FERC-725(1A) (OMB No. 1902-0225)
Final Rule in Docket No. RM15-14-002; RIN: 1902-AF07
(7/21/2016)
Supporting Statement for
FERC-725(1A), Refinements to Policies and procedures for Market-Based Rates for Wholesale Sales of Electric Energy, Capacity and Ancillary Services by Public Utilities; and Requirements for Sellers and Virtual/FTR Participants for Analytics and Surveillance Purposes
As modified by the Final Rule in Docket No. RM15-14-002
The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve FERC-725(1A), Revised Critical Infrastructure Protection Reliability Standards
Justification
CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY
The requirements for the ERO to develop Reliability Standards and to provide data to the Commission are included in the existing FERC-725 (OMB Control No. 1901-0225). FERC-725 includes information used by the Commission to implement the statutory provisions of section 215 of the FPA. FERC-725 includes the burden, reporting and recordkeeping requirements associated with: (a) Self-Assessment and ERO Application, (b) Reliability Assessments, (c) Reliability Standards Development, (d) Reliability Compliance, (e) Stakeholder Survey, and (f) Other Reporting. In addition, the final rule will not result in a substantive increase in burden because this requirement to develop standards is covered under FERC-725. However, there is another unrelated item which is currently pending OMB review under FERC-725, and only one item per OMB Control No. can be pending OMB review at a time. Therefore, the requirements in this Final Rule in RM15-14-002 are being submitted under a new temporary or interim collection number (FERC-725(1A)) to ensure timely submittal to OMB. FERC will use ‘placeholder’ estimates of 1 response and 1 burden hour for the burden calculation.
On August 8, 2005, The Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.1 EPAct 2005 added a new section 215 to the Federal Power Act (FPA), which requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards2, which are subject to Commission review and approval. Section 215 of the Federal Power Act (FPA) requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.3 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,4 and subsequently certified NERC.5
EPAct gave FERC new authorities (codified in 16 USC 824o) and described expectations of the Commission-approved ERO. FERC may certify one ERO if FERC determines that the ERO:
“(1)has the ability to develop and enforce ... reliability standards that provide for an adequate level of reliability of the bulk-power system; and
(2)has established rules that—
(A)assure its independence of the users and owners and operators of the bulk-power system, while assuring fair stakeholder representation ...
(C)provide fair and impartial procedures for enforcement of reliability standards ...
(D)provide for reasonable notice and opportunity for public comment, due process, openness, and balance of interests in developing reliability standards….”
FERC has jurisdiction within the U.S. over the ERO and “any regional entities, and all users, owners and operators of the bulk-power system... for purposes of approving reliability standards established under this section and enforcing compliance with this section. All users, owners and operators of the bulk-power system shall comply with reliability standards that take effect under this section.”
HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION
Pursuant to section 215(d)(5) of the Federal Power Act (FPA),6 the Commission directs NERC to develop a new or modified Reliability Standard for supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. NERC is directed to develop a forward-looking, objective-based Reliability Standard to provide security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.7 The new or modified Reliability Standard should address the following security objectives, (1) software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls. In making this directive, the Commission does not require NERC to impose any specific controls nor does the Commission require NERC to propose “one-size-fits-all” requirements. The new or modified Reliability Standard should require responsible entities to meet the four objectives, or some equally efficient and effective set of objectives, while providing flexibility to responsible entities as to how to meet those objectives.
The new or modified Reliability Standard is intended to mitigate the risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System. The Commission finds that the record supports the development of mandatory requirements for the protection of the aspects of the supply chain that are within the control of responsible entities.
DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.
The information technology to meet the information collection requirements is not specifically covered in the Reliability Standard, leaving the decision up to NERC.
In general, the Commission supports the use of information technology to reduce burden.
DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2
The Commission periodically reviews filing requirements concurrent with OMB review or as the Commission deems necessary to eliminate duplicative filing and to minimize the filing burden.
The information collection requirements are unique to this Final Rule and to this information collection. The Commission does not know of any duplication in the requirements.
METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES
The Small Business Administration (SBA) revised its size standard (effective January 22, 2014) for electric utilities from a standard based on megawatt hours to a standard based on the number of employees, including affiliates. The jurisdiction of the North American Electric Reliability Corporation (NERC) includes users, owners, and operators of the bulk power system, which serves more than 334 million people. In addition, NERC’s current responsibilities include the development of Reliability Standards. Accordingly, the Commission certifies that the requirements in this Final Rule will not have a significant economic impact on a substantial number of small entities, and no regulatory flexibility analysis is required.
CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY
Changes in the bulk electric system cyber threat landscape, exemplified by recent malware campaigns targeting supply chain vendors, have highlighted a gap in the CIP Reliability Standards.8 To address this gap, we proposed to direct that NERC develop a forward-looking, objective-driven Reliability Standard that provides security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.9
Recognizing that developing supply chain management requirements would likely be a significant undertaking and require extensive engagement with stakeholders to define the scope, content, and timing of the Reliability Standard, the Commission sought comment on: (1) the general proposal to direct that NERC develop a Reliability Standard to address supply chain management; (2) the anticipated features of, and requirements that should be included in, such a standard; and (3) a reasonable timeframe for development of a Reliability Standard.10
This rulemaking requires NERC to develop or modify a Reliability Standards to address supply chain risk management and mitigate the risk of a cybersecurity incident affecting the reliable operation of the Bulk Power System.
EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION
The Commission does not require NERC to impose any specific controls nor does the Commission require NERC to propose “one-size-fits-all” requirements. The new or modified Reliability Standard which FERC is requiring NERC to develop should instead require responsible entities to meet the four objectives, or some equally efficient and effective set of objectives, while providing flexibility to responsible entities as to how to meet those objectives.
There are no special circumstances as described in 5 CFR 1320.5(d)(2) relating to this information collection.
DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS
Each FERC rulemaking (both proposed and final rules) is published in the Federal Register thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the proposed collections of data. The proposed rule was published in the Federal Register on ________________________.
On January 28, 2016, Commission staff led a Technical Conference to facilitate a dialogue on supply chain risk management issues that were identified by the Commission in the NOPR. The January 28 Technical Conference addressed: (1) the need for a new or modified Reliability Standard; (2) the scope and implementation of a new or modified Reliability Standard; and (3) the current supply chain risk management practices and collaborative efforts.
Twenty-four entities representing industry, government, vendors, and academia participated in the January 28 Technical Conference through written comments and/or presentations.11
Certain commenters argue that the Commission’s proposal to direct NERC to develop mandatory reliability standards to address supply chain risks could exceed the Commission’s jurisdiction under FPA section 215. Trade Associations state that the NOPR discussion “appears to suggest a new mandate, over and above Section 215 for energy security, integrity, quality, and supply chain resilience, and the future acquisition of products and services”.12 Trade Associations assert that the Commission’s NOPR proposal does not provide a reasoning that connects energy security and integrity with reliable operations for Bulk-Power System reliability. Trade associations, therefore, seek clarification that the Commission does not intend to define energy security as a new policy mandate.13
None of the comments were related to the burden estimates or other PRA issues, but were instead responses to the Commission’s jurisdiction under FPA section 215
EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS
The Commission does not make payments or provide gifts to respondents related to this collection.
DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS
In Docket RM15-14-002, FERC is requiring NERC to develop or modify a Reliability Standard. Reliability Standards are developed in an open and inclusive format as described by NERC14:
“NERC Reliability Standards are developed using an industry-driven, ANSI-accredited process that ensures the process is open to all persons who are directly and materially affected by the reliability of the North American bulk power system; transparent to the public; demonstrates the consensus for each standard; fairly balances the interests of all stakeholders; provides for reasonable notice and opportunity for comment; and enables the development of standards in a timely manner.”
After completion of the standards development and approval process, NERC will submit the proposed standard to the Commission for review and approval, a submittal which is normally publicly available.
The Commission generally does not consider the proposed standard which NERC is being required to develop or modify to be confidential. However, certain actions have confidentiality provisions which prevent the disclosure of information relating to enforcement actions and critical energy infrastructure information. The following provision may be used to prevent disclosure of confidential information: 18 CFR § 388.112.
In addition,18 C.F.R. 388.112 provides that “any person submitting a document to the Commission may request privileged treatment by claiming that some or all of the information contained in a particular document is exempt from the mandatory public disclosure requirements of the Freedom of Information Act, 5 U.S.C. 552, and should be withheld from public disclosure.”
Finally, 18 CFR § 388.113 of the Commission’s rules and regulations governs access to critical energy infrastructure information (CEII). Under 18 CFR § 388.113(b), the Commission may restrict access to previously filed documents as well as Commission-generated documents which contain CEII information.15
PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE
This collection does not contain any questions of a sensitive nature.
ESTIMATED BURDEN OF COLLECTION OF INFORMATION
The Commission estimates the annual additional reporting burden and cost to be zero, as this is part of the scope of what NERC’s responsibilities are under the current FERC-725. Because this final rule is being submitted under a temporary and new information collection number (FERC-725(1A)), for the purpose of submittal to OMB, FERC is reporting one respondent and one hour of burden.
