Commission Information Collection Activities (FERC-725B(5)), 37525-37527 [2023-12241]
Federal Register / Vol. 88, No. 110 / Thursday, June 8, 2023 / Notices
DOE has decided not to prepare a
special environmental analysis.
5. Further Information
The CAISO Order, Amendment
Number 1, Amendment Number 2, and
other documents referenced herein can
be found on the Department’s website at
Federal Power Act Section 202(c):
CAISO September 2022 | Department of
Energy. The reports required by the
Amended CAISO Order will be posted
to the Department’s website when they
become available.
Signing Authority
This document of the Department of
Energy was signed on May 15, 2023, by
Puesh M. Kumar, Director for the Office
of Cybersecurity, Energy Security, and
Emergency Response, pursuant to
delegated authority from the Secretary
of Energy. That document with the
original signature and date is
maintained by DOE. For administrative
purposes only, and in compliance with
requirements of the Office of the Federal
Register, the undersigned DOE Federal
Register Liaison Officer has been
authorized to sign and submit the
document in electronic format for
publication, as an official document of
the Department of Energy. This
administrative process in no way alters
the legal effect of this document upon
publication in the Federal Register.
Signed in Washington, DC, on June 2,
2023.
Treena V. Garrett,
Federal Register Liaison Officer, U.S.
Department of Energy.
[FR Doc. 2023–12214 Filed 6–7–23; 8:45 am]
BILLING CODE 6450–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket No. RD23–3–000]
Commission Information Collection
Activities (FERC–725B(5))
AGENCY: Federal Energy Regulatory
Commission, Department of Energy.
ACTION: Notice of information collection
and request for comments.
SUMMARY: In compliance with the
requirements of the Paperwork
Reduction Act of 1995, the Federal
Energy Regulatory Commission
(Commission or FERC) is soliciting
public comment on the currently
approved information collection, FERC–725B(5),
(Mandatory Reliability
Standards, Critical Infrastructure
Protection (CIP–003–9)- Temporary
Placeholder for FERC–725B that is
pending approval at OMB.
No Comments were received on the
60-day notice published on March 30,
2023.
DATES: Comments on the collection of
information are due July 10, 2023.
ADDRESSES: Send written comments on
FERC–725B(5), Mandatory Reliability
Standards, Critical Infrastructure
Protection (CIP–003–9) to OMB through
www.reginfo.gov/public/do/PRAMain.
Attention: Federal Energy Regulatory
Commission Desk Officer. Please
identify the OMB Control No: 1902–NEW(FERC–725B(5))
in the subject line
of your comments. Comments should be
sent within 30 days of publication of
this notice to www.reginfo.gov/public/do/PRAMain.
Please submit copies of your
comments to the Commission. You may
submit copies of your comments
(identified by Docket No. RD23–3–000)
by one of the following methods:
Electronic filing through https://www.ferc.gov, is preferred.
• Electronic Filing: Documents must
be filed in acceptable native
applications and print-to-PDF, but not
in scanned or picture format.
• For those unable to file
electronically, comments may be filed
by USPS mail or by hand (including
courier) delivery.
◦ Mail via U.S. Postal Service Only:
Addressed to: Federal Energy
Regulatory Commission, Secretary of the
Commission, 888 First Street NE,
Washington, DC 20426.
◦ Hand (including courier) delivery:
Deliver to: Federal Energy Regulatory
Commission, Secretary of the
Commission, 12225 Wilkins Avenue,
Rockville, MD 20852.
Instructions: OMB submissions must
be formatted and filed in accordance
with submission guidelines at
www.reginfo.gov/public/do/PRAMain.
Using the search function under the
‘‘Currently Under Review’’ field, select
Federal Energy Regulatory Commission;
click ‘‘submit,’’ and select ‘‘comment’’
to the right of the subject collection.
FERC submissions must be formatted
and filed in accordance with submission
guidelines at: https://www.ferc.gov. For
user assistance, contact FERC Online
Support by email at ferconlinesupport@ferc.gov,
or by phone at: (866) 208–3676
(toll-free).
Docket: Users interested in receiving
automatic notification of activity in this
docket or in viewing/downloading
comments and issuances in this docket
may do so at https://www.ferc.gov/ferc-online/overview.
FOR FURTHER INFORMATION CONTACT:
Ellen Brown may be reached by email
at DataClearance@FERC.gov, telephone
at (202) 502–8663.
