfo.gov/public/do/PRAMain. Using the search function under the ‘‘Currently Under Review’’ field, select Federal Energy Regulatory Commission; click ‘‘submit,’’ and select ‘‘comment’’ to the right of the subject collection. FERC submissions must be formatted and filed in accordance with submission guidelines at: http://www.ferc.gov. For user assistance, contact FERC Online Support by email at ferconlinesupport@ ferc.gov, or by phone at: (866) 208–3676 (toll-free). Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at https://www.ferc.gov/ferconline/overview. FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at DataClearance@FERC.gov, telephone at (202) 502–8663. SUPPLEMENTARY INFORMATION: Title: FERC–725B (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP)). OMB Control No.: 1902–0248. Type of Request: Three-year extension of the FERC–725B information collection requirements with no changes to the reporting requirements. PO 00000 Frm 00034 Fmt 4703 Sfmt 4703 51131 Abstract: On August 8, 2005, Congress enacted the Energy Policy Act of 2005.1 The Energy Policy Act of 2005 added a new section 215 to the FPA,2 which requires a Commission-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards,3 including requirements for cybersecurity protection, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the Electric Reliability Organization subject to Commission oversight, or the Commission can independently enforce Reliability Standards. On February 3, 2006, the Commission issued Order No. 672,4 implementing FPA section 215. The Commission subsequently certified NERC as the Electric Reliability Organization. The Reliability Standards developed by NERC become mandatory and enforceable after Commission approval and apply to users, owners, and operators of the Bulk-Power System, as set forth in each Reliability Standard.5 The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply. On January 18, 2008, the Commission issued Order No. 706,6 approving the initial eight CIP Reliability Standards, CIP version 1 Standards, submitted by 1 Energy Policy Act of 2005, Public Law 109–58, sec. 1261 et seq., 119 Stat. 594 (2005). 2 16 U.S.C. 824o. 3 FPA section 215 defines Reliability Standard as a requirement, approved by the Commission, to provide for reliable operation of existing bulkpower system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation of the Bulk-Power System. However, the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity. Id. at 824o(a)(3). 4 Rules Concerning Certification of the Elec. Reliability Org.; and Procedures for the Establishment, Approval, and Enf’t of Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh’g, Order No. 672–A, 71 FR 19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006). 5 NERC uses the term ‘‘registered entity’’ to identify users, owners, and operators of the BulkPower System responsible for performing specified reliability functions with respect to NERC Reliability Standards. See, e.g., Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification and reh’g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability Standards are various subsets of entities responsible for performing various specified reliability functions. We collectively refer to these as ‘‘entities.’’ 6 Order No. 706, 122 FERC ¶ 61,040 at P 1. E:\FR\FM\14SEN1.SGM 14SEN1 51132 Federal Register / Vol. 86, No. 175 / Tuesday, September 14, 2021 / Notices tkelley on DSK125TN23PROD with NOTICES NERC. Subsequently, the Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyber-related threats to the Bulk-Power System. On November 22, 2013, the Commission issued Order No. 791,7 approving CIP version 5 Standards, the last major revision to the CIP Reliability Standards. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or low risk to the operation of the Bulk Electric System (BES) 8 if compromised. High impact systems include large control centers. Medium impact systems include smaller control centers, ultrahigh voltage transmission, and large substations and generating facilities. The remainder of the BES Cyber Systems 9 are categorized as low impact systems. Most requirements in the CIP Reliability Standards apply to high and medium impact systems; however, a technical controls requirement in Reliability standard CIP–003, described below, applies only to low impact systems. Since 2013, the Commission has approved new and modified CIP Reliability Standards that address specific issues such as supply chain risk management, cyber incident reporting, 7 Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶ 61,160 (2013), order on reh’g, Order No. 791–A, 146 FERC ¶ 61,188 (2014). 