[Federal Register Volume 79, Number 227 (Tuesday, November 25, 2014)]
[Rules and Regulations]
[Pages 70069-70085]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-27908]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM14-15-000; Order No. 802]


Physical Security Reliability Standard

AGENCY: Federal Energy Regulatory Commission, Energy.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves 
Reliability Standard CIP-014-1 (Physical Security). The North American 
Electric Reliability Corporation, the Commission-certified Electric 
Reliability Organization, submitted Reliability Standard CIP-014-1 for 
Commission approval in response to a Commission order issued on March 
7, 2014. The purpose of Reliability Standard CIP-014-1 is to enhance 
physical security measures for the most critical Bulk-Power System 
facilities and thereby lessen the overall vulnerability of the Bulk-
Power System against physical attacks. In addition, the Commission 
directs NERC to develop one modification to Reliability Standard CIP-
014-1 and submit an informational filing.

DATES:  This rule is effective January 26, 2015.

FOR FURTHER INFORMATION CONTACT: 
Regis Binder (Technical Information), Office of Electric Reliability, 
Division of Reliability Standards and Security, Federal Energy 
Regulatory Commission, 888 First Street NE., Washington, DC 20426, 
Telephone: (301) 665-1601.

Matthew Vlissides (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, Telephone: (202) 502-8408.

SUPPLEMENTARY INFORMATION: 

Order No. 802

Final Rule

(Issued November 20, 2014)
    1. Pursuant to section 215 of the Federal Power Act (FPA), the 
Commission approves Reliability Standard CIP-014-1 (Physical 
Security).\1\ The North American Electric Reliability Corporation 
(NERC), the Commission-certified Electric Reliability Organization 
(ERO), submitted Reliability Standard CIP-014-1 for Commission approval 
in response to a Commission order issued on March 7, 2014.\2\ The 
purpose of Reliability Standard CIP-014-1 is to enhance physical 
security measures for the most critical Bulk-Power System facilities 
and thereby lessen the overall vulnerability of the Bulk-Power System 
facilities against physical attacks. In addition to approving 
Reliability Standard CIP-014-1, as discussed below, the Commission 
directs NERC to submit an informational filing and, pursuant to FPA 
section 215(d)(5), directs NERC to develop a modification to 
Reliability Standard CIP-014-1.\3\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o.
    \2\ Reliability Standards for Physical Security Measures, 146 
FERC ¶ 61,166 (2014) (March 7 Order).
    \3\ 16 U.S.C. 824o(d)(5).
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    2. Section 215 of the FPA requires the Commission to certify an ERO 
to develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Once approved, the Reliability 
Standards may be enforced in the United States by the ERO, subject to 
Commission oversight, or by the Commission independently.\4\
---------------------------------------------------------------------------

    \4\ Id. 824o(e).
---------------------------------------------------------------------------

B. March 7 Order

    3. In the March 7 Order, the Commission determined that physical 
attacks on the Bulk-Power System could adversely impact the reliable 
operation of the Bulk-Power System, resulting in instability, 
uncontrolled separation, or cascading failures. Moreover, the 
Commission observed that the then current Reliability Standards did not 
specifically require entities to take steps to reasonably protect 
against physical security attacks on the Bulk-Power System. 
Accordingly, to carry out section 215 of the FPA and to provide for the 
reliable operation of the Bulk-Power System, the Commission directed 
NERC, pursuant to FPA section 215(d)(5), to develop and file for 
approval proposed Reliability Standards that address threats and 
vulnerabilities to the physical security of critical facilities on the 
Bulk-Power System.
    4. The March 7 Order indicated that the Reliability Standards 
should require owners or operators of the Bulk-Power System to take at 
least three steps to address the risks that physical security attacks 
pose to the reliable operation of the Bulk-Power System. Specifically, 
the March 7 Order directed that the Reliability Standards should 
require: (1) Owners or operators of the Bulk-Power System to perform a 
risk assessment of their systems to identify their ``critical 
facilities''; (2) owners or operators of the identified critical 
facilities to evaluate the potential threats and vulnerabilities to 
those identified facilities; and (3) those owners or operators of 
critical facilities to develop and implement a security plan designed 
to protect against attacks to those identified critical facilities 
based on the assessment of the potential threats and vulnerabilities to 
their physical security.
    5. The March 7 Order stated that the risk assessment used by an 
owner or operator to identify critical facilities should be verified by 
an entity other than the owner or operator, such as by NERC, the 
relevant Regional Entity, a reliability coordinator, or another 
entity.\5\ In addition, the March 7 Order indicated that the 
Reliability Standards should include a procedure for the verifying 
entity, as well as the Commission, to add or remove facilities from an 
owner's or operator's list of critical facilities.\6\ The March 7 Order 
further stated that the determination of threats and vulnerabilities 
and the security plan should be reviewed by NERC, the relevant Regional 
Entity, the reliability coordinator, or another entity with appropriate 
expertise.
---------------------------------------------------------------------------

    \5\ March 7 Order, 146 FERC ¶ 61,166 at P 11.
    \6\ Id.
---------------------------------------------------------------------------

    6. The March 7 Order stated that, because the three steps of 
compliance with the contemplated Reliability Standards could contain 
sensitive or confidential information that, if released to the public, 
could jeopardize the reliable operation of the Bulk-Power System, NERC 
should include in the Reliability Standards a procedure that will 
ensure confidential treatment of sensitive or confidential information 
but still allow for the Commission, NERC and the Regional Entities to 
review and inspect any information that is needed 
to ensure compliance with the Reliability Standards.\7\
---------------------------------------------------------------------------

    \7\ Id. P 10.
---------------------------------------------------------------------------

    7. The Commission directed NERC to submit the proposed Reliability 
Standards to the Commission for approval within 90 days of issuance of 
the March 7 Order (i.e., June 5, 2014).

C. NERC Petition

    8. On May 23, 2014, NERC petitioned the Commission to approve 
Reliability Standard CIP-014-1 and its associated violation risk 
factors and violation severity levels, implementation plan, and 
effective date.\8\ NERC maintains that the Reliability Standard is 
just, reasonable, not unduly discriminatory, or preferential, and in 
the public interest. In addition, NERC asserts that the proposed 
Reliability Standard complies with the Commission's directives in the 
March 7 Order.
---------------------------------------------------------------------------

    \8\ NERC explains that, to meet the 90-day deadline in the March 
7 Order, the NERC Standards Committee approved waivers to NERC's 
Standard Processes Manual to shorten the comment and ballot periods 
for the Standards Authorization Request and draft Reliability 
Standard. NERC Petition at 13-14. Reliability Standard CIP-014-1 is 
not attached to this Final Rule. The complete text of Reliability 
Standard CIP-014-1 is available on the Commission's eLibrary 
document retrieval system in Docket No. RM14-15-000 and is posted on 
the ERO's Web site, available at http://www.nerc.com.
---------------------------------------------------------------------------

    9. NERC explains that Reliability Standard CIP-014-1 ``serves the 
vital reliability goal of enhancing physical security measures for the 
most critical Bulk-Power System facilities and lessening the overall 
vulnerability of the Bulk-Power System to physical attacks.'' \9\ NERC 
maintains that the ``appropriate focus of the proposed Reliability 
Standard is Transmission stations and Transmission substations, which 
are uniquely essential elements of the Bulk-Power System.'' \10\ The 
Reliability Standard is applicable to transmission owners that satisfy 
the Applicability Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4, and 
to transmission operators. NERC states that the transmission facilities 
covered by Applicability Sections 4.1.1.1 through 4.1.1.4 match the 
``Medium Impact'' transmission facilities listed in Attachment 1 
(Impact Rating Criteria), specifically, the ``Medium Impact'' 
facilities described in Sections 2.4, 2.5, 2.6, and 2.7, of Reliability 
Standard CIP-002-5.1.\11\ According to NERC, the ``standard drafting 
team determined that using the criteria for `Medium Impact' 
Transmission Facilities set forth in Reliability Standard CIP-002-5.1 
is an appropriate applicability threshold as the Commission has 
acknowledged that it is a technically sound basis for identifying 
Transmission Facilities, which, if compromised, would present an 
elevated risk to the Bulk-Power System.'' \12\
---------------------------------------------------------------------------

    \9\ NERC Petition at 15-16.
    \10\ Id. at 18. NERC states that, although the terms 
``Transmission stations'' and ``Transmission substations'' are 
sometimes used interchangeably, Reliability Standard CIP-014-1 uses 
the term ``Transmission substation'' to refer to a facility 
contained within a physical border (e.g., a fence or wall) that 
contains one or more autotransformers. Id. According to NERC, the 
term ``Transmission station,'' as used in Reliability Standard CIP-
014-1, refers to a facility that functions as a switching station or 
switchyard but does not contain autotransformers. Id. at 18-19.
    \11\ Id. at 25 (citing Reliability Standard CIP-002-5.1 (Cyber 
Security--BES Cyber System Categorization), Attachment 1 (Impact 
Rating Criteria)).
    \12\ Id.
---------------------------------------------------------------------------

    10. Reliability Standard CIP-014-1 has six requirements. 
Requirement R1 requires applicable transmission owners to perform risk 
assessments on a periodic basis to identify their transmission stations 
and transmission substations that, if rendered inoperable or damaged, 
could result in widespread instability, uncontrolled separation, or 
cascading within an Interconnection. Requirement R1 also requires 
transmission owners to identify the primary control center that 
operationally controls each of the identified transmission stations or 
transmission substations.
    11. Requirement R2 requires that each applicable transmission owner 
have an unaffiliated third party with appropriate experience verify the 
risk assessment performed under Requirement R1. Requirement R2 states 
that the transmission owner must either modify its identification of 
facilities consistent with the verifier's recommendation or document 
the technical basis for not doing so. In addition, Requirement R2 
requires each transmission owner to implement procedures for protecting 
sensitive or confidential information made available to third-party 
verifiers or developed under the Reliability Standard from public 
disclosure.
    12. Requirement R3 requires the transmission owner to notify a 
transmission operator that operationally controls a primary control 
center identified under Requirement R1 of such identification to ensure 
that the transmission operator has notice of the identification so that 
it may timely fulfill its obligations under Requirements R4 and R5 to 
protect the primary control center.
    13. Requirement R4 requires each applicable transmission owner and 
transmission operator to conduct an evaluation of the potential threats 
and vulnerabilities of a physical attack on each of its respective 
transmission stations, transmission substations, and primary control 
centers identified as critical in Requirement R1.
    14. Requirement R5 requires each transmission owner and 
transmission operator to develop and implement documented physical 
security plans that cover each of their respective transmission 
stations, transmission substations, and primary control centers 
identified as critical in Requirement R1.
    15. Requirement R6 requires that each transmission owner and 
transmission operator subject to Requirements R4 and R5 have an 
unaffiliated third party with appropriate experience review its 
Requirement R4 evaluation and Requirement R5 security plan. Requirement 
R6 states that the transmission owner or transmission operator must 
either modify its evaluation and security plan consistent with the 
recommendation, if any, of the reviewer or document its reasons for not 
doing so. In addition, Requirement R6 requires each transmission owner 
to implement procedures for protecting sensitive or confidential 
information made available to third-party reviewers or developed under 
the Reliability Standard from public disclosure.

D. Notice of Proposed Rulemaking

    16. On July 17, 2014, the Commission issued a Notice of Proposed 
Rulemaking proposing to approve Reliability Standard CIP-014-1 as just, 
reasonable, not unduly discriminatory or preferential, and in the 
public interest.\13\ In addition, the NOPR proposed to direct NERC to 
develop two modifications to the Reliability Standard. First, the NOPR 
proposed to direct NERC to develop a modification to allow applicable 
governmental authorities (i.e., the Commission and any other 
appropriate federal or provincial authorities) to add or subtract 
facilities from an applicable entity's list of critical facilities 
under Requirement R1.\14\ Second, the NOPR proposed to direct NERC to 
modify the Reliability Standard to remove the term ``widespread'' as it 
appears in the phrase ``widespread instability'' in Requirement R1.\15\ 
The NOPR also proposed to direct NERC to submit two informational 
filings, one addressing the protection of ``High Impact'' control 
centers and the other addressing resiliency measures, to be submitted, 
respectively, within six months and one 
year following the effective date of a final rule in this 
proceeding.\16\
---------------------------------------------------------------------------

    \13\ Physical Security Reliability Standard, Notice of Proposed 
Rulemaking, 79 FR 42,734 (July 23, 2014), 148 FERC ¶ 61,040 (2014) 
(NOPR).
    \14\ Id. P 23.
    \15\ Id. P 29.
    \16\ Id. PP 35, 57.
---------------------------------------------------------------------------

    17. In response to the NOPR, the Commission received 33 sets of 
initial comments and six sets of reply comments. We address below the 
issues raised in the NOPR and comments. The Appendix to this final rule 
lists the entities that filed comments in response to the NOPR.