SUPPLEMENTARY INFORMATION:
Title: FERC–725B(5) (Mandatory
Reliability Standards, Critical
Infrastructure Protection (CIP–003–9))—
Temporary Placeholder for FERC–725B
that is pending approval at OMB
OMB Control No.: 1902–NEW.
Type of Request: New collection
request for FERC–725B(5)—temporary
placeholder for FERC–725B information
collection requirements with changes to
the reporting requirements.
Abstract: On August 8, 2005, Congress
enacted the Energy Policy Act of 2005.1
The Energy Policy Act of 2005 added a
new section 215 to the Federal Power
Act (FPA),2 which requires a
Commission-certified Electric
Reliability Organization to develop
mandatory and enforceable Reliability
Standards,3 including requirements for
cybersecurity protection, which are
subject to Commission review and
approval. Once approved, the Reliability
Standards may be enforced by the
Electric Reliability Organization subject
to Commission oversight, or the
Commission can independently enforce
Reliability Standards.
On February 3, 2006, the Commission
issued Order No. 672,4 implementing
FPA section 215. The Commission
subsequently certified the North
American Electric Reliability
Corporation (NERC) as the Electric
Reliability Organization. The Reliability
Standards developed by NERC become
mandatory and enforceable after
Commission approval and apply to
users, owners, and operators of the
Bulk-Power System, as set forth in each
Reliability Standard.5 The CIP
Reliability Standards require entities to
comply with specific requirements to
safeguard bulk electric system (BES)
Cyber Systems 6 and their associated
BES Cyber Assets. These standards are
results-based and do not specify a
technology or method to achieve
compliance, instead leaving it up to the
entity to decide how best to comply.
1 Energy Policy Act of 2005, Public Law 109–58,
sec. 1261 et seq., 119 Stat. 594 (2005).
2 16 U.S.C. 824o.
3 Section 215 of the FPA defines Reliability
Standard as a requirement, approved by the
Commission, to provide for reliable operation of
existing bulk-power system facilities, including
cybersecurity protection, and the design of planned
additions or modifications to such facilities to the
extent necessary to provide for reliable operation of
the Bulk-Power System. However, the term does not
include any requirement to enlarge such facilities
or to construct new transmission capacity or
generation capacity. Id. at 824o(a)(3).
4 Rules Concerning Certification of the Elec.
Reliability Org.; and Procedures for the
Establishment, Approval, and Enf’t of Elec.
Reliability Standards, Order No. 672, 71 FR 8661
(Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh’g,
Order No. 672–A, 71 FR 19814 (Apr. 28, 2006), 114
FERC ¶ 61,328 (2006).
5 NERC uses the term ‘‘registered entity’’ to
identify users, owners, and operators of the Bulk-Power
System responsible for performing specified
reliability functions with respect to NERC
Continued
The Commission has approved
multiple versions of the CIP Reliability
Standards submitted by NERC, partly to
address the evolving nature of cyber-related threats to the Bulk-Power
System. High impact systems include
large control centers. Medium impact
systems include smaller control centers,
ultra-high voltage transmission, and
large substations and generating
facilities. The remainder of the BES
Cyber Systems are categorized as low
impact systems. Most requirements in
the CIP Reliability Standards apply to
high and medium impact systems;
however, a technical controls
requirement in Reliability standard CIP–
003, described below, applies only to
low impact systems.
The Commission is currently revising
CIP–003 on this submission of Docket
No. RD23–3–000 to update CIP–003–8
to CIP–003–9.
The FERC–725B information
collection requirements are subject to
review by the Office of Management and
Budget (OMB) under section 3507(d) of
the Paperwork Reduction Act of 1995.7
OMB’s regulations require approval of
certain information collection
requirements imposed by agency rules.8
Upon approval of a collection of
information, OMB will assign an OMB
control number and expiration date.
Respondents subject to the filing
requirements will not be penalized for
failing to respond to these collections of
information unless the collections of
information display a valid OMB
control number. The Commission
solicits comments on the Commission’s
need for this information, whether the
information will have practical utility,
the accuracy of the burden estimates,
ways to enhance the quality, utility, and
clarity of the information to be collected
or retained, and any suggested methods
for minimizing respondents’ burden,
including the use of automated
information techniques.
