Commission Information Collection Activities (FERC-725B(5)); Comment Request; Extension, 19124-19126 [2023-06600]

Download as PDF 19124 Federal Register / Vol. 88, No. 61 / Thursday, March 30, 2023 / Notices must file in accordance with Rules 211 and 214 of the Commission’s Regulations (18 CFR 385.211 and 385.214) on or before 5:00 p.m. Eastern time on the specified comment date. Protests may be considered, but intervention is necessary to become a party to the proceeding. The filings are accessible in the Commission’s eLibrary system (https:// elibrary.ferc.gov/idmws/search/ fercgensearch.asp) by querying the docket number. eFiling is encouraged. More detailed information relating to filing requirements, interventions, protests, service, and qualifying facilities filings can be found at: https://www.ferc.gov/ docs-filing/efiling/filing-req.pdf. For other information, call (866) 208–3676 (toll free). For TTY, call (202) 502–8659. Dated: March 24, 2023. Debbie-Anne A. Reese, Deputy Secretary. [FR Doc. 2023–06601 Filed 3–29–23; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. RD23–3–000] Commission Information Collection Activities (FERC–725B(5)); Comment Request; Extension Federal Energy Regulatory Commission, Department of Energy. ACTION: Notice of information collection and request for comments. AGENCY: In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC– 725B(5), (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP–003–9)—Temporary Placeholder for FERC–725B that is pending approval at OMB. DATES: Comments on the collection of information are due May 30, 2023. ADDRESSES: You may submit copies of your comments (identified by Docket No. RD23–3–000) by one of the following methods: Electronic filing through https:// www.ferc.gov, is preferred. • Electronic Filing: Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format. • For those unable to file electronically, comments may be filed lotter on DSK11XQN23PROD with NOTICES1 SUMMARY: VerDate Sep<11>2014 17:22 Mar 29, 2023 Jkt 259001 by USPS mail or by hand (including courier) delivery: Æ Mail via U.S. Postal Service Only: Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426. Æ Hand (including courier) Delivery: Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852. Instructions: All submissions must be formatted and filed in accordance with submission guidelines at: https:// www.ferc.gov. For user assistance, contact FERC Online Support by email at ferconlinesupport@ferc.gov, or by phone at (866) 208–3676 (toll-free). Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at https://www.ferc.gov. FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at DataClearance@FERC.gov, telephone at (202) 502–8663. SUPPLEMENTARY INFORMATION: Title: FERC–725B(5) (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP–003–9))— Temporary Placeholder for FERC–725B that is pending approval at OMB. OMB Control No.: 1902–NEW. Type of Request: New collection request for FERC–725B(5)—temporary placeholder for FERC–725B information collection requirements with changes to the reporting requirements. Abstract: On August 8, 2005, Congress enacted the Energy Policy Act of 2005.1 The Energy Policy Act of 2005 added a new section 215 to the Federal Power Act (FPA),2 which requires a Commission-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards,3 including requirements for cybersecurity protection, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the Electric Reliability Organization subject to Commission oversight, or the 1 Energy Policy Act of 2005, Public Law 109–58, sec. 1261 et seq., 119 Stat. 594 (2005). 2 16 U.S.C. 824o. 3 Section 215 of the FPA defines Reliability Standard as a requirement, approved by the Commission, to provide for reliable operation of existing bulk-power system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation of the Bulk-Power System. However, the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity. Id. at 824o(a)(3). PO 00000 Frm 00074 Fmt 4703 Sfmt 4703 Commission can independently enforce Reliability Standards. On February 3, 2006, the Commission issued Order No. 672,4 implementing FPA section 215. The Commission subsequently certified the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization. The Reliability Standards developed by NERC become mandatory and enforceable after Commission approval and apply to users, owners, and operators of the Bulk-Power System, as set forth in each Reliability Standard.5 The CIP Reliability Standards require entities to comply with specific requirements to safeguard bulk electric system (BES) Cyber Systems 6 and their associated BES Cyber Assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply. The Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyberrelated threats to the Bulk-Power System. High impact systems include large control centers. Medium impact systems include smaller control centers, ultra-high voltage transmission, and large substations and generating 4 Rules Concerning Certification of the Elec. Reliability Org.; and Procedures for the Establishment, Approval, and Enf’t of Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh’g, Order No. 672–A, 71 FR 19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006). 5 NERC uses the term ‘‘registered entity’’ to identify users, owners, and operators of the BulkPower System responsible for performing specified reliability functions with respect to NERC Reliability Standards. See, e.g., Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification and reh’g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability Standards are various subsets of entities responsible for performing various specified reliability functions. We collectively refer to these as ‘‘entities.’’ 