8 In general, NERC defines BES to include all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy. See NERC, Bulk Electric System Definition Reference Document, Version 3, at page iii (August 2018). In Order No. 693, the Commission found that NERC’s definition of BES is narrower than the statutory definition of Bulk-Power System. The Commission decided to rely on the NERC definition of BES to provide certainty regarding the applicability of Reliability Standards to specific entities. See Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79, 491, order on reh’g, Order No. 693–A, 72 FR 49717 (July 25, 2007), 120 FERC ¶ 61,053 (2007). 9 NERC defines BES Cyber System as ‘‘[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.’’ NERC, Glossary of Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_ terms.pdf (NERC Glossary of Terms). NERC defines BES Cyber Asset as A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or nonoperation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. Id. at 4. VerDate Sep<11>2014 21:55 Sep 13, 2021 Jkt 253001 communications between control centers, and the physical security of critical transmission facilities.10 The CIP Reliability Standards currently consist of 13 standards specifying a set of requirements that entities must follow to ensure the cyber and physical security of the Bulk-Power System. • CIP–002–5.1a Bulk Electric System Cyber System Categorization: Requires entities to identify and categorize BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. • CIP–003–8 Security Management Controls: Requires entities to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. • CIP–004–6 Personnel and Training: Requires entities to minimize the risk against compromise that could lead to mis-operation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems. • CIP–005–6 Electronic Security Perimeter(s): Requires entities to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. • CIP–006–6 Physical Security of Bulk Electric System Cyber Systems: Requires entities to manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. • CIP–007–6 System Security Management: Requires entities to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. • CIP–008–6 Incident Reporting and Response Planning: Requires entities to 10 See, e.g., Order No. 791, 78 FR 72755; Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 81 FR 4177 (Jan. 26, 2016), 154 FERC ¶ 61,037, reh’g denied, Order No. 822–A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure Protection Reliability Standard CIP– 003–7—Cyber Security—Security Management Controls, Order No. 843, 163 FERC ¶ 61,032 (2018). PO 00000 Frm 00035 Fmt 4703 Sfmt 4703 mitigate the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements. • CIP–009–6 Recovery Plans for Bulk Electric System Cyber Systems: Requires entities to recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES. • CIP–010–3 Configuration Change Management and Vulnerability Assessments: Requires entities to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES. • CIP–011–2 Information Protection: Requires entities to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES. • CIP–012–1 Communications Between Control Centers: 11 Requires entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers. • CIP–013–1 Supply Chain Risk Management: Requires entities to mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems. • CIP–014–2 Physical Security: Requires the Transmission Owner to perform a risk assessment, consisting of a transmission analysis, to determine which of those Transmission stations and Transmission Substations and conduct an assessment of potential threats and vulnerabilities to those Transmission stations, Transmission substations, and primary control centers using a tailored evaluation process. The CIP Reliability Standards, viewed as a whole, implement a defense-indepth approach to protecting the security of BES Cyber Systems at all impact levels.12 The CIP Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems.13 11 CIP–012–1: Communications Between Control Centers will be subject to enforcement by July 1, 2022. 12 Order No. 822, 154 FERC ¶ 61,037 at 32. 13 Order No. 706, 122 FERC ¶ 61,040 at 72. E:\FR\FM\14SEN1.SGM 14SEN1 51133 Federal Register / Vol. 86, No. 175 / Tuesday, September 14, 2021 / Notices FERC–725B—(MANDATORY RELIABILITY STANDARDS FOR CRITICAL INFRASTRUCTURE PROTECTION [CIP] RELIABILITY STANDARDS) AFTER ADDING FILERS FROM CYBERSECURITY INCENTIVES INVESTMENT ACTIVITY [Submitted as a separate IC within FERC–725B] CIP–003–8 17 ....................... CIP–003–8 19 ....................... CIP–003–8 20 ....................... CIP–002–5.1a, CIP–004–6, CIP–005–6, CIP–006–6, CIP–007–6, CIP–008–6, CIP–009–6, CIP–010–3, CIP–011–2. CIP–013–1 .......................... CIP–014–2 .......................... CIP–012–1 .......................... Total Burden of FERC– 725B. Number and type of respondent 14 Annual number of responses per respondent) Total number of responses Average burden per response (hours) 15 & Cost per response Total annual burden (hours) & total annual cost 16 ($) (1) (2) (1) * (2) = (3) (4) (3) * (4) = (5) 18 1,149 300 1 1 1 344,700 1,149 343 343 1.5 hrs.; $127.53 ................. 