Reliability Standard CIP–003–9
Security Management Controls: requires
entities to specify consistent and
sustainable security management
controls that establish responsibility
and accountability to protect BES Cyber
Systems against compromise that could
lead to mis-operation or instability on
the Bulk-Power System. Specifically,
the Reliability Standard CIP–003–9 is
being revised to add requirements for
entities to adopt mandatory security
controls for vendor electronic remote
access used at low impact BES Cyber
Systems. It is part of the implementation
of the Congressional mandate of the
Energy Policy Act of 2005 to develop
mandatory and enforceable Reliability
Standards to better ensure the reliability
of the nation’s Bulk-Power System.
Type of Respondents: Business or
other for profit, and not for profit
institutions.
Estimate of Annual Burden: 9
The Commission bases its paperwork
burden estimates on the changes in
paperwork burden presented by the
proposed revision to CIP Reliability
Standard CIP–003–9 as compared to the
current Commission-approved
Reliability Standard CIP–003–8. As
discussed above, the immediate order
addresses the area of modification to the
CIP Reliability Standards: adopting
mandatory security controls for vendor
electronic remote access used at low
impact BES Cyber Systems.
The CIP Reliability Standards, viewed
as a whole, implement a defense-in-depth approach to protecting the
security of BES Cyber Systems at all
impact levels.10 The CIP Reliability
Standards are objective-based and allow
entities to choose compliance
approaches best tailored to their
systems.11 The NERC Compliance
Registry, as of January 4, 2023, identifies
approximately 1,592 U.S. entities that
are subject to mandatory compliance
with Reliability Standards. Of this total,
we estimate that 1,579 entities will face
an increased paperwork burden under
Reliability Standard CIP 003–9,
estimating that a majority of these
entities will have one or more low
impact BES Cyber Systems. Based on
these assumptions, the Commission
estimates the total annual burden and
cost as follows:
RD23–3–000 COMMISSION ORDER
[Mandatory reliability standards for critical infrastructure protection reliability standards CIP–003–9]
                                  Number of    Annual number of  Total number     Average burden &   Total annual burden hours &     Cost per
                                  respondents  responses per     of responses     cost per           total annual cost               respondent
                                               respondent                         response 12                                        ($)
                                  (1)          (2)               (1) * (2) = (3)  (4)                (3) * (4) = (5)                 (5) ÷ (1)
Create vendor remote access       1,579        1                 1,579            60 hrs. $5,340     94,740 hrs. $8,431,860          5,340
  policy (one-time) 13.
Updates and reviews of vendor     1,579        1                 1,579            3.5 hrs. $311.50   5,527 hrs. (rounded) $491,903   311.50
  remote access policy (ongoing).
Total burden for FERC–725B(5)     ........     ........          3,158            ........           100,267 hrs. $8,923,763         ........
  under CIP–003–9.
Reliability Standards. See, e.g., Version 4 Critical
Infrastructure Protection Reliability Standards,
Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139
FERC ¶ 61,058, at P 46, order denying clarification
and reh’g, 140 FERC ¶ 61,109 (2012). Within the
NERC Reliability Standards are various subsets of
entities responsible for performing various specified
reliability functions. We collectively refer to these
as ‘‘entities.’’
6 NERC defines BES Cyber System as ‘‘[o]ne or
more BES Cyber Assets logically grouped by a
responsible entity to perform one or more reliability
tasks for a functional entity.’’ NERC, Glossary of
Terms Used in NERC Reliability Standards, at 5
(2020), https://www.nerc.com/files/glossary_of_terms.pdf
(NERC Glossary of Terms). NERC defines
BES Cyber Asset as ‘‘A Cyber Asset that if rendered
unavailable, degraded, or misused would, within 15
minutes of its required operation, mis-operation, or
non-operation, adversely impact one or more
Facilities, systems, or equipment, which, if
destroyed, degraded, or otherwise rendered
unavailable when needed, would affect the reliable
operation of the Bulk Electric System. Redundancy
of affected Facilities, systems, and equipment shall
not be considered when determining adverse
impact. Each BES Cyber Asset is included in one
or more BES Cyber Systems.’’
Id. at 4.
7 44 U.S.C. 3507(d) (2012).
8 5 CFR 1320.11 (2017).
9 ‘‘Burden’’ is the total time, effort, or financial
resources expended by persons to generate,
maintain, retain, or disclose or provide information
to or for a Federal agency. For further explanation
of what is included in the information collection
burden, refer to Title 5 Code of Federal Regulations
1320.3.
