[Federal Register Volume 75, Number 206 (Tuesday, October 26, 2010)]
[Notices]
[Pages 65618-65620]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-26988]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC11-725B-000]


Commission Information Collection Activities (FERC-725B); Comment 
Request; Extension

October 19, 2010.
AGENCY: Federal Energy Regulatory Commission, Energy.

ACTION: Notice of proposed information collection and request for 
comments.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of section 3506(c)(2)(A) 
of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A) (2006), 
(Pub. L. 104-13), the Federal Energy Regulatory Commission (Commission 
or FERC) is soliciting public comment on the proposed information 
collection described below.

DATES: Comments in consideration of the collection of information are 
due December 27, 2010.

ADDRESSES: Commenters must send an original of their comments to: 
Federal Energy Regulatory Commission, Secretary of the Commission, 888 
First Street, NE., Washington, DC 20426. Comments may be filed either 
on paper or on CD/DVD, and should refer to Docket No. IC11-725B-000. 
Documents must be prepared in an acceptable filing format and in 
compliance with Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are 
not available for Docket No. IC11-725B-000, due to a system issue.
    All comments and FERC issuances may be viewed, printed or 
downloaded remotely through FERC's eLibrary at http://www.ferc.gov/docs-filing/elibrary.asp, by searching on Docket No. IC11-725B. For 
user assistance, contact FERC Online Support by e-mail at 
[email protected], or by phone at: (866) 208-3676 (toll-free), 
or (202) 502-8659 for TTY.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail 
at [email protected], telephone at (202) 502-8663, and fax at 
(202) 273-0873.

SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B, 
Reliability Standards for Critical Infrastructure Protection (OMB 
Control No. 1902-0248), is required to implement the statutory 
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 
824o). On August 8, 2005, the Electricity Modernization Act of 2005, 
which is Title XII, Subtitle A,

[[Page 65619]]

of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.\1\ 
EPAct 2005 added a new section 215 to the FPA, requiring a Commission-
certified Electric Reliability Organization (ERO) to develop mandatory 
and enforceable Reliability Standards, which are subject to Commission 
review and approval. Once approved, the Reliability Standards may be 
enforced in the United States by the ERO subject to Commission 
oversight, or the Commission can independently enforce Reliability 
Standards.\2\
---------------------------------------------------------------------------

    \1\ Energy Policy Act of 2005, Public Law No. 109-58, Title XII, 
Subtitle A, 119 Stat. 594, 941 (2005), 16 U.S.C. 824o.
    \2\ 16 U.S.C. 824o(e)(3).
---------------------------------------------------------------------------

    On February 3, 2006, the Commission issued Order No. 672, 
implementing section 215 of the FPA. Pursuant to Order No. 672, the 
Commission certified one organization, North American Electric 
Reliability Corporation (NERC), as the ERO. The Reliability Standards 
developed by the ERO and approved by the Commission apply to users, 
owners and operators of the Bulk-Power System, as set forth in each 
Reliability Standard.
    On January 18, 2008, the Commission issued order 706, approving 
eight Critical Infrastructure Protection (CIP) Reliability Standards 
submitted by the NERC for Commission approval.\3\ The CIP Reliability 
Standards require certain users, owners, and operators of the Bulk-
Power System to comply with specific requirements to safeguard critical 
cyber assets.\4\ These standards help protect the nation's Bulk-Power 
System against potential disruptions from cyber attacks.\5\
---------------------------------------------------------------------------

    \3\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-
007-1, CIP-008-1, and CIP-009-1.
    \4\ In addition, in accordance with section 215(d)(5) of the 
FPA, the Commission proposed to direct NERC to develop modifications 
to the CIP Reliability Standards to address specific concerns 
identified by the Commission.
    \5\ For a description of the CIP Reliability Standards, see the 
Critical Infrastructure Protection Section at NERC's Web site at 
http://www.nerc.com/page.php?cid=2/20.
---------------------------------------------------------------------------