20 hrs.; $1,700.40 ............... 1 hr.; $85.02 ....................... 600 21 hrs.; $51,012 ............ 517,050 hrs; $43,959,591 23,220 hrs.; $1,974,164.4 343 hrs.; $29,161.86 205,800 hrs., $17,497,116 23 724 1 1 1 343 321 724 30 hrs.; $2550.60 ................ 2 hrs.; $170.04 .................... 83 hrs.; $7,056.66 ............... 10,290 hrs.; $874,855.80 642 hrs.; $54,582.84 60,092 hrs., $5,109,021.84 ........................ ........................ 347,923 ............................................. 817,437 hrs.; $69,498,493.74 1,149 343 343 343 22 321 tkelley on DSK125TN23PROD with NOTICES Comments: Commentsare invited on: (1) Whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency’s estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of 14 The number of respondents is based on the NERC Compliance Registry as of June 22, 2021. Currently there are 1,508 unique NERC Registered, subtracting 16 Canadians Entities yields 1492 U.S. entities. 15 Of the average estimated 295.702 hours per response, 210 hours are for recordkeeping, and 85.702 hours are for reporting. 16 The estimates for cost per hour are $85.02/hour (averaged based on the following occupations):Manager (Occupational Code: 11– 0000): $97.89/hour; and • Electrical Engineer (Occupational Code 17–2071): $72.15/hour, from the Bureau of Labor and Statistics at http://bls.gov/ oes/current/naics3_221000.htm, as of June 2021. 17 Updates and reviews of low impact TCA assets (ongoing) 18 We estimate that 1,161 entities will face an increased paperwork burden under Reliability Standard CIP 003–8, estimating that a majority of these entities will have one or more low impact BES Cyber Systems. 19 Update paperwork for access control implementation in Section 2 and Section 3 (ongoing) 20 Modification and approval of cybersecurity policies for all CIP Standards 21 600 hr. estimate is based on ongoing burden estimate from Order No. 791, added to the 3-year audit burden split over 3 years: 600 = (640/3) + (408 ¥ (20 + 1)). (20 + 1) is the CIP–003–8 burden. 22 321 U.S. Transmission Owners in NERC Compliance Registry as of June 22, 2021. 23 The number of entities and the number of hours required are based on FERC Order No. 802 which approved CIP–012–1. VerDate Sep<11>2014 21:55 Sep 13, 2021 Jkt 253001 the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology. Dated: September 8, 2021. Kimberly D. Bose, Secretary. [FR Doc. 2021–19784 Filed 9–13–21; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. ER21–2847–000] Montague Solar, LLC; Supplemental Notice That Initial Market-Based Rate Filing Includes Request for Blanket Section 204 Authorization This is a supplemental notice in the above-referenced proceeding of Montague Solar, LLC’s application for market-based rate authority, with an accompanying rate tariff, noting that such application includes a request for blanket authorization, under 18 CFR part 34, of future issuances of securities and assumptions of liability. Any person desiring to intervene or to protest should file with the Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, in accordance with Rules 211 and 214 of the Commission’s Rules of Practice and Procedure (18 CFR 385.211 and 385.214). Anyone filing a motion to intervene or protest must serve a copy of that document on the Applicant. Notice is hereby given that the deadline for filing protests with regard PO 00000 Frm 00036 Fmt 4703 Sfmt 4703 to the applicant’s request for blanket authorization, under 18 CFR part 34, of future issuances of securities and assumptions of liability, is September 28, 2021. The Commission encourages electronic submission of protests and interventions in lieu of paper, using the FERC Online links at http:// www.ferc.gov. To facilitate electronic service, persons with internet access who will eFile a document and/or be listed as a contact for an intervenor must create and validate an eRegistration account using the eRegistration link. Select the eFiling link to log on and submit the intervention or protests. Persons unable to file electronically may mail similar pleadings to the Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426. Hand delivered submissions in docketed proceedings should be delivered to Health and Human Services, 12225 Wilkins Avenue, Rockville, Maryland 20852. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission’s Home Page (http:// www.ferc.gov) using the ‘‘eLibrary’’ link. Enter the docket number excluding the last three digits in the docket number field to access the document. At this time, the Commission has suspended access to the Commission’s Public Reference Room, due to the proclamation declaring a National Emergency concerning the Novel E:\FR\FM\14SEN1.SGM 14SEN1

