FERC-725B, Revisions in RD24-3, Adding Voluntary Requests for Cybersecurity Incentives to Mandatory Reliability Standards for Critical Infrastructure Protection
FERC-725B, Revisions in
RD24-3, Adding Voluntary Requests for Cybersecurity Incentives to
Mandatory Reliability Standards for Critical Infrastructure
Protection
Revision of a currently approved collection
No
Regular
09/06/2024
Requested
Previously Approved
36 Months From Approved
06/30/2026
242,567
241,101
2,247,984
2,168,901
0
0
Revisions in RD24-3 NERC states that
proposed Reliability Standard CIP-012-2 improves upon and expands
the protections required by Reliability Standard CIP-012-1 by
requiring responsible entities to mitigate the risk posed by loss
of availability of communication links and Real-time Assessment and
Real-time monitoring data transmitted between Control Centers.
Proposed Reliability Standard CIP-012-2 adds two new provisions to
Requirement R1 that address availability by requiring (1)
protections for the availability of data in transit and (2)
protections to initiate recovery of lost (i.e., unavailable)
communication links. NERC also requests approval of the associated
implementation plan, the associated violation risk factors and
violation severity levels, and retirement of Reliability Standard
CIP-012-1 immediately prior to the effective date of CIP-012-2. The
24-month implementation period is proposed to afford responsible
entities sufficient time to implement the new controls and
coordinate with other responsible entities that own or operate
Control Centers as required in proposed Reliability Standard
CIP-012-2. The information collection in the final rule implements
section 219A of the Federal Power Act (FPA) (16 U.S.C. 824s-1),
which requires the Commission to encourage utilities to: (1) invest
in advanced cybersecurity technology, and (2) participate in
information sharing regarding cybersecurity threats. The final rule
includes information collection activities for voluntary submission
of requests for cybersecurity incentives, and annual informational
filings that would be mandatory for utilities receiving such
incentives. In order to obtain Commission approval, the
cybersecurity measures proposed by a utility must materially
improve cybersecurity through either an investment in advanced
cybersecurity technology or participation in a cybersecurity threat
information sharing program(s); and must not be already mandated by
Critical Infrastructure Protection (CIP) Reliability Standards, or
otherwise mandated by local, state, or Federal law. As previously
approved, the information collection at FERC-725B implements CIP
Reliability Standards that require entities to comply with specific
requirements to safeguard critical cyber assets. Neither the final
rule nor the additional burdens in this information collection
request would affect the previously approved mandatory CIP
Reliability Standards.
US Code:
16
USC 824s-1 Name of Law: Federal Power Act
US Code: 16
USC 824d Name of Law: Federal Power Act
US Code: 16
USC 824o Name of Law: Federal Power Act
US Code: 16 USC 824s-1 Name of Law: Federal
Power Act
All of the estimated burdens
described above in Discussion # 12 are program changes to
FERC-725B. The estimated annual burdens would add average annual
number (for Years 1-3) of responses and burden for one-time and
ongoing burden will total: •1,460 responses (one-time) + 730
responses (ongoing) (There was already 724 responses from RD22-2
and +6 was added+ totaling 730 responses) •79,083 burden hours
[78,353 hours (one-time) + 730 hours (ongoing)] to FERC-725B.
$216,182
No
No
No
No
No
No
No
Vincent Le 202 502-6204
vincent.le@ferc.gov
No
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.