6 NERC defines BES Cyber System as ‘‘[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.’’ NERC, Glossary of Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_ terms.pdf (NERC Glossary of Terms). NERC defines BES Cyber Asset as A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or nonoperation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. Id. at 4. E:\FR\FM\30MRN1.SGM 30MRN1 Federal Register / Vol. 88, No. 61 / Thursday, March 30, 2023 / Notices facilities. The remainder of the BES Cyber Systems are categorized as low impact systems. Most requirements in the CIP Reliability Standards apply to high and medium impact systems; however, a technical controls requirement in Reliability standard CIP– 003, described below, applies only to low impact systems. The Commission is currently revising CIP–003 on this submission of Docket No. RD23–3–000 to update CIP–003–8 to CIP–003–9. The FERC–725B information collection requirements are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.7 OMB’s regulations require approval of certain information collection requirements imposed by agency rules.8 Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission’s need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents’ burden, including the use of automated information techniques. Reliability Standard CIP–003–9 Security Management Controls: requires entities to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to mis-operation or instability on the Bulk-Power System. Specifically, the Reliability Standard CIP–003–9 is revised to add requirements for entities to adopt mandatory security controls for vendor electronic remote access used at low impact BES Cyber Systems. It is part of the implementation of the Congressional mandate of the Energy Policy Act of 2005 to develop mandatory and enforceable Reliability Standards to better ensure the reliability of the nation’s Bulk-Power System. Type of Respondents: Business or other for profit, and not for profit institutions. Estimate of Annual Burden: 9 The Commission bases its paperwork burden estimates on the changes in 19125 paperwork burden presented by the proposed revision to CIP Reliability Standard CIP–003–9 as compared to the current Commission-approved Reliability Standard CIP–003–8. As discussed above, the immediate order addresses the area of modification to the CIP Reliability Standards: adopting mandatory security controls for vendor electronic remote access used at low impact BES Cyber Systems. The CIP Reliability Standards, viewed as a whole, implement a defense-indepth approach to protecting the security of BES Cyber Systems at all impact levels.10 The CIP Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems.11 The NERC Compliance Registry, as of January 4, 2023, identifies approximately 1,592 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,579 entities will face an increased paperwork burden under Reliability Standard CIP 003–9, estimating that a majority of these entities will have one or more low impact BES Cyber Systems. Based on these assumptions, the Commission estimates the total annual burden and cost as follows: RD23–3–000 COMMISSION ORDER [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards CIP–003–9] Number of respondents Annual number of responses per respondent Total number of responses Average burden & cost per response 12 Total annual burden hours & total annual cost Cost per respondent ($) (1) (2) (1) * (2) = (3) (4) (3) * (4) = (5) (5) ÷ (1) Create vendor remote access policy (onetime) 13. Updates and reviews of vendor remote access policy (ongoing). 1,579 1 1,579 60 hrs.; $5,340 ......... 94,740 hrs.; $8,431,860 .. $5,340 1,579 1 1,579 3.5 hrs.; $311.50 ...... 5,527 hrs. (rounded); $491,903. 311.50 Total burden for FERC–725B(5) under CIP–003–9. ........................ ........................ 3,158 ................................... 100,267 hrs.; $8,923,763 The one-time burden of 94,740 hours that only applies for Year 1 will be averaged over three years (94,740 hours ÷ 3 = 31,580 hours/year over three years). The number of responses is also averaged over three years (1,579 responses ÷ 3 = 526.33 responses/year). The ongoing burden of 5,527 hours/ year applies for only Years 2 and 7 44 U.S.C. 3507(d) (2012). CFR 1320.11 (2017). 9 ‘‘Burden’’ is the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. For further explanation of what is included in the information collection burden, refer to Title 5 Code of Federal Regulations 1320.3. 10 Order No. 822, 154 FERC ¶ 61,037 at 32. lotter on DSK11XQN23PROD with NOTICES1 85 VerDate Sep<11>2014 17:22 Mar 29, 2023 Jkt 259001 ........................ beyond (5,527 hours (Year 2) + 5,527 hours (Year 3) ÷ 3 = 5,527 hours. Similarly, the number of responses is also averaged over three years ((1,579 responses (Year 2) + 1,579 (Year 3)) ÷ 3 = 1,57914). The responses and burden hours for Years 1–3 will total respectively as follows for Year 1 one-time burden: Year 1: 526.33 responses; 31,580 hours Year 2: 526.33 responses; 31,580 hours Year 3: 526.33 responses; 31,580 hours 11 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ¶ 61,040, at P 72 (2008); order on reh’g, Order No. 706–A, 123 FERC ¶ 61,174 (2008); order on clarification, Order No. 706–B, 126 FERC ¶ 61,229 (2009). 