FERC-725B (OMB Control No. 1902-0248)
Final Rule (issued 4/25/2018) in Docket RM17-11-000
RIN: 1902-AF44
Supporting Statement for
FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards)
as modified by the Final Rule in Docket RM17-11
The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) review and approve FERC-725B (Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards) as modified by the Final Rule in RM17-11-000.[1] The reporting requirements in FERC-725B are also contained in FERC's regulations in 18 Code of Federal Regulations (CFR) Part 40.
CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY
Pursuant to Section 215 of the Federal Power Act (FPA),[2] the Commission approves Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 (Cyber Security – Security Management Controls). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standard CIP-003-7 in response to directives in Order No. 822.[3] The Commission also approves the associated violation risk factors and violation severity levels, implementation plan and effective dates mandated by NERC. In addition, the Commission approves the modified definitions of Transient Cyber Asset and Removable Media as well as the retirement of the definitions for Low Impact External Routable Connectivity (LERC) and Low Impact Electronic Access Point (LEAP) in the NERC Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). Further, the Commission approves the retirement of Reliability Standard CIP-003-6.
Reliability Standard CIP-003-7 addresses the directives in Order No. 822 by:
Clarifying the obligations pertaining to electronic access control for low impact BES [Bulk Electric System] Cyber Systems;[4] and
Adopting mandatory security controls for transient electronic devices (e.g. thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems.
In addition, by requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances for low impact BES Cyber Systems, the Reliability Standard aligns the treatment of low impact BES Cyber Systems with that of high and medium impact BES Cyber Systems, which currently include a requirement for declaring and responding to CIP Exceptional Circumstances. Accordingly, we propose to approve Reliability Standard CIP-003-7 because the modifications improve the baseline cybersecurity posture of responsible entities compared to the current Commission-approved CIP Reliability Standards.
HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION
The CIP-003-7 Reliability Standard enhances security controls for low impact BES Cyber Systems by improving electronic access controls and creating security controls for transient cyber assets (TCAs) used at low impact BES Cyber Systems. The NERC Compliance Registry, as of September 2017, identifies approximately 1,320 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,100 entities (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, transmission owners, and certain distribution providers) would be subject to Reliability Standard CIP-003-7.
These entities would be subject to the increased burden related to:
creation of plans to provide security controls for TCAs to mitigate the risk of malicious code being introduced to low impact BES Cyber Systems;
the ongoing review and updating of the plans and of the documentation showing that the planned security controls are implemented for TCAs at low impact BES Cyber Systems;
modification of plans to provide electronic security controls for low impact BES Cyber Systems; and
the ongoing review and updating of the plans and documentation of the methodology for how the planned security controls are implemented for low impact BES Cyber Systems.
Not creating or maintaining these documents would prevent:
the implementation and maintenance of electronic access controls for low impact BES Cyber Systems; and
the mitigation of the risk of malicious code being introduced to low impact BES Cyber Systems from TCAs.
DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.
This collection does not require industry to file the information with the Commission. However, FERC-725B does contain information collection and record retention requirements for which using current technology is an option.
The information technology to meet the information collection requirements is not specifically covered in the Reliability Standard.
DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2
The Commission periodically reviews filing requirements concurrent with OMB review or as the Commission deems necessary to eliminate duplicative filing and to minimize the filing burden. The Commission is unaware of any other source of information related to bulk-electric system physical security.
METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES
The Commission estimates one-time and ongoing increases in reporting burden on a variety of NERC-registered entities (including Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners, and certain Distribution Providers) due to the changes in the revised Reliability Standard, with no other increase in the cost of compliance (when compared with the current standards). Approximately 857 of the 1,100 balancing authorities are expected to meet the Small Business Administration's definition for a small entity.
This Reliability Standard does not contain provisions for minimizing the burden of the collection for small entities. All the requirements in the Reliability Standard apply to every applicable entity. However, small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC's Rules of Procedure at Section 1502, Paragraph 2, available at NERC's website.
CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY
Not creating the documents would prevent (1) the implementation of electronic access controls for low impact BES Cyber Systems and (2) the mitigation of the risk of malicious code being introduced to low impact BES Cyber Systems from TCAs.
Documentation of the plans is modified or updated only when an entity changes or modifies its security controls for low impact BES Cyber Systems or for the TCAs used at low impact BES Cyber Systems.
How often an entity documents that the security controls defined in its plans were implemented and remain implemented depends entirely on how often the entity uses TCAs at low impact BES Cyber Systems, on whatever interval its plans state for maintaining the security controls the entity designed, or on modifications of low impact BES Cyber Systems that affect those security controls.
EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION
FERC-725B information collection has no special circumstances.
DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS
Each FERC rulemaking (both proposed and final rules) is published in the Federal Register thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the proposed collections of data.
The Commission solicited comments at the NOPR stage.[5] None of the comments received pertained to paperwork burden.
The Final Rule was published[6] in the Federal Register on 4/25/2018.
EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS
No payments or gifts have been made to respondents.
DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS
According to the NERC Rules of Procedure,[7] "…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required." This serves to protect confidential information submitted to NERC or Regional Entities.
Responding entities do not submit the information collected due to the Reliability Standards to FERC. Rather, they submit the information to NERC, the regional entities, or maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.
PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE
These collections do not contain any questions of a sensitive nature.
ESTIMATED BURDEN OF COLLECTION OF INFORMATION
NERC’s revisions to Reliability Standard CIP-003-7 will result in one-time and ongoing increases to burden in the reporting requirements imposed on Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators/Authorities, Transmission Operators, Balancing Authorities, Transmission Owners, and certain Distribution Providers.
The estimated changes to the burden and cost for FERC-725B due to the approved modifications in the Final Rule in RM17-11 follow:
RM17-11-000 Final Rule (Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards)
 | Number of Respondents (1) | Annual Number of Responses per Respondent (2) | Total Number of Responses (1)*(2)=(3) | Average Burden & Cost Per Response[8] (4) | Total Annual Burden Hours & Total Annual Cost (3)*(4)=(5) | Cost per Respondent ($) (5)÷(1)
Create low impact TCA assets plan (one-time)[9] | 1,100 | 1 | 1,100 | 20 hrs.; $1,680 | 22,000[10] hrs.; $1,848,000 | $1,680
Updates and reviews of low impact TCA assets (ongoing)[11] | 1,100 | 300[12] | 330,000 | 1.5 hrs.[13]; $126 | 495,000 hrs.; $41,580,000 | $37,800
Update/modify documentation to remove LERC and LEAP (one-time)[8] | 1,100 | 1 | 1,100 | 20 hrs.; $1,680 | 22,000[9] hrs.; $1,848,000 | $1,680
Update paperwork for access control implementation in Section 2[14] and Section 3[15] (ongoing)[10] | 1,100 | 1 | 1,100 | 20 hrs.; $1,680 | 22,000[9] hrs.; $1,848,000 | $1,680
TOTAL (one-time)[8] | | | 2,200 | | 44,000[16] hrs.; $3,696,000 |
TOTAL (ongoing)[10] | | | 331,100 | | 517,000[17] hrs.; $43,428,000 |
The one-time burden of 44,000 hours will be averaged over three years (44,000 hours ÷ 3 = 14,667 hours/year over three years). The number of responses is also averaged over three years (2,200 responses ÷ 3 = 733.3 responses/year).
The ongoing burden of 517,000 hours/year applies only for Years 2 and beyond. Similarly, the number of responses is averaged over three years: (2,200 responses (one-time) + 331,100 responses (Year 2) + 331,100 responses (Year 3)) ÷ 3 = 221,467.[18]
The responses and burden for Years 1-3 will total respectively as follows:
Year 1: 221,467 responses; 14,667 hours
Year 2: 221,467 responses; 14,667 hours + 517,000 hours = 531,667 hours
Year 3: 221,467 responses; 14,667 hours + 517,000 hours = 531,667 hours
For submission in ROCIS the averages over Years 1-3 are:
Annual burden approved by the Final Rule in RM17-11-000 is 359,334[19] hours: [14,667 hours + ((517,000 hours + 14,667 hours) × 2)] ÷ 3 = 359,334 hours.
Annual number of responses approved by the Final Rule in RM17-11 is 221,467: (2,200 responses (one-time) + 331,100 responses (Year 2) + 331,100 responses (Year 3)) ÷ 3 = 221,467.[18]
ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS
There are no start-up or other non-labor costs.
Total Capital and Start-up cost: $0
Total Operation, Maintenance, and Purchase of Services: $0
All of the costs in the Final Rule are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.
ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT
The Regional Entities and NERC do most of the data processing, monitoring and compliance work for Reliability Standards; the burden and cost are included under the FERC-725 collection (OMB Control No. 1902-0225) and are not part of this request or package. Any involvement by the Commission is covered under the FERC-725 collection (OMB Control No. 1902-0225) and is not part of this request or package.