II. Discussion

    18. Pursuant to FPA section 215(d)(2), we approve Reliability 
Standard CIP-014-1 as just, reasonable, not unduly discriminatory or 
preferential, and in the public interest. The Commission also approves 
the associated violation risk factors, violation severity levels, 
implementation plan, and effective date proposed by NERC (i.e., the 
``first day of the first calendar quarter that is six months beyond'' 
the effective date of the final rule in this proceeding).\17\ As 
discussed below, the Commission determines that Reliability Standard 
CIP-014-1 satisfies the directives in the March 7 Order concerning the 
development and submittal of physical security Reliability Standards.
---------------------------------------------------------------------------

    \17\ NERC Petition, Exhibit B (Implementation Plan) at 1.
---------------------------------------------------------------------------

    19. In addition to approving Reliability Standard CIP-014-1, the 
Commission adopts in part the NOPR proposal directing NERC to develop 
and submit modifications to the Reliability Standard concerning the use 
of the term ``widespread'' in Requirement R1. The Commission determines 
that the term ``widespread'' is unclear with respect to the obligations 
it imposes on applicable entities; how it would be implemented by 
applicable entities; and how it would be enforced. Accordingly, the 
Commission directs NERC, pursuant to FPA section 215(d)(5), to remove 
the term ``widespread'' from Reliability Standard CIP-014-1 or, 
alternatively, to propose modifications to the Reliability Standard 
that address the Commission's concerns. We direct that NERC submit a 
responsive modification within six months from the effective date of 
this final rule.
    20. The Commission does not adopt the NOPR proposal that would have 
required NERC to develop and submit modifications to Reliability 
Standard CIP-014-1 to allow applicable governmental authorities (i.e., 
the Commission and any other appropriate federal or provincial 
authorities) to add or subtract facilities from an applicable entity's 
list of critical facilities under Requirement R1. We determine that the 
Commission's enforcement authority under FPA section 215(e), and 
particularly the use of targeted auditing following implementation of 
Reliability Standard CIP-014-1, will allow us to address the concerns 
raised in the NOPR.
    21. With respect to the informational filings proposed in the NOPR, 
the Commission adopts the proposal to direct NERC to make an 
informational filing addressing whether Reliability Standard CIP-014-1 
provides physical security for all ``High Impact'' control centers, as 
that term is defined in Reliability Standard CIP-002-5.1, necessary for 
the reliable operation of the Bulk-Power System. However, the 
Commission extends the deadline for that informational filing until two 
years following the effective date of Reliability Standard CIP-014-1. 
The Commission, at this time, does not adopt the NOPR proposal to 
direct NERC to make an informational filing addressing resiliency. 
Instead, the Commission will continue to consider ways for industry to 
best inform the Commission of its current and future resiliency 
efforts, which could take the form of reports and/or technical 
conferences to address specific areas of concern (e.g., spare parts, 
fuel security, and advanced technologies).
    22. We address below the following issues raised in the NOPR and in 
the comments: (A) Removal of the term ``widespread''; (B) applicable 
governmental authorities' ability to add or subtract facilities from an 
entity's list of critical facilities; (C) informational filing on 
``High Impact'' control centers; (D) informational filing on 
resiliency; (E) third-party verification and review; (F) exclusion of 
generators from the applicability section of Reliability Standard CIP-
014-1; (G) confidentiality; (H) other issues raised in comments; (I) 
violation risk factors and violation severity levels; and (J) 
implementation plan and effective date.

A. Removal of the Term ``Widespread''

March 7 Order
    23. The March 7 Order stated that a critical facility is ``one 
that, if rendered inoperable or damaged, could have a critical impact 
on the operation of the interconnection through instability, 
uncontrolled separation or cascading failures on the Bulk-Power 
System.'' \18\
---------------------------------------------------------------------------

    \18\ March 7 Order, 146 FERC ¶ 61,166 at P 6.
---------------------------------------------------------------------------

NERC Petition
    24. Reliability Standard CIP-014-1 states that its purpose is to 
``identify and protect Transmission stations and Transmission 
substations, and their associated primary control centers, that if 
rendered inoperable or damaged as a result of a physical attack could 
result in widespread instability, uncontrolled separation, or Cascading 
within an Interconnection.'' \19\ Requirement R1 states that the 
``initial and subsequent risk assessments shall consist of a 
transmission analysis or transmission analyses designed to identify the 
Transmission station(s) and Transmission substation(s) that if rendered 
inoperable or damaged could result in widespread instability, 
uncontrolled separation, or Cascading within an Interconnection.''
---------------------------------------------------------------------------

    \19\ NERC Petition at 17.
---------------------------------------------------------------------------

NOPR
    25. The NOPR proposed to direct NERC to modify Reliability Standard 
CIP-014-1 to remove the term ``widespread'' as it appears in the phrase 
``widespread instability.'' The NOPR stated that the phrase 
``widespread instability'' is undefined by NERC and is inconsistent 
with the March 7 Order's explanation of ``critical facility'' and the 
definition of ``reliable operation'' in FPA section 215(a)(4).\20\
---------------------------------------------------------------------------

    \20\ ``[A facility] that, if rendered inoperable or damaged, 
could have a critical impact on the operation of the interconnection 
through instability, uncontrolled separation or cascading failures 
on the Bulk-Power System.'' March 7 Order, 146 FERC ¶ 61,166 at P 6; 
16 U.S.C. 824o(a)(4) (``The term `reliable operation' means 
operating the elements of the bulk-power system within equipment and 
electric system thermal, voltage, and stability limits so that 
instability, uncontrolled separation, or cascading failures of such 
system will not occur as a result of a sudden disturbance, including 
a cybersecurity incident, or unanticipated failure of system 
elements.'').
---------------------------------------------------------------------------

    26. The NOPR stated that the use of ``widespread instability'' in 
Requirement R1 could, depending on the meaning of ``widespread,'' 
narrow the scope (and number) of identified critical facilities under 
Reliability Standard CIP-014-1 beyond what was contemplated in the 
March 7 Order. The NOPR also stated that the use of the term 
``widespread'' could potentially render the Reliability Standard 
unenforceable or lead to an inadequate level of reliability by omitting 
facilities that are critical to the reliable operation of the Bulk-
Power System.
Comments
    27. NERC comments that it does not oppose the NOPR directive but 
that the modification should be developed through NERC's standards 
development process and NERC should be allowed to propose alternative 
clarifying language ``to ensure the proposed Reliability Standard 
remains focused on Interconnection impacts and not local 
impacts.'' \21\ NERC states that the term ``widespread'' was used to 
focus applicable entities' security efforts on facilities whose loss 
would have more than a local area impact.
---------------------------------------------------------------------------

    \21\ NERC Comments at 19.
---------------------------------------------------------------------------

    28. SIA, Idaho Power, Pa PUC, SmartSenseCom, Foundation and Pepco 
support the NOPR proposal because they believe that the term 
``widespread'' is vague or inconsistent with the definition of 
``reliable operation'' in FPA section 215.\22\ Pepco, for example, 
states that the term ``widespread'' is ambiguous, will require requests 
for clarification or interpretation and will expose applicable entities 
to ``second-guessing'' from auditors. KCP&L, while it does not state 
that it supports the proposal, acknowledges that the term 
``widespread'' is vague and that the term ``introduces interpretive 
language that may be problematic for compliance and enforcement 
interpretations as well as unintentionally narrow the scope of 
facilities.'' \23\
---------------------------------------------------------------------------

    \22\ See SIA Comments at 2; Idaho Power Comments at 2; Pa PUC 
Comments at 5; Pepco Comments at 4-5; SmartSenseCom Comments at 7-8; 
Foundation Reply Comments at 7.
    \23\ KCP&L Comments at 4.
---------------------------------------------------------------------------

    29. Other commenters do not support the proposed directive largely 
because they contend that the proposal may have the unintended 
consequence of expanding the scope of Reliability Standard CIP-014-1 to 
include localized events that have no impact on an Interconnection.\24\ 
APS, SCE, SDG&E, and G&T Cooperatives also maintain that while the term 
``widespread'' is not defined by NERC, it appears elsewhere in the 
Reliability Standards, including in NERC's definition of ``Cascading'' 
and in the TPL Reliability Standards, and is understood by industry. 
Associations also state that the Commission should withdraw the NOPR 
proposal; however, Associations state that, in the alternative, the 
Commission should clarify that removal of the term ``widespread'' is 
not intended to bring within the scope of Reliability Standard CIP-014-
1 ``a substation or station unless the applicable Transmission Owner 
determines through technical studies and analyses that include the 
application of engineering judgment and practice that the loss of such 
facility would have a critical impact on the operation of the [bulk 
electric system] in the event the asset is rendered inoperable or 
damaged.'' \25\ NARUC states that the proposal will add costs without 
necessarily improving reliability.
---------------------------------------------------------------------------

    \24\ See APS Comments at 3; SCE Comments at 3; SDG&E Comments at 
4-5; TVA Comments at 9-10; Tallahassee Comments at 1; Oncor Comments 
at 3-4; Ohio PUC Comments at 4-5; BPA Comments at 3; NARUC Comments 
at 11; G&T Cooperatives Comments at 8-11; Southern Comments at 7-10.
    \25\ Associations Comments at 14-15; see also APS Comments at 3-
4, Southern Comments at 11.
---------------------------------------------------------------------------

    30. ITC, while agreeing that the term ``widespread'' is not well-
defined and would render the Reliability Standard vague, contends that 
the definition of critical facility in Requirement R1 should be 
replaced by defining as critical all physical facilities that contain 
``High Impact'' or ``Medium Impact'' BES Cyber Systems as those terms 
are defined in Reliability Standard CIP-002-5.1.
Commission Determination
    31. The Commission adopts the NOPR proposal in part and directs 
NERC to remove the term ``widespread'' from Reliability Standard CIP-
014-1 or, alternatively, to propose modifications to the Reliability 
Standard that address the Commission's concerns. The differing views 
expressed in the comments validate the concern raised in the NOPR that 
the meaning of the term ``widespread'' is unclear and subject to 
interpretation.
    32. We stated in the March 7 Order that ``the Reliability Standards 
that we are ordering today apply only to critical facilities that, if 
rendered inoperable or damaged, could have a critical impact on the 
operation of the interconnection through instability, uncontrolled 
separation or cascading failures on the Bulk-Power System.'' \26\ We 
affirm the March 7 Order's statement that ``[m]ethodologies to 
determine these facilities should be based on objective analysis, 
technical expertise, and experienced judgment.'' \27\
---------------------------------------------------------------------------

    \26\ March 7 Order, 146 FERC ¶ 61,166 at P 6 n.5.
    \27\ Id. P 6.
---------------------------------------------------------------------------

    33. However, incorporating the undefined term ``widespread'' in 
Reliability Standard CIP-014-1 introduces excessive uncertainty in 
identifying critical facilities under Requirement R1.\28\ As the 
Commission stated in the March 7 Order, only an instability that has a 
``critical impact on the operation of the interconnection'' warrants 
finding that the facility causing the instability is critical under 
Requirement R1. The March 7 Order did not intend to suggest that the 
physical security Reliability Standards should address facilities that 
do not have a ``critical impact on the operation of the 
interconnection.'' This understanding is, we believe, unintentionally 
absent in Requirement R1 because the requirement only deems a facility 
critical when, if rendered inoperable or damaged, it could result in 
widespread instability, uncontrolled separation, or Cascading within an 
Interconnection. The definition in Requirement R1 should not be 
dependent on how an applicable entity interprets the term 
``widespread'' but instead should be modified to make clear that a 
facility that has a critical impact on the operation of an 
Interconnection is critical and therefore subject to Requirement R1.
---------------------------------------------------------------------------