10 Order No. 822, 154 FERC ¶ 61,037 at 32.
11 Mandatory Reliability Standards for Critical
Infrastructure Protection, Order No. 706, 73 FR
7368 (Feb. 7, 2008), 122 FERC ¶ 61,040, at P 72
(2008); order on reh’g, Order No. 706–A, 123 FERC
¶ 61,174 (2008); order on clarification, Order No.
706–B, 126 FERC ¶ 61,229 (2009).
The one-time burden of 94,740 hours
that only applies for Year 1 will be
averaged over three years (94,740 hours
÷ 3 = 31,580 hours/year over three
years). The number of responses is also
averaged over three years (1,579
responses ÷ 3 = 526.33 responses/year).
The responses and burden hours for
Years 1–3 will total respectively as
follows for Year 1’s one-time burden:
Year 1: 526.33 responses; 31,580 hours
Year 2: 526.33 responses; 31,580 hours
Year 3: 526.33 responses; 31,580 hours
The responses and burden hours for
Years 1–3 will total respectively as
follows for Ongoing and beyond: 1,579
responses and 5,527 hours.
The following shows the annual cost
burden for each group, based on the
burden hours in the table above:
• Year 1: $8,431,860 (One-time)
• Years 2 and 3: $491,903 (Ongoing)
The paperwork burden estimate
includes costs associated with the initial
development of a policy to address
requirements relating to: (1) clarifying
the obligations pertaining to electronic
access control for low impact BES Cyber
Systems; (2) adopting mandatory
security controls for transient electronic
devices (e.g., thumb drives, laptop
computers, and other portable devices
frequently connected to and
disconnected from systems) used at low
impact BES Cyber Systems; and (3)
requiring responsible entities to have a
policy for declaring and responding to
CIP Exceptional Circumstances related
to low impact BES Cyber Systems.
Further, the estimate reflects the
assumption that costs incurred in year
1 will pertain to policy development,
while costs in years 2 and 3 will reflect
the burden associated with maintaining
logs and other records to demonstrate
ongoing compliance.
Comments: Comments are invited on:
(1) whether the collection of
information is necessary for the proper
performance of the functions of the
Commission, including whether the
information will have practical utility;
(2) the accuracy of the agency’s estimate
of the burden and cost of the collection
of information, including the validity of
the methodology and assumptions used;
(3) ways to enhance the quality, utility
and clarity of the information collection;
and (4) ways to minimize the burden of
the collection of information on those
who are to respond, including the use
of automated collection techniques or
other forms of information technology.
12 The loaded hourly wage figure (includes
benefits) is based on the average of three
occupational categories for 2022 found on the
Bureau of Labor Statistics website (https://www.bls.gov/oes/current/naics2_22.htm):
13 This one-time burden applies in Year One only.
Dated: June 2, 2023.
Kimberly D. Bose,
Secretary.
[FR Doc. 2023–12241 Filed 6–7–23; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
Combined Notice of Filings #1
Take notice that the Commission
received the following exempt
wholesale generator filings:
Docket Numbers: EG23–174–000.
Applicants: Red Tailed Hawk Solar
LLC.
Description: Red Tailed Hawk Solar
LLC submits Notice of Self-Certification
of Exempt Wholesale Generator Status.
Filed Date: 6/1/23.
Accession Number: 20230601–5307.
Comment Date: 5 p.m. ET 6/22/23.
Docket Numbers: EG23–175–000.
Applicants: AEUG Union Solar LLC.
Description: AEUG Union Solar LLC
submits Notice of Self–Certification of
Exempt Wholesale Generator Status.
Filed Date: 6/1/23.
Accession Number: 20230601–5308.
Comment Date: 5 p.m. ET 6/22/23.
Take notice that the Commission
received the following Complaints and
Compliance filings in EL Dockets:
Docket Numbers: EL23–74–000.
Applicants: East Kentucky Power
Cooperative, Inc. v. PJM
Interconnection, L.L.C.
Description: Complaint of East
Kentucky Power Cooperative, Inc. v. PJM
Interconnection, L.L.C.
Filed Date: 5/31/23.
Accession Number: 20230531–5426.
Comment Date: 5 p.m. ET 6/30/23.
Take notice that the Commission
received the following electric rate
filings:
Docket Numbers: ER21–502–006.