The estimated annualized cost to the Federal Government for FERC-725B follows:
FERC-725B | Number of Employees (FTEs) | Estimated Annual Federal Cost
Analysis of Filings | 0 | $0
Processing of Filings | 0 | $0
Paperwork Reduction Act Administrative Cost[20] | | $5,723
TOTAL | | $5,723
REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE
The CIP-003-7[21] Reliability Standard clarifies, consolidates, streamlines, and enhances the previous Reliability Standard (CIP-003-6) and its related reporting requirements, which subject affected entities to the increased burden of:
creation of plans to provide security controls for TCAs to mitigate the risk of malicious code being introduced to low impact BES Cyber Systems;
ongoing review and updating of the plans and of the documentation showing that the planned security controls are implemented for TCAs at low impact BES Cyber Systems;
modification of plans to provide electronic security controls for low impact BES Cyber Systems; and
ongoing review and updating of the plans and of the documentation showing that the planned security controls are implemented for low impact BES Cyber Systems.
Other factors that affect the burden are the frequency of:
the entity modifying or updating its security controls for the low impact BES Cyber Systems or the TCAs used at low impact BES Cyber Systems;
modifications of low impact BES Cyber Systems that affect the security controls; and
use of TCAs at low impact BES Cyber Systems.
A summary of the current OMB-approved inventory and the changes to FERC-725B information collection due to the Final Rule in RM17-11 follows:
FERC-725B | Total Request | Previously Approved | Change due to Adjustment in Estimate | Change Due to Agency Discretion
Annual Number of Responses | 222,881 | 1,415 | 0 | 221,467
Annual Time Burden[22] | 1,928,744 | 1,569,410 | 0 | 359,334
Annual Cost Burden ($) | $0 | $0 | $0 | $0
TIME SCHEDULE FOR THE PUBLICATION OF DATA
There are no tabulating or statistical analysis plans or publication plans for the collection of information.
DISPLAY OF THE EXPIRATION DATE
The expiration date is displayed in a table posted on ferc.gov at http://www.ferc.gov/docs-filing/info-collections.asp.
EXCEPTIONS TO THE CERTIFICATION STATEMENT
There are no exceptions.
1 The Final Rule (issued 4/19/2018) is available in FERC’s eLibrary system at https://elibrary-backup.ferc.gov/idmws/common/OpenNat.asp?fileID=14892826.
2 16 U.S.C. 824o.
3 Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 154 FERC ¶ 61,037, reh’g denied, Order No. 822-A, 156 FERC ¶ 61,052 (2016).
4 NERC defines “BES Cyber System” as one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.
5 NOPR issued on 10/19/2017; published in Federal Register at 82 FR 49541 on 10/26/2017.
6 82 FR 17913
7 Section 1502, Paragraph 2, available at NERC's website.
8 The loaded hourly wage figure (includes benefits) is based on the average of three occupational categories for 2016 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
Legal (Occupation Code: 23-0000): $143.68
Electrical Engineer (Occupation Code: 17-2071): $68.12
Office and Administrative Support (Occupation Code: 43-0000): $40.89
($143.68 + $68.12 + $40.89) ÷ 3 = $84.23. The figure is rounded to $84.00 for use in calculating wage figures in the Final Rule and this supporting statement.
9 This one-time burden applies in Year One only.
10 This figure is incorrectly presented as 6,875 hours in the Final Rule; the corrected figure is shown in this supporting statement.
11 This ongoing burden applies in Year 2 and beyond.
12 We estimate that each entity will perform 25 updates per month. 25 updates *12 months = 300 updates (i.e. responses) per year.
13 The 1.5 hours of burden per response is comprised of three sub-categories:
Updates to managed low TCA assets: 15 minutes (0.25 hours) per response
Updates to unmanaged low TCA assets: 60 minutes (1 hour) per response
Reviews of low TCA applicable controls: 15 minutes (0.25 hours) per response.
14 Physical Security Controls.
15 Electronic Access Controls.
16 This figure is incorrectly presented as 13,750 hours in the Final Rule. The figure is corrected to 44,000 hours in this supporting statement. Its associated wage figure is correctly presented in the Final Rule and in this supporting statement.
17 This figure is incorrectly presented as 501,875 hours in the Final Rule. The figure is corrected to 517,000 hours in this supporting statement. Its associated wage figure is correctly presented in the Final Rule and in this supporting statement.
18 This figure is rounded up from 221,466.6.
19 This figure is rounded up from 359,333.6.
20 The PRA Administrative Cost is a Federal Cost associated with preparing, issuing, and submitting materials necessary to comply with the Paperwork Reduction Act (PRA) for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings (not just this Final Rule), and other changes to the collection.
21 RM17-11 Final Rule also proposed the retirement of CIP-003-6, a previous version of CIP-003-7.
22 The units of measurement applied to “annual time burden” are hours.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title | RM17-11 Final Rule supporting statement
Author | anthony.may@ferc.gov
File Created | 2021-01-21