    \28\ See Version 5 Critical Infrastructure Protection 
Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 
145 FERC ¶ 61,160, at P 67 (2013), order granting clarification in 
part and denying rehearing, Order No. 791-A, 146 FERC ¶ 61,188 
(2014) (directing removal or clarification of ``identify, assess and 
correct'' language).
---------------------------------------------------------------------------

    34. While some commenters contend that the meaning of the term 
``widespread'' is well-understood by industry, we find that there is 
ample evidence in the record to support the conclusion that the term is 
susceptible to different interpretations by applicable entities. 
Notably, KCP&L states that, while it was a participant in the standards 
drafting process for Reliability Standard CIP-014-1, it agrees that the 
term requires interpretation. Moreover, KCP&L and Pepco share our 
concern that compliance enforcement authorities may find it difficult 
to consistently enforce compliance with Requirement R1 without a clear 
understanding of the term's meaning.
    35. Accordingly, pursuant to FPA section 215(d)(5), the Commission 
directs NERC to develop a modification to Reliability Standard CIP-014-
1 that either removes the term ``widespread'' from Requirement R1 or, 
in the alternative, proposes changes that address the Commission's 
concerns. Further, we direct that NERC submit a responsive modification 
within six months from the effective date of this final rule. We 
recognize that certain entities commented on how NERC could modify 
Reliability Standard CIP-014-1 to address the Commission's stated 
concerns.\29\ However, we conclude that it is appropriate to allow NERC 
to develop and propose a modification in the first instance. With 
respect to ITC's more general comments regarding the scope of critical 
facilities in Requirement R1, we address the potential for applying the 
impact designations in Reliability Standard CIP-002-5.1 to Reliability 
Standard CIP-014-1, Requirement R1 in the section below regarding the 
NOPR's proposed informational filing on ``High Impact'' control 
centers.
---------------------------------------------------------------------------

    \29\ See, e.g., BPA Comments at 2; Ohio PUC Comments at 5; TVA 
Comments at 9; ITC Comments at 9.

---------------------------------------------------------------------------

B. Applicable Governmental Authority's Ability To Add or Subtract 
Facilities From an Entity's List of Critical Facilities

March 7 Order
    36. In the March 7 Order, the Commission stated that:

    [T]he risk assessment used by an owner or operator to identify 
critical facilities should be verified by an entity other than the 
owner or operator. Such verification could be performed by NERC, the 
relevant Regional Entity, a Reliability Coordinator, or another 
entity. The Reliability Standards should include a procedure for the 
verifying entity, as well as the Commission, to add or remove 
facilities from an owner's or operator's list of critical 
facilities. . . .\30\
---------------------------------------------------------------------------

    \30\ March 7 Order, 146 FERC ¶ 61,166 at P 11.
---------------------------------------------------------------------------

NERC Petition
    37. Reliability Standard CIP-014-1 does not include a procedure 
that allows the Commission to add or subtract facilities from an 
applicable entity's list of critical facilities under Requirement R1. 
Instead, NERC states that the Commission has the existing authority to 
enforce NERC Reliability Standards pursuant to FPA section 
215(e)(3).\31\ NERC explains that a transmission owner must be able to 
demonstrate that its method for performing its risk assessment under 
Requirement R1 ``was technically sound and reasonably designed to 
identify its critical Transmission stations and Transmission 
substations.'' \32\ NERC maintains that if ``in the course of assessing 
an entity's compliance with the proposed Reliability Standard, NERC, a 
Regional Entity or [the Commission] finds that the entity's 
transmission analysis was patently deficient and the Requirement R2 
verification process did not cure those deficiencies, they could use 
their enforcement authority to compel Transmission Owners to re-perform 
the risk assessment using assumptions designed to identify the 
appropriate critical facilities.'' \33\
---------------------------------------------------------------------------

    \31\ NERC Petition at 37.
    \32\ Id.
    \33\ Id.
---------------------------------------------------------------------------

NOPR
    38. The NOPR stated that Reliability Standard CIP-014-1 does not 
include a procedure that allows the Commission to add or subtract 
facilities from an applicable entity's list of critical facilities. The 
NOPR stated that if the Commission determined through an audit of an 
applicable entity, or through some other means, that a critical 
facility does not appear on the entity's list of critical facilities, 
there is no provision in Reliability Standard CIP-014-1 to allow the 
Commission to require its inclusion. In the NOPR, the Commission 
proposed to direct NERC to modify the physical security Reliability 
Standard to ``include a procedure that would allow applicable 
governmental authorities, i.e., the Commission and any other 
appropriate federal or provincial authorities, to add or subtract 
facilities from an applicable entity's list of critical facilities.'' 
\34\
---------------------------------------------------------------------------

    \34\ NOPR, 148 FERC ¶ 61,040 at P 23.
---------------------------------------------------------------------------

Comments
    39. NERC asserts that the Commission should not adopt the NOPR 
proposal. NERC maintains that the proposal is unnecessary because it 
duplicates existing Commission compliance monitoring and enforcement 
authority.\35\ Moreover, NERC contends that the NOPR's concerns 
surrounding the use of existing compliance and enforcement methods to 
ensure compliance with Requirement R1 are unsubstantiated. NERC states 
that if the NOPR proposal is adopted, then the Commission must better 
justify the reasons for the directive and limit and clarify the scope 
and content of the proposed directive.
---------------------------------------------------------------------------

    \35\ NERC Comments at 8 (``the Commission can use its broad 
enforcement authority to make certain that the applicable entity re-
performs the risk assessment on whatever timeline the Commission 
deems appropriate or face penalties or sanctions under the FPA'').
---------------------------------------------------------------------------

    40. Pa PUC, Foundation, SmartSenseCom and Paschall state that they 
support the NOPR proposal.\36\ Other commenters do not oppose the 
proposal but maintain that it should be clarified or modified if 
adopted by the Commission.\37\
---------------------------------------------------------------------------

    \36\ Pa PUC Comments at 5; Foundation Comments at 3; 
SmartSenseCom Comments at 6; Paschall Comments at 2.
    \37\ See G&T Cooperatives Comments at 3-8; ITC Comments at 12; 
NYPSC Comments at 5-7; Pepco Comments at 5-7; Idaho Power Comments 
at 1-2.
---------------------------------------------------------------------------

    41. The majority of commenters do not support the NOPR proposal for 
various legal and policy reasons.\38\ Associations' comments are 
representative of this viewpoint in that they address: (1) The 
statutory authority to modify critical facility lists or otherwise 
allow the Commission (or any other governmental authority) an 
operational role in the performance of a Reliability Standard; (2) how 
the Commission would afford entities due process in determining whether 
to direct the addition or removal of facilities while still maintaining 
confidentiality; and (3) what constitutes ``any other appropriate 
federal or provincial authorities'' and the legal authority and 
advisability of delegating responsibility to another government entity. 
Like NERC, Associations contend that the Commission already possesses 
the compliance and enforcement authority to ensure that applicable 
entities comply with Requirement R1.\39\ Specifically, Associations 
state that the ``Commission has sufficient existing enforcement 
authority under the FPA to take actions to address concerns raised in 
the NOPR regarding the sufficiency of decisions made to identify 
critical facilities under CIP-014-1 . . . includ[ing] the use of 
traditional enforcement authority under Section 215(e)(3), including 
audits and investigations, which it has used on several occasions.'' 
\40\ Associations also request a technical conference in two years that 
addresses the implementation of Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \38\ See Southern Comments at 2-7; Trade Associations Comments 
at 5-12; GridWise Comments at 3-9; Duke Comments at 3-5; NARUC 
Comments at 4; KCP&L Comments at 2-4; SDG&E Comments at 3-4; Oncor 
Comments at 2-3; Entergy Comments at 1; TAPS Comments at 3-9; APS 
Comments at 2-3; BPA Comments at 2; SCE Comments at 2; Ohio PUC 
Comments at 3-4; TVA Comments at 6-9; CEA Comments at 3-9; NU 
Utilities Comments at 1.
    \39\ Associations Comments at 9; see also TAPS Comments at 5 
(``If the Commission finds a Registered Entity's risk assessment 
study to be inadequate because it lacks a critical facility, the 
Registered Entity will be in violation of [Requirement] R1 of the 
Physical Security standard . . . [t]he Commission could then direct 
a specific method of compliance . . . and impose daily penalties 
until the Registered Entity complies. If despite the threat of 
penalties, the Commission were concerned about the need for timely 
action, it could order the Registered Entity to come into compliance 
within a specified reasonable timeframe.'').
    \40\ Associations Comments at 9.
---------------------------------------------------------------------------

Commission Determination
    42. Based on our review of the comments, we determine not to adopt 
the NOPR proposal.
    43. We are persuaded by commenters that the NOPR directive would 
present NERC, as the entity that would have to develop the proposed 
modification, and the Commission, which would have to approve any NERC 
proposal, with a number of substantial policy issues. Ultimately, we 
believe that the NOPR proposal would require NERC and the Commission to 
expend resources that could be better applied elsewhere.
    44. The Commission, instead, will focus its resources on carrying 
out compliance and enforcement activities to ensure that critical 
facilities are identified under Requirement R1. In its comments, NERC 
indicated that NERC staff will submit to the NERC Board of Trustees a 
report three months following implementation of Requirements R1, R2 and 
R3 concerning the scope of facilities identified as 
critical, including the number of facilities identified as critical and 
their defining characteristics.\41\ NERC also committed to sending this 
report to Commission staff.\42\ Based on the results reported by NERC, 
we expect Commission staff to audit a representative number of 
applicable entities to ensure compliance with Reliability Standard CIP-
014-1. Depending on the audit findings, the Commission will determine 
if there is a need for any further action by the Commission including, 
but not limited to, directing NERC to develop modifications to 
Reliability Standard CIP-014-1 to provide greater specificity to the 
methodology for determining critical facilities. At this time, we will 
not direct Commission staff to convene a technical conference on 
implementation of Reliability Standard CIP-014-1 in two years' time, as 
requested by Associations. We may revisit that proposal at a later 
time.
---------------------------------------------------------------------------

    \41\ NERC Comments at 27-28. NERC's post-implementation reports 
are further discussed below.
    \42\ Id. at 28.
---------------------------------------------------------------------------

C. Informational Filing on ``High Impact'' Control Centers

March 7 Order
    45. The March 7 Order stated that a ``critical facility is one 
that, if rendered inoperable or damaged, could have a critical impact 
on the operation of the interconnection through instability, 
uncontrolled separation or cascading failures on the Bulk-Power 
System.'' \43\ The March 7 Order, while not mandating that a minimum 
number of facilities be deemed critical under the physical security 
Reliability Standards, explained that the ``Commission expects that 
critical facilities generally will include, but not be limited to, 
critical substations and critical control centers.'' \44\
---------------------------------------------------------------------------

    \43\ March 7 Order, 146 FERC ¶ 61,166 at P 6.
    \44\ Id. P 6, n.6.
---------------------------------------------------------------------------

NERC Petition
    46. NERC states that Reliability Standard CIP-014-1 addresses the 
protection of primary control centers, which NERC defines as facilities 
that ``operationally control[ ] a Transmission station or Transmission 
substation when the electronic actions from the control center can 
cause direct physical actions at the identified Transmission station or 
Transmission substation, such as opening a breaker.'' \45\
---------------------------------------------------------------------------

    \45\ NERC Petition at 19.
---------------------------------------------------------------------------

    47. NERC maintains that ``[c]ontrol centers that provide back-up 
capability and control centers that cannot operationally control a 
critical Transmission station or Transmission substation do not present 
similar direct risks to Real-time operations if they are the target of 
a physical attack,'' and thus they are not covered by Reliability 
Standard CIP-014-1.\46\ NERC explains that the destruction of a back-up 
control center would ``have no direct reliability impact in Real-time 
as the entity can continue operation . . . from its primary control 
center.'' \47\ With respect to control centers that do not physically 
operate Bulk-Power System facilities, such as control centers operated 
by reliability coordinators, NERC states that, while ``certain 
monitoring and oversight capabilities might be lost as a result of a 
physical attack on such control centers, the Transmission Owner or 
Transmission Operator that operationally controls the critical 
Transmission station or Transmission substation would be able to 
continue operating its transmission system to prevent widespread 
instability, uncontrolled separation, or Cascading within an 
Interconnection.'' \48\
---------------------------------------------------------------------------