12 The loaded hourly wage figure (includes benefits) is based on the average of three occupational categories for 2022 found on the Bureau of Labor Statistics website (https:// www.bls.gov/oes/current/naics2_22.htm): Legal (Occupation Code: 23–0000): $145.35. Electrical Engineer (Occupation Code: 17–2071): $77.02. Office and Administrative Support (Occupation Code: 43–0000): $43.62 ($145.35 + $77.02 + $43.62) ÷ 3 = $88.66. The figure is rounded to $89.00 for use in calculating wage figures in this Commission Order. 13 This one-time burden applies in Year One only. PO 00000 Frm 00075 Fmt 4703 Sfmt 4703 The responses and burden hours for Years 1–3 will total respectively as follows for Ongoing and beyond: 1,579 responses and 5,527 hours E:\FR\FM\30MRN1.SGM 30MRN1 19126 Federal Register / Vol. 88, No. 61 / Thursday, March 30, 2023 / Notices The following shows the annual cost burden for each group, based on the burden hours in the table above: • Year 1: $8,431,860 (Onetime) • Years 2 and 3: $491,903 (Ongoing) The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: (1) clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to policy development, while costs in years 2 and 3 will reflect the burden associated with maintaining logs and other records to demonstrate ongoing compliance. Comments: Comments are invited on: (1) whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency’s estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology. Federal Energy Regulatory Commission, Department of Energy. In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC Form No. 73, (Oil Pipeline Service Life Data), which will be submitted to the Office of Management and Budget (OMB) for review. No Comments were received on the 60-day notice published on January 19, 2023. DATES: Comments on the collection of information are due May 1, 2023. ADDRESSES: Send written comments on FERC–73 to OMB through www.reginfo.gov/public/do/PRAMain. Attention: Federal Energy Regulatory Commission Desk Officer. Please identify the OMB Control Number (1902–0019) in the subject line of your comments. Comments should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/ PRAMain. Please submit copies of your comments to the Commission. You may submit copies of your comments (identified by Docket No. IC23–4–000) by one of the following methods: Electronic filing through https:// www.ferc.gov, is preferred. • Electronic Filing: Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format. • For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery. Æ Mail via U.S. Postal Service Only: Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426. Æ Hand (including courier) delivery: Deliver to: Federal Energy Regulatory Commission, Secretary of the Commission, 12225 Wilkins Avenue, Rockville, MD 20852. Instructions: OMB submissions must be formatted and filed in accordance with submission guidelines at www.reginfo.gov/public/do/PRAMain. Using the search function under the ‘‘Currently Under Review’’ field, select Federal Energy Regulatory Commission; click ‘‘submit,’’ and select ‘‘comment’’ to the right of the subject collection. FERC submissions must be formatted and filed in accordance with submission 1 ‘‘Burden’’ is the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. For further explanation Dated: March 24, 2023. Debbie-Anne A. Reese, Deputy Secretary. [FR Doc. 2023–06600 Filed 3–29–23; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. IC23–4–000] lotter on DSK11XQN23PROD with NOTICES1 Notice of information collection and request for comments. ACTION: Commission Information Collection Activities (FERC–73) Comment Request; Extension AGENCY: VerDate Sep<11>2014 17:22 Mar 29, 2023 Jkt 259001 SUMMARY: PO 00000 Frm 00076 Fmt 4703 Sfmt 4703 guidelines at: https://www.ferc.gov. For user assistance, contact FERC Online Support by email at ferconlinesupport@ ferc.gov, or by phone at: (866) 208–3676 (toll-free). Docket: Users interested in receiving automatic notification of activity in this docket or in viewing/downloading comments and issuances in this docket may do so at https://www.ferc.gov/ferconline/overview. FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at DataClearance@FERC.gov, telephone at (202) 502–8663. SUPPLEMENTARY INFORMATION: Title: FERC Form No. 73, Oil Pipeline Service Life Data. OMB Control No.: 1902–0019. Type of Request: Three-year extension of the FERC Form No. 73 information collection requirements with no changes to the current reporting requirements. Abstract: The Commission collects FERC Form No. 73 information as part of its authority under the Interstate Commerce Act, 49 U.S.C. 60501, et al. FERC Form No. 73 contains necessary information for the review of oil pipeline companies’ proposed depreciation rates, as regulated entities are required to provide service life data illustrating the remaining physical life of an oil pipeline’s properties. This is used to calculate the company’s cost of service and its transportation rates to access customers. The Commission implements these filing reviews under the purview of 18 CFR part 357.3, FERC Form No. 73, Oil Pipeline Data for Depreciation Analysis, and 18 CFR part 347. Parts 357.3 and 347 require an oil pipeline company to submit information under FERC Form No. 73 when: (1) requesting approval for new or changed depreciation rates of an oil pipeline; or (2) being directed by the Commission to file the service life data during an investigation of its book depreciation rates. Type of Respondent: Oil pipeline companies. Estimate of Annual Burden:1 The Commission estimates the annual public reporting burden for the information collection as below: of what is included in the information collection burden, refer to 5 CFR 1320.3. E:\FR\FM\30MRN1.SGM 30MRN1

