[Federal Register Volume 76, Number 67 (Thursday, April 7, 2011)]
[Notices]
[Pages 19333-19334]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-8248]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC11-725B-001]


Commission Information Collection Activities (FERC-725B); Comment 
Request; Submitted for OMB Review

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of section 3507 of the 
Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy 
Regulatory Commission (Commission or FERC) has submitted the 
information collection described below to the Office of Management and 
Budget (OMB) for review of the information collection requirements. Any 
interested person may file comments directly with OMB and should 
address a copy of those comments to the Commission as explained below. 
The Commission issued a Notice in the Federal Register (75 FR 65618, 
10/26/2010) requesting public comments. FERC received no comments on 
the FERC-725B and has made this notation in its submission to OMB. OMB 
only makes a decision after the 30-day comment period for this notice 
has expired.

DATES: Comments on the collection of information are due by May 9, 
2011.

ADDRESSES: Address comments on the collection of information to the 
Office of Management and Budget, Office of Information and Regulatory 
Affairs, Attention: Federal Energy Regulatory Commission Desk Officer. 
Comments to OMB should be filed electronically, c/o [email protected] and include OMB Control Number 1902-0248 for 
reference. The Desk Officer may be reached by telephone at 202-395-4638.
    A copy of the comments should also be sent to: Federal Energy 
Regulatory Commission, Secretary of the Commission, 888 First Street, 
NE., Washington, DC 20426. Comments may be filed either on paper or on 
CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be 
prepared in an acceptable filing format and in compliance with 
Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for 
Docket No. IC11-725B-001, due to a system issue.
    All comments may be viewed, printed or downloaded remotely via the 
Internet through FERC's homepage using the ``eLibrary'' link. For user 
assistance, contact [email protected] or toll-free at (866) 
208-3676, or for TTY, contact (202) 502-8659.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail 
at [email protected], by telephone at (202) 502-8663, and by fax 
at (202) 273-0873.

SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B, 
Reliability Standards for Critical Infrastructure Protection (OMB 
Control No. 1902-0248), is required to implement the statutory 
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 
824o). On January 18, 2008, the Commission issued order 706, approving 
eight Critical Infrastructure Protection (CIP) Reliability Standards 
submitted by the North American Electric Reliability Corporation (NERC) 
for Commission approval.\1\
---------------------------------------------------------------------------

    \1\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, 
CIP-007-1, CIP-008-1, and CIP-009-1.
---------------------------------------------------------------------------

    The CIP Reliability Standards require certain users, owners, and 
operators of the Bulk-Power System to comply with specific requirements 
to safeguard critical cyber assets.\2\ These standards help protect the 
nation's Bulk-Power System against potential disruptions from cyber 
attacks.\3\ The CIP Reliability Standards include one actual reporting 
requirement and several recordkeeping requirements. Specifically, 
CIP-008-1 requires responsible entities to report cyber security 
incidents to the Electricity Sector-Information Sharing and Analysis 
Center (ES-ISAC). In addition, the eight CIP Reliability Standards require 
responsible entities to develop various policies, plans, programs, and 
procedures.\4\
---------------------------------------------------------------------------

    \2\ In addition, in accordance with section 215(d)(5) of the 
FPA, the Commission proposed to direct NERC to develop modifications 
to the CIP Reliability Standards to address specific concerns 
identified by the Commission.
    \3\ For a description of the CIP Reliability Standards, see the 
Critical Infrastructure Protection Section on NERC's Web site at 
http://www.nerc.com/page.php?cid=2|20.
    \4\ The October notice issued in this docket contains more 
information on the reporting requirements and can be found at http://elibrary.ferc.gov/idmws/File_list.asp?document_id=13857625. The 
full text of the standards can be found on NERC's Web site at 
http://www.nerc.com/page.php?cid=2|20.
---------------------------------------------------------------------------

    The CIP Reliability Standards do not require a responsible entity 
to report to the Commission, ERO or Regional Entities, the various 
policies, plans, programs and procedures. However, a showing of the 
documented policies, plans, programs and procedures is required to 
demonstrate compliance with the CIP Reliability Standards.
    Action: The Commission is requesting a three-year extension of the 
existing collection with no changes to the requirements.
    Burden Statement: The extent of the reporting burden is influenced 
by the number of identified critical assets and related critical cyber 
assets pursuant to CIP-002. An entity identifying one or more critical 
cyber assets, including assets located at remote locations, will likely 
require more resources to demonstrate compliance with the CIP 
Reliability Standards compared to an entity that identifies no critical 
assets. The Commission has developed estimates using data from NERC's 
compliance registry as well as a 2009 survey that was conducted by NERC 
to assess the number of entities reporting Critical Cyber Assets.