    \46\ Id.
    \47\ Id. at 20.
    \48\ Id. at 20-21.
---------------------------------------------------------------------------

    48. NERC acknowledges that certain control centers categorized as 
``High Impact'' or ``Medium Impact'' under Reliability Standard CIP-
002-5.1 (Cyber Security--BES Cyber System Categorization) would not be 
covered control centers under Reliability Standard CIP-014-1.\49\ NERC 
explains that this situation:

reflects the different nature of cyber security risks and physical 
security risks at control centers . . . [a] primary cyber security 
concern for control centers is the corruption of data or information 
and the potential for operators to take action based on corrupted 
data or information . . . [and] [t]his concern exists at control 
centers that operationally control Bulk-Power System facilities and 
those that do not. As such, there is no distinction in CIP-002-5.1 
between these control centers . . . however, such a distinction is 
appropriate in the physical security context.\50\
---------------------------------------------------------------------------

    \49\ Reliability Standard CIP-002-5.1 (Cyber Security--BES Cyber 
System Categorization), Attachment 1 (Impact Rating Criteria).
    \50\ NERC Petition at 22 n.55.
---------------------------------------------------------------------------

    49. NERC points out that Reliability Standard CIP-006-5 already 
requires physical security protections that are ``designed to restrict 
physical access to locations containing High and Medium Impact Cyber 
Systems,'' which include control centers and backup control centers for 
reliability coordinators, balancing authorities, transmission operators 
and generation operators irrespective of their ability to operationally 
control Bulk-Power System facilities.\51\
---------------------------------------------------------------------------

    \51\ Id. at 21.
---------------------------------------------------------------------------

NOPR
    50. The NOPR proposed to direct NERC to make an informational 
filing within six months of the effective date of a final rule in this 
proceeding indicating whether the development of Reliability Standards 
that provide physical security for all ``High Impact'' control centers, 
as that term is defined in Reliability Standard CIP-002-5.1, is 
necessary for the reliable operation of the Bulk-Power System.
    51. The NOPR stated that primary and back-up control centers of 
functional entities other than transmission owners and operators 
identified as ``High Impact'' may warrant assessment and physical 
security controls under this Reliability Standard because a successful 
attack could prevent or impair situational awareness, especially from a 
wide-area perspective, or could allow attackers to distribute 
misleading and potentially harmful data and operating instructions that 
could result in instability, uncontrolled separation, or cascading 
failures.
    52. The NOPR stated that the proposed informational filing should 
address whether there is a need for consistent treatment of ``High 
Impact'' control centers for cybersecurity and physical security 
purposes through the development of Reliability Standards that afford 
physical protection to all ``High Impact'' control centers. The NOPR 
also stated that the development of physical security protections for 
all ``High Impact'' control centers would not be without precedent 
because, as noted above, Reliability Standard CIP-006-5 already 
requires that ``High Impact'' control centers have some physical 
protections, including restrictions on physical access, to protect BES 
Cyber Assets. However, the NOPR further stated that the security 
measures required by Reliability Standard CIP-006-5 may not be 
comparable to those required by Reliability Standard CIP-014-1, and 
thus may not be sufficient to ``deter, detect, delay, assess, 
communicate, and respond to potential threats and vulnerabilities'' as 
required in Requirement R5 of Reliability Standard CIP-014-1. Further, 
the NOPR stated that Reliability Standard CIP-006-5 does not require an 
``unaffiliated third party review'' of the evaluation and security plan 
required by Reliability Standard CIP-014-1.

Comments
    53. NERC states that it does not oppose submitting an informational 
filing to address whether ``High Impact'' control centers warrant 
assessment and physical security controls under Reliability Standard 
CIP-014-1. However, NERC requests that the Commission modify the NOPR 
proposal to give NERC at least 12 months from the effective date of a 
final rule in this proceeding to submit the informational filing.
    54. Other commenters, while not necessarily agreeing that all 
``High Impact'' control centers should be subject to Reliability 
Standard CIP-014-1, support the NOPR proposal for various reasons.\52\ 
Associations state that the informational filing ``will provide a more 
granular mapping of the strategic considerations embedded in the CIP 
standards . . . as well as consideration of the issues relating to 
control centers not covered by CIP-014-1.'' \53\ MISO and SDG&E state 
that the informational filing could be a useful way of identifying 
areas of possible improvement in the future. Some commenters, including 
Associations, recommend that the Commission direct NERC to submit the 
informational filing as critical energy infrastructure information 
(CEII).
---------------------------------------------------------------------------

    \52\ See Associations Comments at 16; KCP&L Comments at 4; 
Foundation Comments at 7; SDG&E Comments at 5; Pa PUC Comments at 6; 
SCE Comments at 4; MISO Comments at 6-7.
    \53\ Associations Comments at 16.
---------------------------------------------------------------------------

    55. ITC supports the proposed informational filing but states that 
the Commission should widen the scope of the informational filing to 
assess the benefits of extending Reliability Standard CIP-014-1 to all 
``High Impact'' and ``Medium Impact'' BES Cyber Assets. ITC states that 
the definition of ``critical'' assets is insufficiently comprehensive 
because it fails to provide physical security for facilities that 
contain crucial Cyber Assets. ITC further states that identifying 
critical facilities under Requirement R1 is unnecessary because 
applicable entities already have a list of facilities containing ``High 
Impact'' and ``Medium Impact'' Cyber Assets, which could also serve as 
the list of critical facilities for the purposes of Reliability 
Standard CIP-014-1. SIA agrees that Requirement R1 should be modified 
to include all ``High Impact'' control centers.
    56. Commenters opposed to the NOPR proposal contend that the 
informational filing is unnecessary or would be burdensome.\54\ Trade 
Associations state that Reliability Standard CIP-014-1 correctly 
focuses on the protection of primary control centers that operationally 
control transmission stations or substations identified under 
Requirement R1. Idaho Power states that Reliability Standard CIP-006-5 
contains enough physical access controls to meet the expectations of 
``deter, detect, delay, assess, communicate, and respond'' because 
there are extensive monitoring and alerting requirements that must be 
applied to all ``High Impact'' control centers. Reclamation states that 
Reliability Standard CIP-014-1 will capture all ``High Impact'' control 
centers as currently drafted. Pepco states that an informational filing 
would divert resources from implementation and compliance with 
Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \54\ Trade Associations Comments at 12; Pepco Comments at 7.
---------------------------------------------------------------------------

Commission Determination
    57. The Commission adopts the NOPR proposal and directs NERC to 
submit an informational filing that addresses whether there is a need 
for consistent treatment of ``High Impact'' control centers for 
cybersecurity and physical security purposes through the development of 
Reliability Standards that afford physical protection to all ``High 
Impact'' control centers. The Commission, however, modifies the NOPR 
proposal and extends the due date for the informational filing to two 
years following the effective date of Reliability Standard CIP-014-1.
    58. While we approve Reliability Standard CIP-014-1 in this final 
rule, including the Reliability Standard's treatment of control 
centers, the Commission, for the reasons set forth in the NOPR, finds 
that NERC should assess whether all ``High Impact'' control centers 
should be protected under Reliability Standard CIP-014-1.\55\ We 
recognize that NERC and applicable entities will be in a better 
position to provide this assessment after implementation of Reliability 
Standard CIP-014-1 and Reliability Standard CIP-006-5, the latter of 
which provides some physical protection to ``High Impact'' control 
centers. Accordingly, the Commission directs NERC to submit the 
informational filing two years following the effective date of 
Reliability Standard CIP-014-1. The Commission, while not directing 
NERC to submit the informational filing as CEII, recognizes the 
concerns raised by commenters regarding confidentiality. The Commission 
expects NERC to prepare the informational filing and submit it in such 
a way as to protect any critical information from public disclosure.
---------------------------------------------------------------------------

    \55\ See NOPR, 148 FERC ¶ 61,040 at PP 35-39.
---------------------------------------------------------------------------

    59. At this time, the Commission will not direct NERC to address in 
the informational filing whether all ``High Impact'' and ``Medium 
Impact'' BES Cyber Assets should be considered critical for the 
purposes of Reliability Standard CIP-014, Requirement R1. We are 
sympathetic to several points raised in ITC's comments, which echo some 
of the statements in the NOPR. However, as stated in the NOPR, the 
basis for directing an informational filing regarding control centers 
is found in the March 7 Order, where the Commission stated that it 
``expects that critical facilities generally will include, but not be 
limited to, critical substations and critical control centers.'' \56\ 
While NERC explained why not all ``High Impact'' control centers may be 
critical for the purposes of Reliability Standard CIP-014-1, we 
conclude that this issue requires close attention and should be 
addressed in the informational filing. The broader concerns raised by 
ITC regarding the scope of Requirement R1 can be evaluated by NERC and 
industry as part of the implementation process. As we noted above, the 
Commission will devote resources to compliance with and enforcement of 
Reliability Standard CIP-014-1 to ensure that all critical facilities 
are identified pursuant to Requirement R1. Should the Commission find 
through these efforts, or through the post-implementation reports and 
informational filing that NERC will submit, that Requirement R1 as 
currently written is not capturing all critical facilities, then the 
Commission will act upon that information.
---------------------------------------------------------------------------

    \56\ NOPR, 148 FERC ¶ 61,040 at P 44 (quoting March 7 Order, 146 
FERC ¶ 61,166 at P 6 n.6).
---------------------------------------------------------------------------

D. Informational Filing on Resiliency

March 7 Order
    60. In the March 7 Order, the Commission stated that the 
development of physical security Reliability Standards ``will help 
provide for the resiliency and reliable operation of the Bulk-Power 
System. To that end, the proposed Reliability Standards should allow 
owners or operators to consider resiliency of the grid in the risk 
assessment when identifying critical facilities, and the elements that 
make up those facilities, such as transformers that typically require 
significant time to repair or replace. As part of this process, owners 
or operators may consider elements of resiliency such as how the system 
is designed, operated, and 
maintained, and the sophistication of recovery plans and inventory 
management.'' \57\
---------------------------------------------------------------------------

    \57\ March 7 Order, 146 FERC ¶ 61,166 at P 7.
---------------------------------------------------------------------------

NERC Petition
    61. Reliability Standard CIP-014-1 mentions resiliency in 
Requirement R5, stating in Requirement R5.1 that the physical security 
plans that entities develop shall include, among other attributes: 
``Resiliency or security measures designed collectively to deter, 
detect, delay, assess, communicate, and respond to potential physical 
threats and vulnerabilities identified during the evaluation conducted 
in Requirement R4.'' The NERC petition describes Requirement R5.1, with 
regard to resiliency, as referring to ``steps an entity may take that, 
while not specifically targeted as hardening the physical security of 
the site, help to decrease the potential adverse impact of a physical 
attack . . . including modifications to system topology or the 
construction of a new Transmission station . . . that would lessen the 
criticality of the facility.'' \58\
---------------------------------------------------------------------------

    \58\ NERC Petition at 42.
---------------------------------------------------------------------------

NOPR
    62. The NOPR stated that the NERC petition describes resiliency 
measures that could be included in the required physical security 
plans. The NOPR also stated, however, that specific resiliency measures 
are not required by Reliability Standard CIP-014-1, which is consistent 
with the March 7 Order. Instead, the NOPR noted that Reliability 
Standard CIP-014-1 allows the security plans to be flexible in order to 
meet different threats and protect varying Bulk-Power System 
configurations.
    63. The NOPR stated that resiliency is as important as, or even 
more important than, physical security given that physical security 
cannot protect against all possible attacks. The NOPR also stated that, 
in the case of the loss of a substation, the Bulk-Power System may 
depend on resiliency to minimize the impact of the loss of facilities 
and restore blacked-out portions of the Bulk-Power System as quickly as 
possible. 
The NOPR further stated that some entities may implement resiliency 
measures rather than security measures, such as by adding facilities or 
operating procedures that reduce or eliminate the importance of 
existing critical facilities, which could significantly improve 
reliability and resiliency.
    64. The NOPR stated that the NERC petition indicated that the NERC 
Board of Trustees expects NERC management to monitor and assess the 
implementation of Reliability Standard CIP-014-1 on an ongoing basis, 
which would include: The number of assets identified as critical under 
the Reliability Standard; the defining characteristics of the assets 
identified as critical; the scope of security plans (i.e., the types of 
security and resiliency measures contemplated under the various 
security plans); the timelines included in the security plan for 
implementing the security and resiliency measures; and industry 
progress in implementing the Reliability Standard. The NOPR also stated 
that NERC explained that this information could be used to provide 
regular updates to Commission staff.\59\ The NOPR proposed to rely on 
NERC's ongoing assessment of Reliability Standard CIP-014-1's 
implementation and to require NERC to make such information available 
to Commission staff upon request.
---------------------------------------------------------------------------