Agencies

[Federal Register Volume 86, Number 175 (Tuesday, September 14, 2021)]
[Notices]
[Pages 51131-51133]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-19784]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC21-26-000]


Commission Information Collection Activities (Ferc-725b) Comment 
Request; Extension

AGENCY: Federal Energy Regulatory Commission.

ACTION: Notice of information collection and request for comments.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of the Paperwork Reduction 
Act of 1995, the Federal Energy Regulatory Commission (Commission or 
FERC) is soliciting public comment on the currently approved 
information collection, FERC-725B, (Mandatory Reliability Standards, 
Critical Infrastructure Protection (CIP), which will be submitted to 
the Office of Management and Budget (OMB) for review.

DATES: Comments on the collection of information are due October 14, 
2021.

ADDRESSES: Send written comments on FERC-725B to OMB through 
www.reginfo.gov/public/do/PRAMain. Attention: Federal Energy Regulatory 
Commission Desk Officer. Please identify the OMB Control Number (1902-
0248) in the subject line of your comments. Comments should be sent 
within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain.
    Please submit copies of your comments to the Commission. You may 
submit copies of your comments (identified by Docket No. IC21-26-000) 
by one of the following methods:
    Electronic filing through http://www.ferc.gov, is preferred.
     Electronic Filing: Documents must be filed in acceptable 
native applications and print-to-PDF, but not in scanned or picture 
format.
     For those unable to file electronically, comments may be 
filed by USPS mail or by hand (including courier) delivery.
    [cir] Mail via U.S. Postal Service Only: Addressed to: Federal 
Energy Regulatory Commission, Secretary of the Commission, 888 First 
Street NE, Washington, DC 20426.
    [cir] Hand (including courier) Delivery: Deliver to: Federal Energy 
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
    Instructions: OMB submissions must be formatted and filed in 
accordance with submission guidelines at www.reginfo.gov/public/do/PRAMain. Using the search function under the ``Currently Under Review'' 
field, select Federal Energy Regulatory Commission; click ``submit,'' 
and select ``comment'' to the right of the subject collection.
    FERC submissions must be formatted and filed in accordance with 
submission guidelines at: http://www.ferc.gov. For user assistance, 
contact FERC Online Support by email at [email protected], or 
by phone at: (866) 208-3676 (toll-free).
    Docket: Users interested in receiving automatic notification of 
activity in this docket or in viewing/downloading comments and 
issuances in this docket may do so at https://www.ferc.gov/ferc-online/overview.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at 
[email protected], telephone at (202) 502-8663.

SUPPLEMENTARY INFORMATION:
    Title: FERC-725B (Mandatory Reliability Standards, Critical 
Infrastructure Protection (CIP)).
    OMB Control No.: 1902-0248.
    Type of Request: Three-year extension of the FERC-725B information 
collection requirements with no changes to the reporting requirements.
    Abstract: On August 8, 2005, Congress enacted the Energy Policy Act 
of 2005.\1\ The Energy Policy Act of 2005 added a new section 215 to 
the FPA,\2\ which requires a Commission-certified Electric Reliability 
Organization to develop mandatory and enforceable Reliability 
Standards,\3\ including requirements for cybersecurity protection, 
which are subject to Commission review and approval. Once approved, the 
Reliability Standards may be enforced by the Electric Reliability 
Organization subject to Commission oversight, or the Commission can 
independently enforce Reliability Standards.
---------------------------------------------------------------------------

    \1\ Energy Policy Act of 2005, Public Law 109-58, sec. 1261 et 
seq., 119 Stat. 594 (2005).
    \2\ 16 U.S.C. 824o.
    \3\ FPA section 215 defines Reliability Standard as a 
requirement, approved by the Commission, to provide for reliable 
operation of existing bulk-power system facilities, including 
cybersecurity protection, and the design of planned additions or 
modifications to such facilities to the extent necessary to provide 
for reliable operation of the Bulk-Power System. However, the term 
does not include any requirement to enlarge such facilities or to 
construct new transmission capacity or generation capacity. Id. at 
824o(a)(3).
---------------------------------------------------------------------------

    On February 3, 2006, the Commission issued Order No. 672,\4\ 
implementing FPA section 215. The Commission subsequently certified 
NERC as the Electric Reliability Organization. The Reliability 
Standards developed by NERC become mandatory and enforceable after 
Commission approval and apply to users, owners, and operators of the 
Bulk-Power System, as set forth in each Reliability Standard.\5\ The 
CIP Reliability Standards require entities to comply with specific 
requirements to safeguard critical cyber assets. These standards are 
results-based and do not specify a technology or method to achieve 
compliance, instead leaving it up to the entity to decide how best to 
comply.
---------------------------------------------------------------------------