----------------------------------------------------------------------------------------------------------------
                                                                                      Average
                                                     Number of        Average        number of
                 Data collection                    respondents      number of     burden hours    Total annual
                                                        \5\        responses per   per response        hours
                                                                    respondent          \6\
----------------------------------------------------------------------------------------------------------------
                                                             (1)             (2)             (3)     (1) x (2) x
                                                                                                             (3)
----------------------------------------------------------------------------------------------------------------
FERC-725B:
    Estimate of U.S. Entities that have                      345               1             320         110,400
     identified Critical Cyber Assets...........
    Estimate of U.S. Entities that have not                1,156               1               8           9,248
     identified Critical Cyber Assets...........
    New U.S. Entities that have to come into                  *6               1           1,176           7,056
     compliance with the CIP Standards \7\......
                                                 ---------------------------------------------------------------
        Totals..................................           1,501  ..............  ..............         126,704
----------------------------------------------------------------------------------------------------------------
* not included in the 1,501 total because it is assumed that on average, six entities per year will no longer
  have to comply with the CIP standards.

    The total estimated annual cost burden to respondents is:
---------------------------------------------------------------------------

    \5\ The NERC Compliance Registry as of 9/28/2010 indicated that 
2079 entities were registered for NERC's compliance program. Of 
these, 2057 were identified as being U.S. entities. Staff concluded 
that of the 2057 U.S. entities, only 1501 were registered for at 
least one CIP related function. According to an April 7, 2009 memo 
to industry, NERC's VP and Chief Security Officer noted that only 
31% of entities responded to an earlier survey and reported that 
they had at least one Critical Asset, and only 23% reported having a 
Critical Cyber Asset. Staff applied the 23% reporting to the 1501 
figure to obtain an estimate. The 6 new entities listed here are 
assumed to match a similar set of 6 entities that would drop out in 
an existing year. Thus, the net estimate of respondents remains at 
1501 per year.
    \6\ This figure relates to NERC's audit schedule which requires 
NERC to engage in a compliance Audit once every 3 to 5 years. For 
simplicity, staff has divided the total number of hours by 3 to 
reflect the amount of time annually spent preparing documents. Staff 
assumed that each CIP audit or spot check would require four 
individuals 6 weeks to prepare and demonstrate compliance with CIP 
standards for entities that have identified Critical Cyber Assets. 
Staff estimated that entities that do not have Critical Cyber Assets 
would still be required to demonstrate compliance with CIP-002, 
which would require one individual approximately three days to 
execute.
    \7\ This category of respondents (with the corresponding burden) 
was not included in the 60-day public notice due to an oversight by 
Commission staff.
---------------------------------------------------------------------------

     Entities that have identified Critical Assets = 110,400 
hours @ $96 = $10,598,400.
     Entities that have not identified Critical Assets = 9,248 
hours @ $96 = $887,808.
     Storage Costs for Entities that have identified Critical 
Assets \8\ = 315 Entities @ $15.25 = $4,804.
---------------------------------------------------------------------------

    \8\ This cost category was not included in the 60-day public 
notice due to an oversight by Commission staff.

The hourly rate of $96 is the average cost of legal services ($230 per 
hour), technical employees ($40 per hour) and administrative support 
($18 per hour), based on hourly rates from the Bureau of Labor 
Statistics (BLS) and the 2009 Billing Rates and Practices Survey 
Report.\9\ The $15.25 rate for storage costs for each entity is an 
estimate based on the average costs to service and store 1 GB of data 
to demonstrate compliance with the CIP standards.\10\
---------------------------------------------------------------------------

    \9\ Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates 
figures were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based 
on the national average billing rate (contracting out) from the 
above report and BLS hourly earnings (in-house personnel). It is 
assumed that 25% of respondents have in-house legal personnel.
    \10\ Based on the aggregate cost of an IBM advanced data 
protection server.
---------------------------------------------------------------------------

    The reporting burden includes the total time, effort, or financial 
resources expended to generate, maintain, retain, disclose, or provide 
the information including: (1) Reviewing instructions; (2) developing, 
acquiring, installing, and utilizing technology and systems for the 
purposes of collecting, validating, verifying, processing, maintaining, 
disclosing and providing information; (3) adjusting the existing ways 
to comply with any previously applicable instructions and requirements; 
(4) training personnel to respond to a collection of information; (5) 
searching data sources; (6) completing and reviewing the collection of 
information; and (7) transmitting, or otherwise disclosing the 
information.
    Comments are invited on: (1) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimates of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information to be collected; and (4) ways to 
minimize the burden of the collections of information on those who are 
to respond, including the use of appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology, e.g. permitting electronic submission of 
responses.

    Dated: March 31, 2011.
Kimberly D. Bose,
Secretary.
[FR Doc. 2011-8248 Filed 4-6-11; 8:45 am]
BILLING CODE 6717-01-P