    \59\ NOPR, 148 FERC ¶ 61,040 at P 56.
---------------------------------------------------------------------------

    65. In addition, the NOPR proposed to direct NERC to submit an 
informational filing that addresses the resiliency of the Bulk-Power 
System when confronted with the loss of critical facilities. The NOPR 
stated that the informational filing should explore what steps can be 
taken, in addition to those required by Reliability Standard CIP-014-1, 
to maintain the reliable operation of the Bulk-Power System when faced 
with the loss or degradation of critical facilities. The NOPR proposed 
to direct NERC to submit the informational filing within one year after 
the effective date of the final rule in this proceeding.\60\
---------------------------------------------------------------------------

    \60\ NERC issued a report on severe impact resilience in 2012. 
See NERC, Severe Impact Resilience: Considerations and 
Recommendations (May 2012), available at http://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf. The NOPR stated that the proposed informational 
filing could draw on the report but should also reflect subsequent 
work and development on this topic, particularly including supply 
chain, transporting and other logistical issues for equipment such 
as large transformers. NOPR, 148 FERC ¶ 61,040 at P 57.
---------------------------------------------------------------------------

Comments
    66. NERC requests that the Commission not direct it to submit an 
informational filing on resiliency. NERC contends that an informational 
filing on resiliency would divert resources from NERC's oversight of 
the implementation of Reliability Standard CIP-014-1 and NERC's efforts 
to assess the Reliability Standard's effectiveness. NERC states that it 
will monitor and assess implementation of Reliability Standard CIP-014-
1, as described in NERC's petition, and will prepare two initial 
reports for the NERC Board of Trustees, the first report being 
submitted three months following implementation of Requirements R1, R2 
and R3 and the second report being submitted three months after 
implementation of Requirements R4, R5 and R6. With respect to the 
second report, NERC states that ``[g]iven the NOPR's discussion of 
resiliency, this report will pay particular attention to the resiliency 
measures included in entities' security plans.'' \61\ NERC further 
states that it commits to provide both reports to Commission staff.
---------------------------------------------------------------------------

    \61\ NERC Comments at 28.
---------------------------------------------------------------------------

    67. Pepco does not support the proposed informational filing 
because of the burden Pepco contends it would impose on NERC and 
registered entities, including diverting resources from the 
implementation of Reliability Standard CIP-014-1. Pepco asserts that 
resiliency is already addressed in Reliability Standard CIP-014-1.
    68. SDG&E, MISO and Idaho Power support directing NERC to submit 
the proposed informational filing on resiliency as a way of determining 
next steps for enhancing the reliability of the Bulk-Power System.\62\
---------------------------------------------------------------------------

    \62\ See SDG&E Comments at 5; MISO Comments at 6-7; Idaho Power 
Comments at 4; see also Paschall Comments at 2.
---------------------------------------------------------------------------

    69. Other commenters, including Associations, while generally 
agreeing that the issue of resiliency needs to be considered, recommend 
that the Commission convene a technical conference rather than require 
NERC to submit an informational filing because, they maintain, a 
technical conference would be more effective.\63\
---------------------------------------------------------------------------

    \63\ See Associations Comments at 17; KCP&L Comments at 6-7; SCE 
Comments at 4; Trade Associations Comments at 13-14; GridWise 
Comments at 3.
---------------------------------------------------------------------------

Commission Determination
    70. The Commission determines not to adopt the NOPR proposal 
requiring NERC to submit an informational filing concerning resiliency 
of the Bulk-Power System. While commenters expressed differing views on 
whether an informational filing is needed, the comments recognized the 
importance of Bulk-Power System resiliency. In addition, NERC committed 
to providing the Commission with two reports following implementation 
of Reliability Standard CIP-014-1, which, NERC indicates, will address 
the issue of resiliency.
    71. Rather than require NERC to submit an informational filing at 
this time, the Commission will review the NERC reports and will 
consider ways for industry to best inform the Commission of its current 
and future resiliency efforts, which could take the form of reports and/or 
technical conferences to address specific areas of concern (e.g., spare 
parts, fuel security, and advanced technologies).

E. Third-Party Verification and Review

March 7 Order
    72. In the March 7 Order, the Commission stated that ``the risk 
assessment used by an owner or operator to identify critical facilities 
should be verified by an entity other than the owner or operator . . . 
[and] [s]imilarly, the determination of threats and vulnerabilities and 
the security plan should also be reviewed by NERC, the relevant 
Regional Entity, the Reliability Coordinator, or another entity with 
appropriate expertise.'' \64\
---------------------------------------------------------------------------

    \64\ March 7 Order, 146 FERC ¶ 61,166 at P 11.
---------------------------------------------------------------------------

NERC Petition
    73. Requirement R2 of Reliability Standard CIP-014-1 requires 
transmission owners to have their risk assessments verified by an 
unaffiliated third party. Requirement R6, likewise, requires each 
transmission owner and transmission operator to have their 
vulnerability and threat assessment(s) along with their security 
plan(s) for any critical facilities reviewed by an unaffiliated third 
party.
    74. Regarding how an applicable entity is supposed to address any 
recommendations by a third-party verifier, Reliability Standard CIP-
014-1, in Requirement R2.3, states that the transmission owner must 
either (a) ``modify its identification . . . consistent with the 
recommendation'' or (b) ``document the technical basis for not 
modifying the identification in accordance with the recommendation.'' 
Similarly, Requirement R6.3 sets forth the procedure for considering 
any recommendations from the reviewing entity as to the threat 
assessments and security plans: The applicable entity must either (a) 
``modify its evaluation or security plan(s) consistent with the 
recommendation'' or (b) ``document the reason(s) for not modifying the 
evaluation or security plan(s) consistent with the recommendation.''
    75. NERC states that ``[r]equiring documentation of the technical 
basis for not modifying the identification in accordance with the 
recommendation will help ensure that a Transmission Owner meaningfully 
considers the verifier's recommendations and follows those 
recommendations unless it can technically justify its reasons for not 
doing so. To comply with Part 2.3, the technical justification must be 
sound and based on acceptable approaches to conducting transmission 
analyses.'' \65\ The NERC petition contains a similar explanation for 
the third-party review (Requirement R6) of the threat assessments and 
security plans mandated in Requirements R4 and R5.\66\
---------------------------------------------------------------------------

    \65\ NERC Petition at 36.
    \66\ Id. at 50.
---------------------------------------------------------------------------

NOPR
    76. The NOPR proposed to approve the third-party verification and 
review method proposed by NERC in Requirements R2 and R6. The NOPR 
stated that failure to provide a written, technically justifiable 
reason for rejecting a third-party recommendation would render the 
applicable entity non-compliant. With that understanding, the NOPR 
proposed to approve NERC's proposed third-party verification and review 
in Requirements R2 and R6 of Reliability Standard CIP-014-1 as an 
equally efficient and effective alternative to the directive in the 
March 7 Order.

Comments
    77. NERC states that it supports the NOPR proposal. NERC states 
that third-party verification and review will provide another layer of 
expertise and independence to the identification of critical assets, 
the evaluation of threats and vulnerabilities, and the development of 
effective security plans. NERC reiterates that an applicable entity's 
failure to provide a reasonable, written explanation for declining to 
follow a third-party recommendation would constitute non-compliance.
    78. MISO, Reclamation, KCP&L, ITC, and G&T Cooperatives support the 
NOPR proposal but each suggest modifications or request clarification 
of Reliability Standard CIP-014-1.\67\
---------------------------------------------------------------------------

    \67\ See also Paschall Comments at 2; Foundation Comments at 7.
---------------------------------------------------------------------------

    79. MISO states that entities like itself, that are both 
reliability coordinators and planning coordinators, may be subject to 
substantial, simultaneous demands by many transmission owners for 
concurrent verification of risk assessments. MISO notes that 
Requirement R2.2 requires applicable entities to have their risk 
assessment verified within 90 days of completion of the risk 
assessment. MISO states that firm adherence to the 90-day deadline 
could undermine the protections in Reliability Standard CIP-014-1 by 
requiring verifying entities (e.g., MISO) to conduct hurried or 
shorter-than-optimal assessments. Accordingly, MISO seeks clarification 
that NERC has the discretion to extend the implementation deadline, 
especially with respect to the 90-day verification deadline in 
Requirement R2.2. Likewise, G&T Cooperatives, NIPSCO and KCP&L state 
that there should be flexibility regarding the 90-day deadline because 
of the limited pool of qualified third-party verifiers.
    80. Reclamation states that transmission owners should have 
discretion to make decisions regarding third-party recommendations 
based on cost and risk analyses. Reclamation also states that 
Requirement 2.1 should be modified to require that third-party 
verifications be conducted by a transmission owner's planning 
coordinator or transmission planner. If the transmission owner is also 
the planning coordinator and transmission planner, then Reclamation 
states that the verification should be conducted by the reliability 
coordinator.
    81. KCP&L states that NERC should develop a pre-approved list of 
qualified third-party contractors or require third parties to register 
with NERC. KCP&L also seeks clarification that an independent system 
operator (ISO) or regional transmission operator (RTO) concurrent with 
its role as reliability coordinator could provide third-party review 
services. KCP&L states that it does not oppose having an RTO that is 
also a reliability coordinator or planning coordinator serve as a 
third-party reviewer but would not support a mandate requiring a 
specific third-party reviewer. KCP&L also seeks clarification of the 
meaning of the phrase ``unaffiliated third-party.''
    82. ITC states that the Commission should ``confirm that the 
verification of a responsible entity's risk assessment, threat 
assessment, and security plan, as specified in Requirements R2 and R6, 
constitutes full compliance by that responsible entity with respect to 
the risk assessment and security plan.'' \68\
---------------------------------------------------------------------------

    \68\ ITC Comments at 10.
---------------------------------------------------------------------------

    83. NIPSCO, TVA and Idaho Power do not support the NOPR proposal. 
NIPSCO contends that third-party verification is ``inconsistent with 
the approach to entity self-assessment applied in other Reliability 
Standards'' and notes that the Version 5 CIP Reliability Standards do 
not include a provision for third-party review.\69\ NIPSCO also 
contends that the use of third parties could raise confidentiality 
concerns. Idaho Power maintains that the proposal should not be adopted 
because it does not require third parties to include a written or 
technical justification with their recommendations. Idaho Power also 
states that ``if a third-party verification and review process is 
incorporated in to the Standard, it should clearly describe the 
specific methodology and performance criteria to be applied.'' \70\ TVA 
states that FPA section 215 does not contemplate the use of third-party 
verifiers and reviewers acting in an enforcement role. TVA also 
contends that Reliability Standard CIP-014-1 does not contain any 
qualification criteria that third-party verifiers and reviewers must 
meet. TVA further states that using third-party verifiers and reviewers 
could compromise the confidentiality of critical information.
---------------------------------------------------------------------------

    \69\ NIPSCO Comments at 2.
    \70\ Idaho Power Comments at 3-4.
---------------------------------------------------------------------------

