FERC-725B, (Final Rule in
RM21-3) Mandatory Reliability Standards for Critical Infrastructure
Protection [CIP] Reliability Standards)
Revision of a currently approved collection
No
Regular
02/17/2021
Requested
Previously Approved
36 Months From Approved
12/31/2021
223,895
224,800
2,044,626
2,119,709
0
0
NOPR 21-3 is set out to ensure that a
public utility receiving incentive rate treatment has implemented
the requirements for the incentive and to ensure that it continues
to adhere to these requirements, we propose to add § 35.48(f) to
the Commission’s regulations to require public utilities to submit
annual informational filings with the Commission. We propose
specific reporting requirements for each of the NERC CIP Incentives
Approach and the NIST Framework Approach The Transmission
Incentives NOPR proposes additional reporting requirements for
recipients of transmission incentives under FPA section 219. Such
additional reporting is likewise appropriate for cybersecurity
upgrades receiving incentives. Accordingly, we propose to add §
35.48(f) to require that, within 120 days of the completion of
cybersecurity upgrades for which an applicant is granted
incentives, an incentives recipient must make an informational
filing and subsequent informational filings annually thereafter.
The annual informational filings must detail the specific
investments that were made pursuant to the Commission’s approval
and the corresponding FERC account(s) used. In addition, the annual
informational filings must describe what parts of its network were
upgraded or expanded (i.e., which substations, control centers,
automated and continuous monitoring equipment) in addition to the
nature (i.e., describing hardware purchase) and actual cost of the
various capital investments. For incentives where the Commission
allows deferral of expenses as regulatory assets, annual
informational filings should describe such expenses in sufficient
detail to demonstrate that such expenses are specifically related
to implementing the cybersecurity incentives described in this NOPR
and not for ongoing costs including system maintenance,
surveillance, and other labor costs, either in the form of employee
salaries or third-party service contracts.We preliminarily find
that the proposed reporting requirements are necessary to provide
the Commission with an understanding of the costs of various types
of cybersecurity investments in order to more precisely target
future incentives or other policies. However, based on the
qualities of such investments, as well as the likely higher
sensitivity of the information, we propose to require different
reporting requirements under this proposal than those proposed
under the Transmission Incentives NOPR. Several aspects of
cybersecurity necessitate reporting different information that the
Commission has required for conventional transmission facilities
receiving incentives pursuant to FPA section 219. First,
cybersecurity investments are not observable. Unlike conventional
transmission facilities, such as a new transmission line, it is not
readily apparent if, and when, such investments are completed and
serving customers. Therefore, it is important to confirm the
completion of cybersecurity investments by establishing additional
reporting requirements. Second, certain cybersecurity investments
may require public utilities to undertake subsequent actions or
make expenditures to maintain the status for which they receive
incentives. Annual reports enable public utilities to demonstrate
that they have undertaken such actions or expenditures.Finally, we
propose that both the initial and annual informational filings
provide a summary of the costs incurred to achieve the higher level
of security, including supporting documentation that provides a
narrative explanation of the nature of the expenses proposed for
deferred cost recovery, and inclusion in rate base as a regulatory
asset, including the specific accounts (under the Commission’s
Uniform System of Accounts) initially charged for the incurred
expenses.
NOPR 21-3 has a voluntary
increase projected of 20 fillings per year that will increase the
current burden for all CIP standards
$6,475
No
No
No
No
No
No
No
Kayla Williams 410 786-5887
kayla.williams@cms.hhs.gov
No
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
AD20-19-000 White papers.docx
Staff Presentation on Cybersecurity Incentives (RM21-3-000).pdf
CIP Incentives (NOPR RM21-3-000)