Applicants: New York Independent
System Operator, Inc.
Description: Compliance filing:
NYISO Compliance Demand Curve reset
re: FERC’s May 2023 Order to be
effective 6/9/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5118.
Comment Date: 5 p.m. ET 6/16/23.
Docket Numbers: ER23–1591–001.
Applicants: Westlands Transmission,
LLC.
Description: Tariff Amendment:
Revised 2nd Amended TSA Castanea
Project (ER23–1591–) to be effective 4/
8/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5177.
Comment Date: 5 p.m. ET 6/12/23.
Docket Numbers: ER23–1623–001.
Applicants: Mesquite Solar 4, LLC.
Description: Tariff Amendment: MS4
and MS5 Inter-Company SFA and Inter-Phase SFA Concurrence Amendments to
be effective 4/13/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5124.
Comment Date: 5 p.m. ET 6/12/23.
Docket Numbers: ER23–1624–001.
Applicants: Mesquite Solar 5, LLC.
Description: Tariff Amendment: MS4
and MS5 Inter-Company SFA and Inter-Phase SFA Concurrence Amendments to
be effective 4/13/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5126.
Comment Date: 5 p.m. ET 6/12/23.
Docket Numbers: ER23–1626–001.
Applicants: Mesquite Solar 5, LLC.
Description: Tariff Amendment: MS4
and MS5 Inter-Company SFA and Inter-Phase SFA Concurrence Amendments to
be effective 4/13/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5127.
Comment Date: 5 p.m. ET 6/12/23.
Docket Numbers: ER23–1627–001.
Applicants: Mesquite Solar 4, LLC.
Description: Tariff Amendment: MS4
and MS5 Inter-Company SFA and Inter-Phase SFA Concurrence Amendments to
be effective 4/13/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5125.
Comment Date: 5 p.m. ET 6/12/23.
Docket Numbers: ER23–2040–000.
Applicants: New York Independent
System Operator, Inc.
Description: § 205(d) Rate Filing:
NYISO 205: DER and Aggregation
market rule changes to be effective 12/
31/9998.
Filed Date: 6/1/23.
Accession Number: 20230601–5217.
Comment Date: 5 p.m. ET 6/22/23.
Docket Numbers: ER23–2041–000.
Applicants: AEP Texas Inc.
Description: § 205(d) Rate Filing:
AEPTX-Seven Flags BESS Generation
Interconnection Agreement to be
effective 5/19/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5033.
Comment Date: 5 p.m. ET 6/23/23.
Docket Numbers: ER23–2042–000.
Applicants: AEP Texas Inc.
Description: § 205(d) Rate Filing:
AEPTX-Monte Cristo Windpower
System Upgrade Agreement to be
effective 5/18/2023.
Filed Date: 6/2/23.
Accession Number: 20230602–5037.
Comment Date: 5 p.m. ET 6/23/23.
[Federal Register Volume 88, Number 110 (Thursday, June 8, 2023)]
[Notices]
[Pages 37525-37527]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-12241]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. RD23-3-000]
Commission Information Collection Activities (FERC-725B(5))
AGENCY: Federal Energy Regulatory Commission, Department of Energy.
ACTION: Notice of information collection and request for comments.
-----------------------------------------------------------------------
SUMMARY: In compliance with the requirements of the Paperwork Reduction
Act of 1995, the Federal Energy Regulatory Commission (Commission or
FERC) is soliciting public comment on the currently approved
information collection, FERC-725B(5), (Mandatory Reliability Standards,
Critical Infrastructure Protection (CIP-003-9)- Temporary Placeholder
for FERC-725B that is pending approval at OMB.
No Comments were received on the 60-day notice published on March
30, 2023.
DATES: Comments on the collection of information are due July 10, 2023.
ADDRESSES: Send written comments on FERC-725B(5), Mandatory Reliability
Standards, Critical Infrastructure Protection (CIP-003-9) to OMB
through www.reginfo.gov/public/do/PRAMain. Attention: Federal Energy
Regulatory Commission Desk Officer. Please identify the OMB Control No:
1902-NEW(FERC-725B(5)) in the subject line of your comments. Comments
should be sent within 30 days of publication of this notice to
www.reginfo.gov/public/do/PRAMain.
Please submit copies of your comments to the Commission. You may
submit copies of your comments (identified by Docket No. RD23-3-000) by
one of the following methods:
Electronic filing through https://www.ferc.gov, is preferred.
