In accordance
with 5 CFR 1320, the information collection is approved. OMB notes
that the additional burden requested in this ICR was developed
through a bottom-up process in which NERC entities developed the
CIP-003-7 Reliability Standard and associated information
collection burden.
Inventory as of this Action
Requested
Previously Approved
06/30/2021
36 Months From Approved
03/31/2019
222,882
0
1,415
1,928,744
0
1,569,410
0
0
0
The CIP-003-7 Reliability Standard
enhances security controls for low impact BES Cyber Systems by
improving electronic access controls and creating security controls
for transient electronic assets (TCAs) used at low impact BES Cyber
Systems. The NERC Compliance Registry, as of September 2017,
identifies approximately 1,320 U.S. entities that are subject to
mandatory compliance with Reliability Standards. Of this total, we
estimate that 1,100 entities (reliability coordinators, generator
operators, generator owners, interchange coordinators or
authorities, transmission operators, balancing authorities,
transmission owners, and certain distribution providers) would be
subject to Reliability Standard CIP-003-7. These entities would be
subject to the increased burden related to: • creation of plans to
provide security controls for TCAs to mitigate the risk of
malicious code being introduced to low impact BES Cyber System; •
the ongoing review and updating of the plans and documentation that
the planned security controls are implemented for TCAs at low
impact BES Cyber System; • modification of plans to provide
electronic security controls for low impact BES Cyber Systems; and
• the ongoing review and updating of the plans/documentation for
methodology regarding how planned security controls are implemented
for low impact BES Cyber System. The consequences of not creating
or maintaining the documents would prevent: • the implementation
and maintenance of electronic access controls for low impact BES
Cyber Systems; and • the mitigation of the risk of malicious code
being introduced to low impact BES Cyber System from TCAs.
The CIP-003-7 Reliability
Standard clarifies, consolidates, streamlines, and enhances the
previous Reliability Standard (CIP-003-6) and its related reporting
requirements that subject affected entities to the increased burden
of: • creation of plans to provide security controls for TCAs to
mitigate the risk of malicious code being introduced to low impact
BES Cyber System; • ongoing review and updating of the plans and
documentation that the planned security controls are implemented
for TCAs at low impact BES Cyber System; • modification of plans to
provide electronic security controls for low impact BES Cyber
Systems; and • ongoing review and updating of the plans and
documentation that the planned security controls are implemented
for low impact BES Cyber System. Other factors that impact the
burden are the frequency of: • the entity modifying or updating
their security controls for the low impact BES Cyber Systems or TCA
used at low impact BES Cyber Systems; • modification of low impact
BES Cyber Systems that impact the security controls; and • using
TCA at low impact BES Cyber Systems.
$5,723
No
No
No
No
No
No
Uncollected
Matthew Dale 202 502-6826
matthew.dale@ferc.gov
No
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.