Commission Determination
    84. We adopt the NOPR proposal and approve the third-party 
verification and review provisions found in Requirements R2 and R6 of 
Reliability Standard CIP-014-1. These provisions, as stated by NERC, 
provide an important, independent layer of expertise in the 
identification, assessment and protection of critical facilities.
    85. We disagree with the arguments raised in the comments submitted 
by NIPSCO, TVA and Idaho Power. The use of third-party verification and 
review in Reliability Standard CIP-014-1 is not inconsistent with other 
Commission-approved Reliability Standards merely because third-party 
review is not used in other Reliability Standards. NIPSCO is correct 
that the Version 5 CIP Reliability Standards do not include third-party 
review provisions. However, as NIPSCO acknowledges, the Version 5 CIP 
Reliability Standards contain bright-line criteria that guide the 
determinations made by applicable entities in identifying BES Cyber 
Assets.\71\ By contrast, Reliability Standard CIP-014-1 contains no 
such criteria and instead requires applicable entities to develop their 
own analysis. In addition, the threat evaluation in Requirement R4 and 
security plan in Requirement R6 involve areas of expertise that 
applicable entities in the electric industry may not possess and thus 
would strongly benefit from the experience of qualified third parties.
---------------------------------------------------------------------------

    \71\ We also note that in Order No. 706, the Commission directed 
NERC to develop an external review procedure for the identification 
of critical assets by responsible entities. See Mandatory 
Reliability Standards for Critical Infrastructure Protection, Order 
No. 706, 122 FERC ¶ 61,040, at PP 322-329, order on reh'g, Order No. 
706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 
706-B, 126 FERC ¶ 61,229 (2009), order on clarification, Order No. 
706-C, 127 FERC ¶ 61,273 (2009).
---------------------------------------------------------------------------

    86. Similarly, we disagree with TVA that the use of third-party 
verifiers and reviewers is inconsistent with FPA section 215. As 
discussed above, we reject TVA's view that third-party verifiers and 
reviewers will be acting in an enforcement capacity. These third 
parties will have no authority to determine whether an applicable 
entity has violated a requirement of Reliability Standard CIP-014-1, 
require compliance, or issue penalties. Moreover, as stated in the 
NOPR, an applicable entity in some cases could be found to be in 
violation of a requirement even if the applicable entity's actions were 
verified by a third party.\72\ We also determine that the requirements 
in Reliability Standard CIP-014-1 (i.e., Requirements R2.1 and R6.1) 
establishing the qualifications for third-party verifiers and reviewers 
are sufficient. As discussed below, as Reliability Standard CIP-014-1 
is implemented, we are satisfied that NERC and Regional Entities will 
provide additional assistance to applicable entities to identify 
qualified third-party verifiers and reviewers if the need arises. We 
are also satisfied that Requirements R2.4 and R6.4 provide adequate 
protection against the disclosure of sensitive or confidential 
information.
---------------------------------------------------------------------------

    \72\ NOPR, 148 FERC ¶ 61,040 at P 23.
---------------------------------------------------------------------------

    87. In response to Idaho Power's concern, we expect that third-
party verifiers and reviewers will articulate a reasonable basis for 
their recommendations. The absence of such a basis for a recommendation 
could justify an applicable entity's decision to decline to adopt the 
recommendation. We also see no reason to include in Reliability 
Standard CIP-014-1 ``specific methodology and performance criteria'' 
for third-party verification and review beyond what is already 
contained in the requirements and compliance measures recited in the 
Reliability Standard.
    88. With respect to the other comments, there is no evidence in the 
record to support the conclusion that an insufficient number of 
qualified third-party verifiers and reviewers exists such that 
applicable entities will be unable to meet the 90-day deadline in 
Requirements R2 and R6. To the extent an applicable entity requires 
additional time to comply, that situation should be addressed on a 
case-by-case basis.\73\ Reclamation has not explained why Requirement 
R2.1 should be modified to require that a transmission owner use its 
planning coordinator or transmission planner as a verifier, and thus we 
reject that proposal. In addition, addressing Reclamation's second 
point, while risk and cost could be aspects of an applicable entity's 
technical justification for declining to follow a third-party 
recommendation, ultimately there must be a sufficient objective basis 
in the justification document from which to determine that the 
applicable entity acted reasonably in declining to follow the 
recommendation.
---------------------------------------------------------------------------

    \73\ For similar reasons, we reject Entergy's suggestion that 
Reliability Standard CIP-014-1 include language providing for 
flexibility concerning delays in compliance with deadlines contained 
in the Reliability Standard due to acts of nature. See Entergy 
Comments at 1.
---------------------------------------------------------------------------

    89. With respect to KCP&L's comments, there may be value in NERC 
developing a list of qualified third-party verifiers and reviewers or 
otherwise requiring some form of registration process for third-party 
verifiers and reviewers. The Commission, however, will not direct NERC 
to do so at this time. We expect that NERC could, as Reliability 
Standard CIP-014-1 is implemented, pursue or, if necessary, propose 
such an effort if warranted. Indeed, Reliability Standard CIP-014-1 
appears to contemplate such a role for NERC by indicating in 
Requirement R6.1 that an entity is qualified to serve as a reviewer if 
``approved by the ERO.'' In addition, we see no reason why an ISO or 
RTO could not serve as a third-party verifier or reviewer provided it 
satisfies the qualifications stated in Requirements R2.1 and R6.1. We 
also conclude that the term ``unaffiliated third party'' is 
sufficiently clear. As NERC stated in its petition, ``the term 
`unaffiliated' means that the selected verifying entity cannot be a 
corporate affiliate (i.e., the verifying entity cannot be an entity 
that corporately controls, is controlled by or is under common control 
with, the Transmission Owner). The verifying entity also cannot be a 
division of the Transmission Owner that operates as a functional 
unit.'' \74\ KCP&L does not indicate what, in this explanation, is 
ambiguous or requires clarification.
---------------------------------------------------------------------------

    \74\ NERC Petition at 34-35.
---------------------------------------------------------------------------

    90. With respect to ITC's comment, third-party verification under 
Requirement R2 adds an important layer of expertise and independence in 
the identification of critical facilities. However, verification under 
Requirement R2 is not intended to and, indeed, cannot cure an 
applicable entity's failure to comply with Requirement R1 if it is 
determined by the compliance enforcement authority that the applicable 
entity failed to do so, a situation that ITC concedes could 
happen.\75\ We anticipate that a properly verified critical facility 
list will normally result in compliance with Requirement R1, but the 
Commission cannot foreclose the possibility that that may not be the 
case.\76\
---------------------------------------------------------------------------

    \75\ ITC Comments at 9 (``ITC further doesn't disagree that, in 
extremely dire circumstances, a risk assessment which has been 
verified by a third-party may nonetheless be so deficient (and the 
third-party review be similarly inadequate) that it could be 
considered non-compliant.''); see also NERC Petition at 37 (``If, in 
the course of assessing an entity's compliance with the proposed 
Reliability Standard, NERC, a Regional Entity, or FERC finds that 
the entity's transmission analysis was patently deficient and that 
the Requirement R2 verification process did not cure those 
deficiencies, they could use their enforcement authority to compel 
Transmission Owners to re-perform the risk assessment using 
assumptions designed to identify the appropriate critical 
facilities.'').
    \76\ See Order No. 706, 122 FERC ¶ 61,040 at P 320 (denying 
``safe harbor'' for good faith compliance with CIP Reliability 
Standards).
---------------------------------------------------------------------------

F. Generators

March 7 Order
    91. The March 7 Order did not direct NERC to make the physical 
security Reliability Standards applicable to specific functional entity 
types. The March 7 Order stated that ``some of the requirements imposed 
by these newly proposed Reliability Standards may best be performed by 
the owner and other activity may best be performed by the operator,'' 
and that NERC should clearly indicate which entity is responsible for 
each requirement.\77\ With regard to the applicable types of 
facilities, the Commission stated that it ``is not requiring NERC to 
adopt a specific type of risk assessment, nor is the Commission 
requiring that a mandatory number of facilities be identified as 
critical facilities under the Reliability Standards.'' \78\
---------------------------------------------------------------------------

    \77\ March 7 Order, 146 FERC ¶ 61,166 at P 6, n.4.
    \78\ Id. P 6.
---------------------------------------------------------------------------

NERC Petition
    92. In explaining why the Reliability Standard does not include 
generator owners and generator operators as applicable entities, the 
standard drafting team found that:

it was not necessary to include Generator Operators and Generator 
Owners in the Reliability Standard. First, Transmission stations or 
Transmission substations interconnecting generation facilities are 
considered when determining applicability. Transmission Owners will 
consider those Transmission stations and Transmission substations 
that include a Transmission station on the high side of the 
Generator Step-up transformer (GSU) using Applicability Section 
4.1.1.1 and 4.1.1.2 . . . Second, the transmission analysis or 
analyses conducted under Requirement R1 should take into account the 
impact of the loss of generation connected to applicable 
Transmission stations or Transmission substations. Additionally, the 
[March 7] order does not explicitly mention generation assets and is 
reasonably understood to focus on the most critical Transmission 
Facilities.\79\
---------------------------------------------------------------------------

    \79\ NERC Petition, Exhibit A (Proposed Reliability Standard) at 
23. The standard drafting team provided the following example: ``a 
Transmission station or Transmission substation identified as a 
Transmission Owner facility that interconnects generation will be 
subject to the Requirement R1 risk assessment if it operates at 500 
kV or greater or if it is connected at 200 kV-499 kV to three or 
more other Transmission stations or Transmission substations and has 
an `aggregate weighted value' exceeding 3000 according to the table 
in Applicability Section 4.1.1.2.'' Id. at 23.

    93. NERC explains that generator owners and generator operators 
were not included in the applicability section because, ``while the 
loss of a generator facility due to a physical attack may have local 
reliability effects, the loss of the facility is unlikely to have the 
widespread, uncontrollable impact'' contemplated for loss of a critical 
facility in the March 7 Order.\80\ NERC maintains that a ``generation 
facility does not have the same critical functionality as certain 
Transmission stations and Transmission substations due to the limited 
size of generating plants, the availability of other generation 
capacity connected to the grid, and planned resilience of the 
transmission system to react to the loss of a generation facility.'' 
\81\
---------------------------------------------------------------------------

    \80\ NERC Petition at 22.
    \81\ Id.
---------------------------------------------------------------------------

NOPR
    94. The NOPR proposed to approve the applicability section of the 
Reliability Standard CIP-014-1 without the inclusion of generator 
owners and generator operators. The NOPR stated that omitting generator 
owners and generator operators from the applicability section is 
consistent with the March 7 Order. The NOPR affirmed the statement in 
the March 7 Order that the ``number of facilities identified as 
critical will be relatively small compared to the number of facilities 
that comprise the Bulk-Power System.'' \82\ The NOPR proposed to accept 
NERC's justification for excluding generator owners and operators 
because it is in keeping with the March 7 Order's focus on protecting 
the most critical facilities. The NOPR stated that, according to NERC, 
a generation facility ``does not have the same critical functionality 
as certain Transmission stations and Transmission substations due to 
the limited size of generating plants, the availability of other 
generation capacity connected to the grid, and planned resilience of 
the transmission system to react to the loss of a generation 
facility.'' \83\ The NOPR also noted that Requirement R1 mandates a 
transmission analysis that accounts for transmission owner- or 
transmission operator-owned substations that connect generating 
stations to the Bulk-Power System with step-up transformers.
---------------------------------------------------------------------------

    \82\ NOPR, 148 FERC ¶ 61,040 at P 44 (quoting March 7 Order, 146 
FERC ¶ 61,166 at P 12).
    \83\ NOPR, 148 FERC ¶ 61,040 at P 45 (quoting NERC Petition at 
22).
---------------------------------------------------------------------------

    95. While proposing to accept the applicability section of the 
proposed Reliability Standard, the NOPR stated that NERC's proposed 
omission of generator owners and generator operators could potentially 
exempt substations owned or operated by generators. The NOPR sought 
comment on the potential reliability impact of excluding generator 
owned or operated substations.