    \4\ Rules Concerning Certification of the Elec. Reliability 
Org.; and Procedures for the Establishment, Approval, and Enf't of 
Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 
2006), 114 FERC ] 61,104, order on reh'g, Order No. 672-A, 71 FR 
19814 (Apr. 28, 2006), 114 FERC ] 61,328 (2006).
    \5\ NERC uses the term ``registered entity'' to identify users, 
owners, and operators of the Bulk-Power System responsible for 
performing specified reliability functions with respect to NERC 
Reliability Standards. See, e.g., Version 4 Critical Infrastructure 
Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 
25, 2012), 139 FERC ] 61,058, at P 46, order denying clarification 
and reh'g, 140 FERC ] 61,109 (2012). Within the NERC Reliability 
Standards are various subsets of entities responsible for performing 
various specified reliability functions. We collectively refer to 
these as ``entities.''
---------------------------------------------------------------------------

    On January 18, 2008, the Commission issued Order No. 706,\6\ 
approving the initial eight CIP Reliability Standards, CIP version 1 
Standards, submitted by

[[Page 51132]]

NERC. Subsequently, the Commission has approved multiple versions of 
the CIP Reliability Standards submitted by NERC, partly to address the 
evolving nature of cyber-related threats to the Bulk-Power System. On 
November 22, 2013, the Commission issued Order No. 791,\7\ approving 
CIP version 5 Standards, the last major revision to the CIP Reliability 
Standards. The CIP version 5 Standards implement a tiered approach to 
categorize assets, identifying them as high, medium, or low risk to the 
operation of the Bulk Electric System (BES) \8\ if compromised. High 
impact systems include large control centers. Medium impact systems 
include smaller control centers, ultra-high voltage transmission, and 
large substations and generating facilities. The remainder of the BES 
Cyber Systems \9\ are categorized as low impact systems. Most 
requirements in the CIP Reliability Standards apply to high and medium 
impact systems; however, a technical controls requirement in 
Reliability standard CIP-003, described below, applies only to low 
impact systems. Since 2013, the Commission has approved new and 
modified CIP Reliability Standards that address specific issues such as 
supply chain risk management, cyber incident reporting, communications 
between control centers, and the physical security of critical 
transmission facilities.\10\
---------------------------------------------------------------------------

    \6\ Order No. 706, 122 FERC ] 61,040 at P 1.
    \7\ Version 5 Critical Infrastructure Protection Reliability 
Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ] 
61,160 (2013), order on reh'g, Order No. 791-A, 146 FERC ] 61,188 
(2014).
    \8\ In general, NERC defines BES to include all Transmission 
Elements operated at 100 kV or higher and Real Power and Reactive 
Power resources connected at 100 kV or higher. This does not include 
facilities used in the local distribution of electric energy. See 
NERC, Bulk Electric System Definition Reference Document, Version 3, 
at page iii (August 2018). In Order No. 693, the Commission found 
that NERC's definition of BES is narrower than the statutory 
definition of Bulk-Power System. The Commission decided to rely on 
the NERC definition of BES to provide certainty regarding the 
applicability of Reliability Standards to specific entities. See 
Mandatory Reliability Standards for the Bulk-Power System, Order No. 
693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ] 61,218, at PP 75, 79, 
491, order on reh'g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 
120 FERC ] 61,053 (2007).
    \9\ NERC defines BES Cyber System as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' NERC, Glossary of 
Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). 
NERC defines BES Cyber Asset as
    A Cyber Asset that if rendered unavailable, degraded, or misused 
would, within 15 minutes of its required operation, mis-operation, 
or non-operation, adversely impact one or more Facilities, systems, 
or equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable when needed, would affect the reliable operation of the 
Bulk Electric System. Redundancy of affected Facilities, systems, 
and equipment shall not be considered when determining adverse 
impact. Each BES Cyber Asset is included in one or more BES Cyber 
Systems.
     Id. at 4.
    \10\ See, e.g., Order No. 791, 78 FR 72755; Revised Critical 
Infrastructure Protection Reliability Standards, Order No. 822, 81 
FR 4177 (Jan. 26, 2016), 154 FERC ] 61,037, reh'g denied, Order No. 
822-A, 156 FERC ] 61,052 (2016); Revised Critical Infrastructure 
Protection Reliability Standard CIP-003-7--Cyber Security--Security 
Management Controls, Order No. 843, 163 FERC ] 61,032 (2018).
---------------------------------------------------------------------------