    The eight CIP Reliability Standards address the following topics:
     Critical Cyber Asset Identification.
     Security Management Controls.
     Personnel and Training.
     Electronic Security Perimeters.
     Physical Security of Critical Cyber Assets.
     Systems Security Management.
     Incident Reporting and Response Planning.
     Recovery Plans for Critical Cyber Assets.
    The CIP Reliability Standards include one actual reporting 
requirement and several recordkeeping requirements. Specifically, CIP-
008-1 requires responsible entities to report cyber security incidents 
to the Electricity Sector-Information Sharing and Analysis Center (ES-
ISAC). In addition, the eight CIP Reliability Standards require 
responsible entities to develop various policies, plans, programs, and 
procedures. For example, each responsible entity must develop and 
document a risk-based assessment methodology to identify critical 
assets, which is then used to develop a list of critical cyber assets 
(CIP-002-1). A responsible entity that identifies any critical cyber 
assets must also document: A cyber security policy (CIP-003-1); a 
security awareness program (CIP-004-1, Requirement R1); a personnel 
risk assessment program (CIP-004-1, Requirement R3); an electronic 
security perimeter and processes for control of electronic access to 
all electronic access points to the perimeter (CIP-005-1, Requirements 
R1 and R2); a physical security plan (CIP-006-1); procedures for 
securing certain cyber assets (CIP-007-1); and recovery plans for 
critical cyber assets (CIP-008-1). To demonstrate compliance with the 
CIP Reliability Standards, responsible entities are required to 
maintain various lists and access logs. All responsible entities are 
required to be auditably compliant with the CIP Reliability Standards 
by the end of 2010, including all required documentation.
    The CIP Reliability Standards do not require a responsible entity 
to report to the Commission, ERO or Regional Entities, the various 
policies, plans, programs and procedures. However, a showing of the 
documented policies, plans, programs and procedures is required to 
demonstrate compliance with the CIP Reliability Standards.
    Action: The Commission is requesting a three-year extension of the 
FERC-725B reporting requirements, with no changes.
    Burden Statement: The extent of the reporting burden is influenced 
by the number of identified critical assets and related critical cyber 
assets pursuant to CIP-002. An entity identifying one or more critical 
cyber assets, including assets located at remote locations, will likely 
require more resources to demonstrate compliance with the CIP 
Reliability Standards compared to an entity that identifies no critical 
assets. The Commission has developed estimates using data from NERC's 
compliance registry as well as a 2009 survey that was conducted by NERC 
to asses the number of entities reporting Critical Cyber Assets.

----------------------------------------------------------------------------------------------------------------
                                                                                Average No.  of
                                                   No. of      Average No.  of   Burden  hours    Total  annual
               Data collection                respondents \6\   responses  per   per  response        hours
                                                                  respondent          \7\
                                                         (1)              (2)              (3)   (1) x (2) x (3)
----------------------------------------------------------------------------------------------------------------
FERC-725B...................................
Estimate of U.S. Entities that have                      345                1              320          110,400
 identified Critical Cyber Assets...........
Estimate of U.S. Entities that have not                1,156                1                8            9,248
 identified Critical Cyber Assets...........
                                             -------------------------------------------------------------------
    Totals..................................           1,501   ...............  ...............         119,648
----------------------------------------------------------------------------------------------------------------
\6\ The NERC Compliance Registry as of 9/28/2010 indicated that 2,079 entities were registered for NERC's
  compliance program. Of these, 2,057 were identified as being U.S. entities. Staff concluded that of the 2,057
  U.S. entities, only 1,501 were registered for at least one CIP related function. According to an April 7, 2009
  memo to industry, NERC's VP and Chief Security officer noted that only 31% of entities responded to an earlier
  survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber
  Asset. Staff applied the 23% reporting to the 1,501 figure to obtain an estimate.
\7\ This figure relates to NERC's audit schedule which requires NERC to engage in a compliance Audit once every
  3 to 5 years. For simplicity, staff has divided the total number of hours by 3 to reflect the amount of time
  annually spent preparing documents. Staff assumed that each CIP audit or spot check would require four
  individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified
  Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be
  required to demonstrate compliance with CIP-002, which would require one individual approximately three days
  to execute.


[[Page 65620]]

    The total estimated annual cost burden to respondents is:
     Entities that have identified Critical Assets = 110,400 
hours@$96 = $10,598,400.
     Entities that have not identified Critical Assets = 9,248 
hours@$96 = $887,808.
    The hourly rate of $96 is the average cost of legal services ($230 
per hour), technical employees ($40 per hour) and administrative 
support ($18 per hour), based on hourly rates from the Bureau of Labor 
Statistics (BLS) and the 2009 Billing Rates and Practices Survey 
Report.\8\
---------------------------------------------------------------------------

    \8\ Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates 
figure were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based 
on the national average billing rate (contracting out) from the 
above report and BLS hourly earnings (in-house personnel). It is 
assumed that 25% of respondents have in-house legal personnel.
---------------------------------------------------------------------------

    The reporting burden includes the total time, effort, or financial 
resources expended to generate, maintain, retain, disclose, or provide 
the information including: (1) Reviewing instructions; (2) developing, 
acquiring, installing, and utilizing technology and systems for the 
purposes of collecting, validating, verifying, processing, maintaining, 
disclosing and providing information; (3) adjusting the existing ways 
to comply with any previously applicable instructions and requirements; 
(4) training personnel to respond to a collection of information; (5) 
searching data sources; (6) completing and reviewing the collection of 
information; and (7) transmitting or otherwise disclosing the 
information.
    The estimate of cost for respondents is based upon salaries for 
professional and clerical support, as well as direct and indirect 
overhead costs. Direct costs include all costs directly attributable to 
providing this information, such as administrative costs and the cost 
for information technology. Indirect or overhead costs are costs 
incurred by an organization in support of its mission. These costs 
apply to activities which benefit the whole organization rather than 
any one particular function or activity.
    Comments are invited on: (1) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimate of the burden of the 
proposed collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information to be collected; and (4) ways to 
minimize the burden of the collection of information on those who are 
to respond, including the use of appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology e.g. permitting electronic submission of 
responses.

Kimberly D. Bose,
Secretary.
[FR Doc. 2010-26988 Filed 10-25-10; 8:45 am]
BILLING CODE 6717-01-P