Electronic Filing: Documents must be filed in acceptable
native applications and print-to-PDF, but not in scanned or picture
format.
For those unable to file electronically, comments may be
filed by USPS mail or by hand (including courier) delivery.
[cir] Mail via U.S. Postal Service Only: Addressed to: Federal
Energy Regulatory Commission, Secretary of the Commission, 888 First
Street NE, Washington, DC 20426.
[cir] Hand (including courier) delivery: Deliver to: Federal Energy
Regulatory Commission, Secretary of the Commission, 12225 Wilkins
Avenue, Rockville, MD 20852.
Instructions: OMB submissions must be formatted and filed in
accordance with submission guidelines at www.reginfo.gov/public/do/PRAMain. Using the search function under the ``Currently Under Review''
field, select Federal Energy Regulatory Commission; click ``submit,''
and select ``comment'' to the right of the subject collection.
FERC submissions must be formatted and filed in accordance with
submission guidelines at: https://www.ferc.gov. For user assistance,
contact FERC Online Support by email at ferconlinesupport@ferc.gov, or
by phone at: (866) 208-3676 (toll-free).
Docket: Users interested in receiving automatic notification of
activity in this docket or in viewing/downloading comments and
issuances in this docket may do so at https://www.ferc.gov/ferc-online/overview.
FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at
DataClearance@FERC.gov, telephone at (202) 502-8663.
SUPPLEMENTARY INFORMATION:
Title: FERC-725B(5) (Mandatory Reliability Standards, Critical
Infrastructure Protection (CIP-003-9))--Temporary Placeholder for FERC-
725B that is pending approval at OMB
OMB Control No.: 1902-NEW.
Type of Request: New collection request for FERC-725B(5)--temporary
placeholder for FERC-725B information collection requirements with
changes to the reporting requirements.
Abstract: On August 8, 2005, Congress enacted the Energy Policy Act
of 2005.\1\ The Energy Policy Act of 2005 added a new section 215 to
the Federal Power Act (FPA),\2\ which requires a Commission-certified
Electric Reliability Organization to develop mandatory and enforceable
Reliability Standards,\3\ including requirements for cybersecurity
protection, which are subject to Commission review and approval. Once
approved, the Reliability Standards may be enforced by the Electric
Reliability Organization subject to Commission oversight, or the
Commission can independently enforce Reliability Standards.
---------------------------------------------------------------------------
\1\ Energy Policy Act of 2005, Public Law 109-58, sec. 1261 et
seq., 119 Stat. 594 (2005).
\2\ 16 U.S.C. 824o.
\3\ Section 215 of the FPA defines Reliability Standard as a
requirement, approved by the Commission, to provide for reliable
operation of existing bulk-power system facilities, including
cybersecurity protection, and the design of planned additions or
modifications to such facilities to the extent necessary to provide
for reliable operation of the Bulk-Power System. However, the term
does not include any requirement to enlarge such facilities or to
construct new transmission capacity or generation capacity. Id. at
824o(a)(3).
---------------------------------------------------------------------------
On February 3, 2006, the Commission issued Order No. 672,\4\
implementing FPA section 215. The Commission subsequently certified the
North American Electric Reliability Corporation (NERC) as the Electric
Reliability Organization. The Reliability Standards developed by NERC
become mandatory and enforceable after Commission approval and apply to
users, owners, and operators of the Bulk-Power System, as set forth in
each Reliability Standard.\5\ The CIP
Reliability Standards require entities to comply with specific
requirements to safeguard bulk electric system (BES) Cyber Systems \6\
and their associated BES Cyber Assets. These standards are results-
based and do not specify a technology or method to achieve compliance,
instead leaving it up to the entity to decide how best to comply.
---------------------------------------------------------------------------
\4\ Rules Concerning Certification of the Elec. Reliability
Org.; and Procedures for the Establishment, Approval, and Enf't of
Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17,
2006), 114 FERC ] 61,104, order on reh'g, Order No. 672-A, 71 FR
19814 (Apr. 28, 2006), 114 FERC ] 61,328 (2006).
\5\ NERC uses the term ``registered entity'' to identify users,
owners, and operators of the Bulk-Power System responsible for
performing specified reliability functions with respect to NERC
Reliability Standards. See, e.g., Version 4 Critical Infrastructure
Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr.