    The CIP Reliability Standards currently consist of 13 standards 
specifying a set of requirements that entities must follow to ensure 
the cyber and physical security of the Bulk-Power System.
     CIP-002-5.1a Bulk Electric System Cyber System 
Categorization: Requires entities to identify and categorize BES Cyber 
Assets for the application of cyber security requirements commensurate 
with the adverse impact that loss, compromise, or misuse of those BES 
Cyber Systems could have on the reliable operation of the BES.
     CIP-003-8 Security Management Controls: Requires entities 
to specify consistent and sustainable security management controls that 
establish responsibility and accountability to protect BES Cyber 
Systems against compromise that could lead to mis-operation or 
instability in the BES.
     CIP-004-6 Personnel and Training: Requires entities to 
minimize the risk against compromise that could lead to mis-operation 
or instability in the BES from individuals accessing BES Cyber Systems 
by requiring an appropriate level of personnel risk assessment, 
training, and security awareness in support of protecting BES Cyber 
Systems.
     CIP-005-6 Electronic Security Perimeter(s): Requires 
entities to manage electronic access to BES Cyber Systems by specifying 
a controlled Electronic Security Perimeter in support of protecting BES 
Cyber Systems against compromise that could lead to mis-operation or 
instability in the BES.
     CIP-006-6 Physical Security of Bulk Electric System Cyber 
Systems: Requires entities to manage physical access to BES Cyber 
Systems by specifying a physical security plan in support of protecting 
BES Cyber Systems against compromise that could lead to mis-operation 
or instability in the BES.
     CIP-007-6 System Security Management: Requires entities to 
manage system security by specifying select technical, operational, and 
procedural requirements in support of protecting BES Cyber Systems 
against compromise that could lead to mis-operation or instability in 
the BES.
     CIP-008-6 Incident Reporting and Response Planning: 
Requires entities to mitigate the risk to the reliable operation of the 
BES as the result of a cybersecurity incident by specifying incident 
response requirements.
     CIP-009-6 Recovery Plans for Bulk Electric System Cyber 
Systems: Requires entities to recover reliability functions performed 
by BES Cyber Systems by specifying recovery plan requirements in 
support of the continued stability, operability, and reliability of the 
BES.
     CIP-010-3 Configuration Change Management and 
Vulnerability Assessments: Requires entities to prevent and detect 
unauthorized changes to BES Cyber Systems by specifying configuration 
change management and vulnerability assessment requirements in support 
of protecting BES Cyber Systems from compromise that could lead to mis-
operation or instability in the BES.
     CIP-011-2 Information Protection: Requires entities to 
prevent unauthorized access to BES Cyber System Information by 
specifying information protection requirements in support of protecting 
BES Cyber Systems against compromise that could lead to mis-operation 
or instability in the BES.
     CIP-012-1 Communications Between Control Centers: \11\ 
Requires entities to protect the confidentiality and integrity of Real-
time Assessment and Real-time monitoring data transmitted between 
Control Centers.
---------------------------------------------------------------------------

    \11\ CIP-012-1: Communications Between Control Centers will be 
subject to enforcement by July 1, 2022.
---------------------------------------------------------------------------

     CIP-013-1 Supply Chain Risk Management: Requires entities 
to mitigate cybersecurity risks to the reliable operation of the BES by 
implementing security controls for supply chain risk management of BES 
Cyber Systems.
     CIP-014-2 Physical Security: Requires the Transmission 
Owner to perform a risk assessment, consisting of a transmission 
analysis, to determine which of those Transmission stations and 
Transmission Substations and conduct an assessment of potential threats 
and vulnerabilities to those Transmission stations, Transmission 
substations, and primary control centers using a tailored evaluation 
process.
    The CIP Reliability Standards, viewed as a whole, implement a 
defense-in-depth approach to protecting the security of BES Cyber 
Systems at all impact levels.\12\ The CIP Reliability Standards are 
objective-based and allow entities to choose compliance approaches best 
tailored to their systems.\13\
---------------------------------------------------------------------------

    \12\ Order No. 822, 154 FERC ] 61,037 at 32.
    \13\ Order No. 706, 122 FERC ] 61,040 at 72.