Agencies

[Federal Register Volume 88, Number 61 (Thursday, March 30, 2023)]
[Notices]
[Pages 19124-19126]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-06600]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. RD23-3-000]


Commission Information Collection Activities (FERC-725B(5)); 
Comment Request; Extension

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of information collection and request for comments.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of the Paperwork Reduction 
Act of 1995, the Federal Energy Regulatory Commission (Commission or 
FERC) is soliciting public comment on the currently approved 
information collection, FERC-725B(5), (Mandatory Reliability Standards, 
Critical Infrastructure Protection (CIP-003-9)--Temporary Placeholder 
for FERC-725B that is pending approval at OMB.

DATES: Comments on the collection of information are due May 30, 2023.

ADDRESSES: You may submit copies of your comments (identified by Docket 
No. RD23-3-000) by one of the following methods:
    Electronic filing through https://www.ferc.gov, is preferred.
     Electronic Filing: Documents must be filed in acceptable 
native applications and print-to-PDF, but not in scanned or picture 
format.
     For those unable to file electronically, comments may be 
filed by USPS mail or by hand (including courier) delivery:
    [cir] Mail via U.S. Postal Service Only: Addressed to: Federal 
Energy Regulatory Commission, Secretary of the Commission, 888 First 
Street NE, Washington, DC 20426.
    [cir] Hand (including courier) Delivery: Deliver to: Federal Energy 
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
    Instructions: All submissions must be formatted and filed in 
accordance with submission guidelines at: https://www.ferc.gov. For user 
assistance, contact FERC Online Support by email at 
[email protected], or by phone at (866) 208-3676 (toll-free).
    Docket: Users interested in receiving automatic notification of 
activity in this docket or in viewing/downloading comments and 
issuances in this docket may do so at https://www.ferc.gov.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at 
[email protected], telephone at (202) 502-8663.