25, 2012), 139 FERC ] 61,058, at P 46, order denying clarification
and reh'g, 140 FERC ] 61,109 (2012). Within the NERC Reliability
Standards are various subsets of entities responsible for performing
various specified reliability functions. We collectively refer to
these as ``entities.''
\6\ NERC defines BES Cyber System as ``[o]ne or more BES Cyber
Assets logically grouped by a responsible entity to perform one or
more reliability tasks for a functional entity.'' NERC, Glossary of
Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms).
NERC defines BES Cyber Asset as ``A Cyber Asset that if rendered
unavailable, degraded, or misused would, within 15 minutes of its
required operation, mis-operation, or non-operation, adversely
impact one or more Facilities, systems, or equipment, which, if
destroyed, degraded, or otherwise rendered unavailable when needed,
would affect the reliable operation of the Bulk Electric System.
Redundancy of affected Facilities, systems, and equipment shall not
be considered when determining adverse impact. Each BES Cyber Asset
is included in one or more BES Cyber Systems.''
Id. at 4.
---------------------------------------------------------------------------
The Commission has approved multiple versions of the CIP
Reliability Standards submitted by NERC, partly to address the evolving
nature of cyber-related threats to the Bulk-Power System. High impact
systems include large control centers. Medium impact systems include
smaller control centers, ultra-high voltage transmission, and large
substations and generating facilities. The remainder of the BES Cyber
Systems are categorized as low impact systems. Most requirements in the
CIP Reliability Standards apply to high and medium impact systems;
however, a technical controls requirement in Reliability standard CIP-
003, described below, applies only to low impact systems.
The Commission is currently revising CIP-003 on this submission of
Docket No. RD23-3-000 to update CIP-003-8 to CIP-003-9.
The FERC-725B information collection requirements are subject to
review by the Office of Management and Budget (OMB) under section
3507(d) of the Paperwork Reduction Act of 1995.\7\ OMB's regulations
require approval of certain information collection requirements imposed
by agency rules.\8\ Upon approval of a collection of information, OMB
will assign an OMB control number and expiration date. Respondents
subject to the filing requirements will not be penalized for failing to
respond to these collections of information unless the collections of
information display a valid OMB control number. The Commission solicits
comments on the Commission's need for this information, whether the
information will have practical utility, the accuracy of the burden
estimates, ways to enhance the quality, utility, and clarity of the
information to be collected or retained, and any suggested methods for
minimizing respondents' burden, including the use of automated
information techniques.
---------------------------------------------------------------------------
\7\ 44 U.S.C. 3507(d) (2012).
\8\ 5 CFR 1320.11 (2017).
---------------------------------------------------------------------------
Reliability Standard CIP-003-9 Security Management Controls:
requires entities to specify consistent and sustainable security
management controls that establish responsibility and accountability to
protect BES Cyber Systems against compromise that could lead to mis-
operation or instability on the Bulk-Power System. Specifically, the
Reliability Standard CIP-003-9 is being revised to add requirements for
entities to adopt mandatory security controls for vendor electronic
remote access used at low impact BES Cyber Systems. It is part of the
implementation of the Congressional mandate of the Energy Policy Act of
2005 to develop mandatory and enforceable Reliability Standards to
better ensure the reliability of the nation's Bulk-Power System.
Type of Respondents: Business or other for profit, and not for
profit institutions.
Estimate of Annual Burden: \9\
---------------------------------------------------------------------------
\9\ ``Burden'' is the total time, effort, or financial resources
expended by persons to generate, maintain, retain, or disclose or
provide information to or for a Federal agency. For further
explanation of what is included in the information collection
burden, refer to Title 5 Code of Federal Regulations 1320.3.
---------------------------------------------------------------------------
The Commission bases its paperwork burden estimates on the changes
in paperwork burden presented by the proposed revision to CIP
Reliability Standard CIP-003-9 as compared to the current Commission-
approved Reliability Standard CIP-003-8. As discussed above, the
immediate order addresses the area of modification to the CIP
Reliability Standards: adopting mandatory security controls for vendor
electronic remote access used at low impact BES Cyber Systems.