Comments
    96. NERC states that it supports the NOPR proposal to approve the 
applicability criteria in Reliability Standard CIP-014-1 without the 
inclusion of generator owners and generator operators. NERC, 
reiterating the justification in the NERC petition, states that the 
loss of a generation facility is unlikely to result in critical impacts 
on the Bulk-Power System.
    97. Associations, Trade Associations, Reclamation, G&T 
Cooperatives, KCP&L, Idaho Power, and APS also support the NOPR 
proposal.\84\ Associations' comments are representative of the comments 
supportive of the NOPR proposal in that Associations state that 
generation facilities will be considered in Reliability Standard CIP-
014-1, even without generator owners and generator operators included 
in the applicability criteria, because all generators interconnected to 
applicable transmission stations or substations will be included in 
the transmission analysis under applicability sections 4.1.1.1 and 
4.1.1.2.
---------------------------------------------------------------------------

    \84\ Associations Comments at 16-17; Trade Associations Comments 
at 12-13; Reclamation Comments at 1; G&T Cooperatives Comments at 
13-14; KCP&L Comments at 5; Idaho Power Comments at 3; APS Comments 
at 4-5.
---------------------------------------------------------------------------

    98. Paschall states, without elaboration, that generation 
facilities should be included within the scope of Reliability Standard 
CIP-014-1. Foundation comments that it supports Reliability Standard 
CIP-014-1, as modified in the NOPR, and also advocates for the 
inclusion of certain generation facilities in a second stage physical 
security Reliability Standard (discussed in Section H below).

Commission Determination
    99. We adopt the NOPR proposal and approve the applicability 
criteria in Reliability Standard CIP-014-1 without the inclusion of 
generator owners and generator operators. As the Commission stated in 
the NOPR, we agree with NERC that a generation facility ``does not have 
the same critical functionality as certain Transmission stations and 
Transmission substations due to the limited size of generating plants, 
the availability of other generation capacity connected to the grid, 
and planned resilience of the transmission system to react to the loss 
of a generation facility.''
    100. Paschall provides a conclusory statement that generation 
facilities should be included in Reliability Standard CIP-014-1, but 
does not provide a rationale for this position. Thus, we find 
Paschall's comments unpersuasive.

G. Confidentiality

March 7 Order
    101. The March 7 Order stated that:

    All three steps of compliance with the Reliability Standard 
described above could contain sensitive or confidential information 
that, if released to the public, could jeopardize the reliable 
operation of the Bulk-Power System. Guarding sensitive or 
confidential information is essential to protecting the public by 
discouraging attacks on critical infrastructure. Therefore, NERC 
should include in the Reliability Standards a procedure that will 
ensure confidential treatment of sensitive or confidential 
information but still allow for the Commission, NERC and the 
Regional Entities to review and inspect any information that is 
needed to ensure compliance with the Reliability Standards.\85\
---------------------------------------------------------------------------

    \85\ March 7 Order, 146 FERC ¶ 61,166 at P 10.
---------------------------------------------------------------------------

NERC Petition
    102. Reliability Standard CIP-014-1 includes two requirements 
addressing the concerns over confidentiality. Requirements R2.2 and 
R6.4, which are substantially the same, state that ``[e]ach 
Transmission Owner shall implement procedures, such as the use of 
non-disclosure agreements, for protecting sensitive or confidential 
information made available to the unaffiliated third party [verifier or 
reviewer] and to protect or exempt sensitive or confidential 
information developed pursuant to this Reliability Standard from public 
disclosure.''

Comments
    103. Associations, GridWise, Duke, Seattle, ITC, and Trade 
Associations state that the Commission should explicitly address the 
issue of confidentiality in the final rule. Associations state that the 
Commission should state that any data produced or collected by an RTO 
in accordance with a requirement of Reliability Standard CIP-014-1 are 
protected and should not be made available to a market monitor pursuant 
to a RTO tariff or market monitor agreement. Associations state that, 
at a minimum, a market monitor should have to make a filing with the 
Commission explaining the need for such information and indicating how 
the market monitor would protect such information from disclosure. 
GridWise and ITC state that they share Associations' concerns regarding 
confidentiality.
    104. Trade Associations and Seattle comment that the final rule 
should contain an explicit statement that Reliability Standard CIP-014-
1 is intended to preempt any state or local public disclosure laws. 
SWTDUG's reply comments question the Commission's legal authority to 
preempt state or local public disclosure laws, as suggested by Trade 
Associations and Seattle, without further Congressional action.
    105. Duke comments that the Commission should take all necessary 
steps to protect the confidential information related to the activities 
of applicable entities, the Commission, NERC and Regional Entities in 
performance of their obligations under Reliability Standard CIP-014-1. 
Duke states that, pursuant to the Commission's regulations, the 
``disposition of each violation or alleged violation that relates to a 
Cybersecurity Incident or that would jeopardize the security of the 
Bulk-Power System if publicly disclosed shall be nonpublic unless the 
Commission directs otherwise.'' \86\ Duke recommends interpreting this 
provision to include violations of Reliability Standard CIP-014-1 or to 
revise the regulation to do so. Duke also maintains that: (1) The risk 
assessment required under Requirement R1; (2) the third-party 
verification performed under Requirement R2; (3) the notification 
provided to transmission operators under Requirement R3; (4) the 
evaluation of threats and vulnerabilities performed under Requirement 
R4; (5) the development of physical security plans performed under 
Requirement R5; and (6) the third-party review performed under 
Requirement R6 all qualify as CEII. In addition, Duke states that this 
information is also exempt from the Freedom of Information Act under 
the (b)(4) exemption for ``trade secrets and commercial or financial 
information obtained from a person and privileged or confidential.''
---------------------------------------------------------------------------

    \86\ 18 CFR 39.7(b)(4).
---------------------------------------------------------------------------

Commission Determination
    106. In the March 7 Order, the Commission recognized that 
compliance with the contemplated physical security Reliability 
Standards would likely require the development or sharing of 
confidential or sensitive material that, if disclosed to the public, 
could jeopardize the reliable operation of the Bulk-Power System. As a 
result, the Commission directed NERC to include adequate procedures in 
the Reliability Standards to prevent the dissemination of confidential 
or sensitive information.
    107. We find that NERC has included sufficient safeguards in 
Reliability Standard CIP-014-1 to ensure that confidential or sensitive 
information produced in compliance with the Reliability Standard will 
not be publicly disclosed. Reliability Standard CIP-014-1 includes 
requirements regarding the sharing of information between applicable 
entities and third-party verifiers and reviewers in Requirements R2.4 
and R6.4. Moreover, the ``Compliance'' section of Reliability Standard 
CIP-014-1 provides: ``Confidentiality: To protect the confidentiality 
and sensitive nature of the evidence for demonstrating compliance with 
this standard, all evidence will be retained at the Transmission 
Owner's and Transmission Operator's facilities.''
    108. The Commission will take all necessary and appropriate steps, 
as provided for in our governing statutes and regulations, to preserve 
an applicable entity's confidential or sensitive information when the 
public disclosure of such information could jeopardize the reliable 
operation of the Bulk-Power System. However, we decline to address in 
this final rule issues of preemption or the specific mechanism for 
treating confidential or sensitive information. Moreover, we find that 
it would be inappropriate to address Associations' request concerning 
the disclosure of information related to compliance with Reliability 
Standard CIP-014-1 to market monitors pursuant to a market monitor 
agreement or RTO tariff. No such agreements or tariffs are before us in 
this rulemaking proceeding.

H. Other Issues

    109. Entergy seeks clarification as to whether the requirement in 
Reliability Standard CIP-014-1, Requirement R5 that an applicable 
entity ``shall develop and implement a documented physical security 
plan(s) that covers their respective Transmission station(s), 
Transmission substation(s), and 
primary control center(s) . . . [and] shall be developed within 120 
calendar days following the completion of Requirement R2 and executed 
according to the timeline specified in the physical security plan(s)'' 
means that the actions called for in the security plan must be 
completed within 120 days. We see no ambiguity in Requirement R5 as the 
requirement only states that the security plan, not the actions called 
for in the plan, must be developed within 120 calendar days.
    110. Reclamation proposes that the term ``risk assessment'' in 
Requirement R1 of Reliability Standard CIP-014-1 be changed to ``impact 
assessment'' because the requirement contemplates an assessment on the 
impact of the loss of facilities on the stability of the bulk electric 
system rather than a ``risk assessment.'' Reclamation further states 
that, based on the generally accepted meaning of the term ``risk 
assessment,'' that term better correlates to Requirement R4. We see no 
practical reason to require NERC to modify the nomenclature used in 
Requirement R1. Similarly, we see no reason to require NERC to change 
``risk assessment'' to ``threat risk assessment,'' as suggested by 
Paschall, or to require NERC to define ``risk assessment'' because the 
term is largely defined in Requirement R1.
    111. Foundation recommends that the Commission direct NERC to begin 
development of a second phase physical security Reliability Standard. 
Foundation maintains that such a Reliability Standard would address 
deficiencies in Reliability Standard CIP-014-1, including the exclusion 
of generation facilities and certain control centers. For example, 
Foundation maintains that the loss of a single generation facility 
could cause cascading outages on the Bulk-Power System. However, for 
the reasons discussed in Sections C and F above, we are not persuaded 
that there is a sufficient factual basis at this time to direct NERC to 
develop a second phase physical security Reliability Standard. While we 
decline to direct NERC to develop a second phase physical security 
Reliability Standard at this time, the informational filing on ``High 
Impact'' control centers required in this final rule, the post-
implementation reports that NERC has committed to provide to the 
Commission, the Commission's compliance and enforcement efforts, and 
other outreach with NERC, industry and the public, will inform the 
Commission's views going forward as to what additional steps, if any, 
might be required to help ensure the reliable operation of the Bulk-
Power System in the face of physical security threats.

I. Violation Risk Factors and Violation Severity Levels

    112. Each requirement of Reliability Standard CIP-014-1 includes 
one violation risk factor and has an associated set of at least one 
violation severity level. The ranges of penalties for violations will 
be based on the sanctions table and supporting penalty determination 
process described in the Commission-approved NERC Sanction Guidelines, 
according to the NERC petition. The NOPR proposed to approve the 
violation risk factors and violation severity levels for the 
requirements in Reliability Standard CIP-014-1 consistent with the 
Commission's established guidelines.\87\ The Commission did not receive 
any comments regarding this aspect of the NOPR. Accordingly, the 
Commission approves the violation risk factors and violation severity 
levels for the requirements in Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \87\ North American Electric Reliability Corp., 135 FERC ¶ 
61,166 (2011).
---------------------------------------------------------------------------

J. Implementation Plan and Effective Date

NERC Petition
    113. The NERC petition proposes that Reliability Standard CIP-014-1 
become effective the ``first day of the first calendar quarter that is 
six months beyond the date that this standard is approved by applicable 
regulatory authorities'' (i.e., the effective date of a final rule in 
this proceeding approving the proposed Reliability Standard).\88\ NERC 
states that the initial risk assessment required under Requirement R1 
must be completed by or before the effective date of the proposed 
Reliability Standard.\89\ As described in the requirements of the 
Reliability Standard, NERC also identifies when Requirements R2, R3, 
R4, R5, and R6 must be complied with following the effective date of 
Reliability Standard CIP-014-1.
---------------------------------------------------------------------------

    \88\ NERC Petition, Exhibit B (Implementation Plan) at 1. 
Exhibit B also delineates the completion timelines for Requirements 
R2 through R6. Parts 2.1, 2.2, and 2.4 of Requirement R2 shall be 
completed within 90 calendar days of the effective date of the 
Reliability Standard. Part 2.3 of Requirement R2 shall be completed 
within 60 calendar days of the completion of performance under 
Requirement R2 part 2.2. Requirement R3 shall be completed within 7 
calendar days of completion of performance under Requirement R2. 
Requirements R4 and R5 shall be completed within 120 calendar days 
of completion of performance under Requirement R2. Parts 6.1, 6.2, 
and 6.4 of Requirement R6 shall be completed within 90 calendar days 
of completion of performance under Requirement R5. Part 6.3 of 
Requirement R6 shall be completed within 60 calendar days of 
Requirement R6 part 6.2.
    \89\ Id.
---------------------------------------------------------------------------

NOPR
    114. The NOPR proposed to approve NERC's implementation plan and 
effective date for Reliability Standard CIP-014-1.
Comments
    115. KCP&L states that the Commission should make it clear if the 
effective date of Reliability Standard CIP-014-1 will be earlier than 
April 2016, which KCP&L states is the effective date of Reliability 
Standard CIP-002-5. KCP&L states that the ``basis for determination of 
criticality in CIP-014-1 references the same applicability as found in 
the CIP-002-5 . . . [and the] potential disconnect in implementation 
dates may impact registered entities adversely in preparations for 
Critical Infrastructure Protection standards or in application of 
physical security improvements given the work required to identify 
critical assets.'' \90\
---------------------------------------------------------------------------

    \90\ KCP&L Comments at 7.
---------------------------------------------------------------------------

Commission Determination
    116. We approve the implementation plan and effective date proposed 
by NERC for Reliability Standard CIP-014-1. In response to KCP&L's 
comment, we understand that, pursuant to the implementation plan and 
effective date proposed by NERC and approved herein, Reliability 
Standard CIP-014-1 will become effective before April 2016.