SUPPLEMENTARY INFORMATION: 
    Title: FERC-725B(5) (Mandatory Reliability Standards, Critical 
Infrastructure Protection (CIP-003-9))--Temporary Placeholder for FERC-
725B that is pending approval at OMB.
    OMB Control No.: 1902-NEW.
    Type of Request: New collection request for FERC-725B(5)--temporary 
placeholder for FERC-725B information collection requirements with 
changes to the reporting requirements.
    Abstract: On August 8, 2005, Congress enacted the Energy Policy Act 
of 2005.\1\ The Energy Policy Act of 2005 added a new section 215 to 
the Federal Power Act (FPA),\2\ which requires a Commission-certified 
Electric Reliability Organization to develop mandatory and enforceable 
Reliability Standards,\3\ including requirements for cybersecurity 
protection, which are subject to Commission review and approval. Once 
approved, the Reliability Standards may be enforced by the Electric 
Reliability Organization subject to Commission oversight, or the 
Commission can independently enforce Reliability Standards.
---------------------------------------------------------------------------

    \1\ Energy Policy Act of 2005, Public Law 109-58, sec. 1261 et 
seq., 119 Stat. 594 (2005).
    \2\ 16 U.S.C. 824o.
    \3\ Section 215 of the FPA defines Reliability Standard as a 
requirement, approved by the Commission, to provide for reliable 
operation of existing bulk-power system facilities, including 
cybersecurity protection, and the design of planned additions or 
modifications to such facilities to the extent necessary to provide 
for reliable operation of the Bulk-Power System. However, the term 
does not include any requirement to enlarge such facilities or to 
construct new transmission capacity or generation capacity. Id. at 
824o(a)(3).
---------------------------------------------------------------------------

    On February 3, 2006, the Commission issued Order No. 672,\4\ 
implementing FPA section 215. The Commission subsequently certified the 
North American Electric Reliability Corporation (NERC) as the Electric 
Reliability Organization. The Reliability Standards developed by NERC 
become mandatory and enforceable after Commission approval and apply to 
users, owners, and operators of the Bulk-Power System, as set forth in 
each Reliability Standard.\5\ The CIP Reliability Standards require 
entities to comply with specific requirements to safeguard bulk 
electric system (BES) Cyber Systems \6\ and their associated BES Cyber 
Assets. These standards are results-based and do not specify a 
technology or method to achieve compliance, instead leaving it up to 
the entity to decide how best to comply.
---------------------------------------------------------------------------

    \4\ Rules Concerning Certification of the Elec. Reliability 
Org.; and Procedures for the Establishment, Approval, and Enf't of 
Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 
2006), 114 FERC ] 61,104, order on reh'g, Order No. 672-A, 71 FR 
19814 (Apr. 28, 2006), 114 FERC ] 61,328 (2006).
    \5\ NERC uses the term ``registered entity'' to identify users, 
owners, and operators of the Bulk-Power System responsible for 
performing specified reliability functions with respect to NERC 
Reliability Standards. See, e.g., Version 4 Critical Infrastructure 
Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 
25, 2012), 139 FERC ] 61,058, at P 46, order denying clarification 
and reh'g, 140 FERC ] 61,109 (2012). Within the NERC Reliability 
Standards are various subsets of entities responsible for performing 
various specified reliability functions. We collectively refer to 
these as ``entities.''
    \6\ NERC defines BES Cyber System as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' NERC, Glossary of 
Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). 
NERC defines BES Cyber Asset as
    A Cyber Asset that if rendered unavailable, degraded, or misused 
would, within 15 minutes of its required operation, mis-operation, 
or non-operation, adversely impact one or more Facilities, systems, 
or equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable when needed, would affect the reliable operation of the 
Bulk Electric System. Redundancy of affected Facilities, systems, 
and equipment shall not be considered when determining adverse 
impact. Each BES Cyber Asset is included in one or more BES Cyber 
Systems.
    Id. at 4.
---------------------------------------------------------------------------