The CIP Reliability Standards, viewed as a whole, implement a
defense-in-depth approach to protecting the security of BES Cyber
Systems at all impact levels.\10\ The CIP Reliability Standards are
objective-based and allow entities to choose compliance approaches best
tailored to their systems.\11\ The NERC Compliance Registry, as of
January 4, 2023, identifies approximately 1,592 U.S. entities that are
subject to mandatory compliance with Reliability Standards. Of this
total, we estimate that 1,579 entities will face an increased paperwork
burden under Reliability Standard CIP-003-9, estimating that a majority
of these entities will have one or more low impact BES Cyber Systems.
Based on these assumptions, the Commission estimates the total annual
burden and cost as follows:
---------------------------------------------------------------------------
\10\ Order No. 822, 154 FERC ¶ 61,037 at 32.
\11\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ¶
61,040, at P 72 (2008); order on reh'g, Order No. 706-A, 123 FERC ¶
61,174 (2008); order on clarification, Order No. 706-B, 126 FERC ¶
61,229 (2009).
---------------------------------------------------------------------------
RD23-3-000 Commission Order
[Mandatory reliability standards for critical infrastructure protection reliability standards CIP-003-9]
----------------------------------------------------------------------------------------------------------------------------------------------------------
                                  Number of     Annual number    Total number      Average burden &      Total annual burden hours &        Cost per
                                  respondents   of responses     of responses      cost per response     total annual cost                  respondent ($)
                                  (1)           per respondent   (1) * (2) = (3)   \12\ (4)              (3) * (4) = (5)                    (5) / (1)
                                                (2)
----------------------------------------------------------------------------------------------------------------------------------------------------------
Create vendor remote access       1,579         1                1,579             60 hrs. $5,340        94,740 hrs. $8,431,860             5,340
  policy (one-time) \13\
Updates and reviews of vendor     1,579         1                1,579             3.5 hrs. $311.50      5,527 hrs. (rounded) $491,903      311.50
  remote access policy (ongoing)
Total burden for FERC-725B(5)                                    3,158                                   100,267 hrs. $8,923,763
  under CIP-003-9
----------------------------------------------------------------------------------------------------------------------------------------------------------
The one-time burden of 94,740 hours that only applies for Year 1
will be averaged over three years (94,740 hours / 3 = 31,580 hours/year
over three years). The number of responses is also averaged over three
years (1,579 responses / 3 = 526.33 responses/year).
---------------------------------------------------------------------------
\12\ The loaded hourly wage figure (includes benefits) is based
on the average of three occupational categories for 2022 found on
the Bureau of Labor Statistics website (https://www.bls.gov/oes/current/naics2_22.htm):
\13\ This one-time burden applies in Year One only.
---------------------------------------------------------------------------
For Year 1's one-time burden, the responses and burden hours for
Years 1-3 will total, respectively, as follows:
Year 1: 526.33 responses; 31,580 hours
Year 2: 526.33 responses; 31,580 hours
Year 3: 526.33 responses; 31,580 hours
For the ongoing burden, the responses and burden hours for Years 1-3
and beyond will total, respectively, 1,579 responses and 5,527 hours.
The following shows the annual cost burden for each group, based on
the burden hours in the table above:
Year 1: $8,431,860 (One-time)
Years 2 and 3: $491,903 (Ongoing)
The paperwork burden estimate includes costs associated with the
initial development of a policy to address requirements relating to:
(1) clarifying the obligations pertaining to electronic access control
for low impact BES Cyber Systems; (2) adopting mandatory security
controls for transient electronic devices (e.g., thumb drives, laptop
computers, and other portable devices frequently connected to and
disconnected from systems) used at low impact BES Cyber Systems; and
(3) requiring responsible entities to have a policy for declaring and
responding to CIP Exceptional Circumstances related to low impact BES
Cyber Systems. Further, the estimate reflects the assumption that costs
incurred in year 1 will pertain to policy development, while costs in
years 2 and 3 will reflect the burden associated with maintaining logs
and other records to demonstrate ongoing compliance.
Comments: Comments are invited on: (1) whether the collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information will have practical
utility; (2) the accuracy of the agency's estimate of the burden and
cost of the collection of information, including the validity of the
methodology and assumptions used; (3) ways to enhance the quality,
utility and clarity of the information collection; and (4) ways to
minimize the burden of the collection of information on those who are
to respond, including the use of automated collection techniques or
other forms of information technology.
Dated: June 2, 2023.
Kimberly D. Bose,
Secretary.
[FR Doc. 2023-12241 Filed 6-7-23; 8:45 am]
BILLING CODE 6717-01-P