[[Page 51133]]



 FERC-725B--(Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards) After Adding Filers From Cybersecurity
                                                             Incentives Investment Activity
                                                      [Submitted as a separate IC within FERC-725B]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                             Number and     Annual number
                                               type of      of responses    Total number of    Average burden per response   Total annual burden (hours)
                                             respondent          per           responses         (hours) \15\ & Cost per    & total annual cost \16\ ($)
                                                \14\         respondent)                                response
                                                      (1)             (2)    (1) * (2) = (3)  (4).........................  (3) * (4) = (5)
--------------------------------------------------------------------------------------------------------------------------------------------------------
CIP-003-8 \17\...........................      \18\ 1,149             300            344,700  1.5 hrs.; $127.53...........  517,050 hrs; $43,959,591
CIP-003-8 \19\...........................           1,149               1              1,149  20 hrs.; $1,700.40..........  23,220 hrs.; $1,974,164.4
CIP-003-8 \20\...........................             343               1                343  1 hr.; $85.02...............  343 hrs.; $29,161.86
CIP-002-5.1a, CIP-004-6, CIP-005-6, CIP-              343               1                343  600 \21\ hrs.; $51,012......  205,800 hrs., $17,497,116
 006-6, CIP-007-6, CIP-008-6, CIP-009-6,
 CIP-010-3, CIP-011-2.
CIP-013-1................................             343               1                343  30 hrs.; $2550.60...........  10,290 hrs.; $874,855.80
CIP-014-2................................        \22\ 321               1                321  2 hrs.; $170.04.............  642 hrs.; $54,582.84
CIP-012-1................................        \23\ 724               1                724  83 hrs.; $7,056.66..........  60,092 hrs., $5,109,021.84
                                          --------------------------------------------------------------------------------------------------------------
    Total Burden of FERC-725B............  ..............  ..............            347,923  ............................  817,437 hrs.; $69,498,493.74
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Comments: Comments are invited on: (1) Whether the collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimate of the burden and 
cost of the collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information collection; and (4) ways to 
minimize the burden of the collection of information on those who are 
to respond, including the use of automated collection techniques or 
other forms of information technology.
---------------------------------------------------------------------------

    \14\ The number of respondents is based on the NERC Compliance 
Registry as of June 22, 2021. Currently there are 1,508 unique NERC 
Registered, subtracting 16 Canadians Entities yields 1492 U.S. 
entities.
    \15\ Of the average estimated 295.702 hours per response, 210 
hours are for recordkeeping, and 85.702 hours are for reporting.
    \16\ The estimates for cost per hour are $85.02/hour (averaged 
based on the following occupations):Manager (Occupational Code: 11-
0000): $97.89/hour; and  Electrical Engineer (Occupational 
Code 17-2071): $72.15/hour, from the Bureau of Labor and Statistics 
at http://bls.gov/oes/current/naics3_221000.htm, as of June 2021.
    \17\ Updates and reviews of low impact TCA assets (ongoing)
    \18\ We estimate that 1,161 entities will face an increased 
paperwork burden under Reliability Standard CIP 003-8, estimating 
that a majority of these entities will have one or more low impact 
BES Cyber Systems.
    \19\ Update paperwork for access control implementation in 
Section 2 and Section 3 (ongoing)
    \20\ Modification and approval of cybersecurity policies for all 
CIP Standards
    \21\ 600 hr. estimate is based on ongoing burden estimate from 
Order No. 791, added to the 3-year audit burden split over 3 years: 
600 = (640/3) + (408 - (20 + 1)). (20 + 1) is the CIP-003-8 burden.
    \22\ 321 U.S. Transmission Owners in NERC Compliance Registry as 
of June 22, 2021.
    \23\ The number of entities and the number of hours required are 
based on FERC Order No. 802 which approved CIP-012-1.

    Dated: September 8, 2021.
Kimberly D. Bose,
Secretary.
[FR Doc. 2021-19784 Filed 9-13-21; 8:45 am]
BILLING CODE 6717-01-P