    The Commission has approved multiple versions of the CIP 
Reliability Standards submitted by NERC, partly to address the evolving 
nature of cyber-related threats to the Bulk-Power System. High impact 
systems include large control centers. Medium impact systems include 
smaller control centers, ultra-high voltage transmission, and large 
substations and generating

[[Page 19125]]

facilities. The remainder of the BES Cyber Systems are categorized as 
low impact systems. Most requirements in the CIP Reliability Standards 
apply to high and medium impact systems; however, a technical controls 
requirement in Reliability standard CIP-003, described below, applies 
only to low impact systems.
    The Commission is currently revising CIP-003 on this submission of 
Docket No. RD23-3-000 to update CIP-003-8 to CIP-003-9. The FERC-725B 
information collection requirements are subject to review by the Office 
of Management and Budget (OMB) under section 3507(d) of the Paperwork 
Reduction Act of 1995.\7\ OMB's regulations require approval of certain 
information collection requirements imposed by agency rules.\8\ Upon 
approval of a collection of information, OMB will assign an OMB control 
number and expiration date. Respondents subject to the filing 
requirements will not be penalized for failing to respond to these 
collections of information unless the collections of information 
display a valid OMB control number. The Commission solicits comments on 
the Commission's need for this information, whether the information 
will have practical utility, the accuracy of the burden estimates, ways 
to enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
---------------------------------------------------------------------------

    \7\ 44 U.S.C. 3507(d) (2012).
    \8\ 5 CFR 1320.11 (2017).
---------------------------------------------------------------------------

    Reliability Standard CIP-003-9 Security Management Controls: 
requires entities to specify consistent and sustainable security 
management controls that establish responsibility and accountability to 
protect BES Cyber Systems against compromise that could lead to mis-
operation or instability on the Bulk-Power System. Specifically, the 
Reliability Standard CIP-003-9 is revised to add requirements for 
entities to adopt mandatory security controls for vendor electronic 
remote access used at low impact BES Cyber Systems. It is part of the 
implementation of the Congressional mandate of the Energy Policy Act of 
2005 to develop mandatory and enforceable Reliability Standards to 
better ensure the reliability of the nation's Bulk-Power System.
    Type of Respondents: Business or other for profit, and not for 
profit institutions.
    Estimate of Annual Burden: 9
---------------------------------------------------------------------------

    \9\ ``Burden'' is the total time, effort, or financial resources 
expended by persons to generate, maintain, retain, or disclose or 
provide information to or for a Federal agency. For further 
explanation of what is included in the information collection 
burden, refer to Title 5 Code of Federal Regulations 1320.3.
---------------------------------------------------------------------------

    The Commission bases its paperwork burden estimates on the changes 
in paperwork burden presented by the proposed revision to CIP 
Reliability Standard CIP-003-9 as compared to the current Commission-
approved Reliability Standard CIP-003-8. As discussed above, the 
immediate order addresses the area of modification to the CIP 
Reliability Standards: adopting mandatory security controls for vendor 
electronic remote access used at low impact BES Cyber Systems.
    The CIP Reliability Standards, viewed as a whole, implement a 
defense-in-depth approach to protecting the security of BES Cyber 
Systems at all impact levels.\10\ The CIP Reliability Standards are 
objective-based and allow entities to choose compliance approaches best 
tailored to their systems.\11\ The NERC Compliance Registry, as of 
January 4, 2023, identifies approximately 1,592 U.S. entities that are 
subject to mandatory compliance with Reliability Standards. Of this 
total, we estimate that 1,579 entities will face an increased paperwork 
burden under Reliability Standard CIP 003-9, estimating that a majority 
of these entities will have one or more low impact BES Cyber Systems. 
Based on these assumptions, the Commission estimates the total annual 
burden and cost as follows:
---------------------------------------------------------------------------