Long-term, the staff plans to administratively move the requirements and associated burden of FERC-725(1A)) to FERC-725. The requirements for the ERO to develop Reliability Standards and to provide data to the Commission are included in the existing FERC-725. FERC-725 includes information used by the Commission to implement the statutory provisions of section 215 of the FPA. FERC-725 includes the burden, reporting and recordkeeping requirements associated with: (a) Self-Assessment and ERO Application, (b) Reliability Assessments, (c) Reliability Standards Development, (d) Reliability Compliance, (e) Stakeholder Survey, and (f) Other Reporting.
ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS
There are no start-up or other non-labor costs.
Total Capital and Start-up cost: $0
Total Operation, Maintenance, and Purchase of Services: $0
ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT
Any involvement by the Commission is covered under the FERC-725 collection (OMB Control No. 1902-0225) and is not part of this request or package. The Commission bases its estimate of the “Data Processing and Analysis” cost to the Federal Government on salaries and benefits for professional and clerical support. This estimated cost represents staff analysis, decision making, and review of any actual filings made in response to the information collection.
FERC-725(1A) |
Number of Employees (FTEs) |
Estimated Annual Federal Cost |
Analysis and Data Processing of filings |
0 |
$0 |
Paperwork Reduction Act Administrative Cost16 |
|
$5,481.00 |
TOTAL |
|
$5,481.00 |
REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE
Our directive does not suggest a new mandate above and beyond FPA section 215(and current responsibilities already imposed on NERC as the ERO). The Commission’s directive to NERC to address supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations is not intended to “define ‘energy security’ as a new policy mandate” under the CIP Reliability Standards.17 Instead, our directive is meant to enhance bulk electric system cybersecurity by addressing the gap in the CIP Reliability Standards identified in the NOPR relating to supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. These mandates are already represented in the current burden in FERC-725. Because FERC-725 is under review at OMB in an unrelated item (in Docket RM15-25), a new temporary information collection number used here, FERC-725(1A), is being assigned placeholder values of 1 respondent and 1 burden hour.
The following table shows total inventory.
FERC-725(1A) |
Total Request |
Previously Approved |
Change due to Adjustment in Estimate |
Change Due to Agency Discretion |
Annual Number of Responses |
1 |
0 |
0 |
+1 |
Annual Time Burden (Hr.) |
1 |
0 |
0 |
+1 |
Annual Cost Burden ($) |
0 |
0 |
0 |
0 |
TIME SCHEDULE FOR THE PUBLICATION OF DATA
There are no publication plans for the collection of information.
DISPLAY OF THE EXPIRATION DATE
The expiration date is displayed in a table posted on ferc.gov at http://www.ferc.gov/docs-filing/info-collections.asp.
EXCEPTIONS TO THE CERTIFICATION STATEMENT
There are no exceptions.
1 The Energy Policy Act of 2005 (EPAct), Pub. L. No 109-58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), codified at 16 U.S.C. 824o (2000).
2 The Federal Power Act (as modified by the EPAct) states “[t]he term “reliability standard” means a requirement, approved by the Commission under this section, to provide for reliable operation of the bulk-power system. The term includes requirements for the operation of existing bulk-power system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation of the bulk-power system, but the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity.”
3 16 U.S.C. 824o(e).
4 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh’g, Order No. 672‑A, FERC Stats. & Regs. ¶ 31,212 (2006).
5 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
6 16 U.S.C. 824o(d)(5).
7 Revised Critical Infrastructure Protection Reliability Standards, Notice of Proposed Rulemaking, 80 Fed. Reg. 43,354 (July 22, 2015), 152 FERC ¶ 61,054, at P 66 (2015) (NOPR).
8 NOPR, 152 FERC ¶ 61,054 at P 63.
9 Id. P 66.
10 Id.
11 Written presentations at the January 28, 2016 Technical Conference and the Technical Conference transcript referenced in this final rule are accessible through the Commission’s eLibrary document retrieval system in Docket No. RM15-14-000.
12 Trade Associations NOPR Comments at 24.
13 Trade Associations NOPR Comments at 24.
14 http://www.nerc.com
15 18 CFR 388.112
16 The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the Paperwork Reduction Act (PRA) for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings (not just this Final Rule), and other changes to the collection.
17 See Trade Associations NOPR Comments at 24.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | Final Supporting Statement |
Author | Michele Chambers |
File Modified | 0000-00-00 |
File Created | 2021-01-23 |