    \10\ Order No. 822, 154 FERC ] 61,037 at 32.
    \11\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ] 
61,040, at P 72 (2008); order on reh'g, Order No. 706-A, 123 FERC ] 
61,174 (2008); order on clarification, Order No. 706-B, 126 FERC ] 
61,229 (2009).
    \12\ The loaded hourly wage figure (includes benefits) is based 
on the average of three occupational categories for 2022 found on 
the Bureau of Labor Statistics website (https://www.bls.gov/oes/current/naics2_22.htm):
    Legal (Occupation Code: 23-0000): $145.35.
    Electrical Engineer (Occupation Code: 17-2071): $77.02.
    Office and Administrative Support (Occupation Code: 43-0000): 
$43.62 ($145.35 + $77.02 + $43.62) / 3 = $88.66. The figure is 
rounded to $89.00 for use in calculating wage figures in this 
Commission Order.
    \13\ This one-time burden applies in Year One only.

                                                               RD23-3-000 Commission Order
                        [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards CIP-003-9]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                        Annual number                                              Total annual burden
                                          Number of     of responses    Total number     Average burden & cost     hours & total annual      Cost per
                                         respondents   per respondent   of responses       per response \12\               cost           respondent ($)
                                                  (1)             (2)     (1) * (2) =  (4).....................  (3) * (4) = (5)........       (5) / (1)
                                                                                  (3)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Create vendor remote access policy              1,579               1           1,579  60 hrs.; $5,340.........  94,740 hrs.; $8,431,860          $5,340
 (one-time) \13\.
Updates and reviews of vendor remote            1,579               1           1,579  3.5 hrs.; $311.50.......  5,527 hrs. (rounded);            311.50
 access policy (ongoing).                                                                                         $491,903.
                                      ------------------------------------------------------------------------------------------------------------------
    Total burden for FERC-725B(5)      ..............  ..............           3,158  ........................  100,267 hrs.;            ..............
     under CIP-003-9.                                                                                             $8,923,763.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    The one-time burden of 94,740 hours that only applies for Year 1 
will be averaged over three years (94,740 hours / 3 = 31,580 hours/year 
over three years). The number of responses is also averaged over three 
years (1,579 responses / 3 = 526.33 responses/year).
    The ongoing burden of 5,527 hours/year applies for only Years 2 and 
beyond (5,527 hours (Year 2) + 5,527 hours (Year 3) / 3 = 5,527 hours. 
Similarly, the number of responses is also averaged over three years 
((1,579 responses (Year 2) + 1,579 (Year 3)) / 3 = 1,579\14\).
    The responses and burden hours for Years 1-3 will total 
respectively as follows for Year 1 one-time burden:

Year 1: 526.33 responses; 31,580 hours
Year 2: 526.33 responses; 31,580 hours
Year 3: 526.33 responses; 31,580 hours

    The responses and burden hours for Years 1-3 will total 
respectively as follows for Ongoing and beyond: 1,579 responses and 
5,527 hours

[[Page 19126]]

    The following shows the annual cost burden for each group, based on 
the burden hours in the table above:

 Year 1: $8,431,860 (Onetime)
 Years 2 and 3: $491,903 (Ongoing)

    The paperwork burden estimate includes costs associated with the 
initial development of a policy to address requirements relating to: 
(1) clarifying the obligations pertaining to electronic access control 
for low impact BES Cyber Systems; (2) adopting mandatory security 
controls for transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at low impact BES Cyber Systems; and 
(3) requiring responsible entities to have a policy for declaring and 
responding to CIP Exceptional Circumstances related to low impact BES 
Cyber Systems. Further, the estimate reflects the assumption that costs 
incurred in year 1 will pertain to policy development, while costs in 
years 2 and 3 will reflect the burden associated with maintaining logs 
and other records to demonstrate ongoing compliance.
    Comments: Comments are invited on: (1) whether the collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimate of the burden and 
cost of the collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information collection; and (4) ways to 
minimize the burden of the collection of information on those who are 
to respond, including the use of automated collection techniques or 
other forms of information technology.

    Dated: March 24, 2023.
Debbie-Anne A. Reese,
Deputy Secretary.
[FR Doc. 2023-06600 Filed 3-29-23; 8:45 am]
BILLING CODE 6717-01-P


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.