III. Information Collection Statement

    117. The Paperwork Reduction Act (PRA) \91\ requires each federal 
agency to seek and obtain Office of Management and Budget (OMB) 
approval before undertaking a collection of information directed to ten 
or more persons or contained in a rule of general applicability. OMB 
regulations require approval of certain information collection 
requirements imposed by agency rules.\92\ Upon approval of a 
collection(s) of information, OMB will assign an OMB control number and 
an expiration date. Respondents subject to the filing requirements of 
an agency rule will not be penalized for failing to respond to these 
collections of information unless the collections of information 
display a valid OMB control number.
---------------------------------------------------------------------------

    \91\ 44 U.S.C. 3501-3520.
    \92\ See 5 CFR 1320.10.

---------------------------------------------------------------------------

Comments

    118. Associations state that developing a security plan will cost 
more than $19,000 per company and ``should include a more realistic 
estimate of costs to comply with the proposed standard because of the 
influence that the Commission's assessment may have on the judgment of 
state utility commission or other regulatory authorities determining 
the prudence of costs incurred to comply with the proposed standard.'' 
\93\ Associations also state ``that it understands that one medium-
sized investor-owned utility anticipates that third-party contract 
support will cost approximately $270,000 for conducting transmission 
studies under R1, third-party verification under R2, analyses of 
threats under R4, and support for security plan development under R5.'' 
\94\ Associations further state that the Commission's estimate did not 
include the cost of implementing the actual security measures included 
in an applicable entity's security plan. KCP&L states that it supports 
Associations' comments.
---------------------------------------------------------------------------

    \93\ Associations Comments at 19.
    \94\ Id. at 19 n.19.
---------------------------------------------------------------------------

Commission Determination

    119. We adopt the Information Collection Statement estimates 
contained in the NOPR. As we have previously stated, the estimates 
provided in an Information Collection Statement are meant to quantify 
the paperwork burden imposed by a final rule.\95\ The Information 
Collection Statement is not intended to estimate the cost of compliance 
with the requirements of a Reliability Standard approved in a final 
rule.\96\ Associations has not explained why it believes the 
Commission's paperwork burden estimate is not ``realistic'' or what 
would be a ``realistic'' figure other than to relate, in a footnote, 
that it understands that an unidentified medium-sized utility 
anticipates that compliance with requirements of Reliability Standard 
CIP-014-1, rather than the paperwork burden imposed by a final rule 
approving the Reliability Standard, will cost approximately $270,000. 
Associations' comments do not provide any creditable evidence or 
analysis to cause us to reevaluate the paperwork burden estimate 
contained in the NOPR. Accordingly, as set forth below, we adopt the 
NOPR's Information Collection Statement burden and cost estimates.
---------------------------------------------------------------------------

    \95\ As defined in the PRA, ``the term ``burden'' means time, 
effort, or financial resources expended by persons to generate, 
maintain, or provide information to or for a Federal agency, 
including the resources expended for--(A) reviewing instructions; 
(B) acquiring, installing, and utilizing technology and systems; (C) 
adjusting the existing ways to comply with any previously applicable 
instructions and requirements; (D) searching data sources; (E) 
completing and reviewing the collection of information; and (F) 
transmitting, or otherwise disclosing the information.''
    \96\ Version 5 Critical Infrastructure Protection Reliability 
Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ¶ 
61,160, at P 235 (2013), order granting clarification in part and 
denying rehearing, Order No. 791-A, 146 FERC ¶ 61,188 (2014).
---------------------------------------------------------------------------

    120. The Commission based its estimates on the number of 
respondents on the NERC compliance registry as of May 28, 2014. 
According to the registry, there are 357 transmission owners (TOs) and 
197 transmission operators (TOPs). The NERC compliance registry also 
shows that there are only 19 transmission operators that are not also 
registered as a transmission owner.
    121. The burden associated with the final rule is included in FERC-
725U (Mandatory Reliability Standards: Reliability Standard CIP-014, 
OMB Control Number 1902-0274).\97\ The following table shows the 
Commission's burden and cost estimates, broken down by requirement and 
year:
---------------------------------------------------------------------------

    \97\ The requirement for NERC to make the informational filing 
is part of the responsibilities related to being the nation-wide 
Electric Reliability Organization. The burden related to that filing 
is part of FERC-725 (OMB Control Number 1902-0225).
    \98\ The estimates for cost per response are derived using the 
following formula: Average Burden Hours per Response * XX per Hour = 
Average Cost per Response.
    The hourly cost figures are based on data for wages plus 
benefits from the Bureau of Labor Statistics (as of September 4, 
2014) at http://www.bls.gov/oes/current/naics3_221000.htm and 
http://www.bls.gov/news.release/ecec.nr0.htm. The figures are rounded 
for the purposes of calculations in this table and are:
     For electrical engineers: $60.87/hr., rounded to $61/hr.
     For attorneys: $128/hr.
     For administrative staff: $31.86/hr., rounded to $32/hr.

                                                     FERC-725U
--------------------------------------------------------------------------------------------------------------------
Requirements in        Number and type     Number of        Total number   Average burden hours   Total burden hours
Reliability Standard   of respondents      responses per    of responses   / cost per response    / total cost
CIP-014-1 over years   (1)                 respondent (2)   (1)*(2)=(3)    \98\ (4)               (3)*(4)
1-3
--------------------------------------------------------------------------------------------------------------------
Year 1:
  R1                   357 TOs             1                357            20 / $1,220            7,140 / $435,540
  R2                   357 TOs             1                357            34 / $2,342            12,138 / $836,094
  R3                   2 TOPs              1                2              1 / $128               2 / $256
  R4                   30 TOs, 2 TOPs      1                32             80 / $4,880            2,560 / $156,160
  R5                   30 TOs, 2 TOPs      1                32             320 / $19,520          10,240 / $624,640
  R6                   30 TOs, 2 TOPs      1                32             304 / $18,812          9,728 / $601,984
  Record Retention     357 TOs, 2 TOPs     1                359            2 / $64                718 / $22,976
Year 2:
  Record Retention     357 TOs, 2 TOPs     1                359            2 / $64                718 / $22,976
Year 3:
  R1                   30 TOs              1                30             20 / $1,220            600 / $36,600
  R2                   30 TOs              1                30             34 / $2,342            1,029 / $70,260
  R3                   2 TOPs              1                2              1 / $128               2 / $256
  R4                   30 TOs, 2 TOPs      1                32             80 / $4,880            2,560 / $156,160
  R5                   30 TOs, 2 TOPs      1                32             80 / $4,880            2,560 / $156,160
  R6                   30 TOs, 2 TOPs      1                32             134 / $8,442           4,288 / $270,144
  Record Retention     357 TOs, 2 TOPs     1                359            2 / $64                718 / $22,976
--------------------------------------------------------------------------------------------------------------------
  Year 1 Total                                                                                    42,526 / $2,677,650
  Year 2 Total                                                                                    718 / $22,976
  Year 3 Total                                                                                    11,748 / $712,556
--------------------------------------------------------------------------------------------------------------------
TOTAL (for Years 1-3)                                                                             54,992 / $3,413,182
--------------------------------------------------------------------------------------------------------------------

    122. In arriving at the figures in the above table, the Commission 
made the following assumptions:
    a. Requirement R1: We assume that responsible entities will 
complete the required risk assessment at approximately the same time as 
they complete the assessments required under the existing TPL 
Reliability Standards. Accordingly, the burden for Reliability Standard 
CIP-014-1 only represents the documentation required in addition to 
what entities currently prepare. Conservatively, we assume that in the 
first year all transmission owners and transmission operators will 
complete the required risk assessment.\99\ In the third year, we assume 
that only 30 transmission operators will be required to do another risk 
assessment and that the entities with critical facilities after the 
first risk assessment will still have critical facilities after the 
second risk assessment.
---------------------------------------------------------------------------

    \99\ While it is likely that only large transmission owners and 
transmission operators will have critical facilities under 
Requirement R1, the Commission's estimate includes all transmission 
owners and operators because reliable data on what percentage of 
large owners and operators control critical facilities is 
unavailable.
---------------------------------------------------------------------------

    b. Requirement R5: We assume that developing physical security 
plans in the first year will be more time consuming than in later years 
because in later years the plans will likely only need to be updated.
    123. Title: FERC-725U, Mandatory Reliability Standards: Reliability 
Standard CIP-014-1.
    Action: Proposed Collection of Information.
    OMB Control No: 1902-0274.
    Respondents: Business or other for profit, and not for profit 
institutions.
    Frequency of Responses: Ongoing.
    Necessity of the Information: Reliability Standard CIP-014-1 
implements the Congressional mandate of the Energy Policy Act of 2005 
to develop mandatory and enforceable Reliability Standards to better 
ensure the reliability of the nation's Bulk-Power System. Specifically, 
Reliability Standard CIP-014-1 ensures that applicable entities with 
critical Bulk-Power System facilities develop and implement physical 
security plans to address physical security threats and vulnerabilities 
that could result in widespread instability, uncontrolled separation, 
or cascading within an Interconnection.
    Internal review: The Commission has reviewed Reliability Standard 
CIP-014-1 and has determined that the Reliability Standard is necessary 
to ensure the reliability and integrity of the nation's Bulk-Power 
System.
    124. Interested persons may obtain information on the reporting 
requirements by contacting: Federal Energy Regulatory Commission, 888 
First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office 
of the Executive Director, email: [email protected], Phone: (202) 
502-8663, fax: (202) 273-0873]. Comments on the requirements of this 
rule may also be sent to the Office of Information and Regulatory 
Affairs, Office of Management and Budget, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission]. 
For security reasons, comments should be sent by email to OMB at 
[email protected]. Comments submitted to OMB should refer to 
FERC-725U and OMB Control No. 1902-0274.

IV. Environmental Analysis

    125. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\100\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\101\ The actions here fall 
within this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------

    \100\ Order No. 486, Regulations Implementing the National 
Environmental Policy Act of 1969, 52 FR 47897 (Dec. 17, 1987), FERC 
Stats. & Regs. Regulations Preambles 1986-1990 ¶ 30,783 (1987).
    \101\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act

    126. The Regulatory Flexibility Act of 1980 (RFA) \102\ generally 
requires a description and analysis of proposed rules that will have 
significant economic impact on a substantial 
number of small entities.
---------------------------------------------------------------------------

    \102\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    127. The Small Business Administration (SBA) revised its size 
standard (effective January 22, 2014) for electric utilities from a 
standard based on megawatt hours to a standard based on the number of 
employees, including affiliates.\103\ Under SBA's new size standards, 
transmission owners and transmission operators likely come under the 
following category and associated size threshold: Electric bulk power 
transmission and control, at 500 employees.\104\
---------------------------------------------------------------------------

    \103\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77,343 (Dec. 23, 2013).
    \104\ 13 CFR 121.201, Sector 22, Utilities.
---------------------------------------------------------------------------

    128. The NOPR stated that, based on U.S. economic census data, the 
approximate percentage of small firms in this category is 57 
percent.\105\ The NOPR also stated that the Commission did not have 
information concerning how the economic census data compares with 
entities registered with NERC and is unable to estimate the number of 
small transmission owners and transmission operators using the new SBA 
definition. However, the NOPR stated that Reliability Standard CIP-014-
1 only applies to transmission owners and transmission operators that 
own and/or operate certain critical Bulk-Power System facilities. In 
the NOPR, the Commission stated that it believes that Reliability 
Standard CIP-014-1 will be applicable to a relatively small group of 
large entities. No comments were received addressing the Commission's 
proposed certification.\106\
---------------------------------------------------------------------------

    \105\ NOPR, 148 FERC ¶ 61,040 at P 70. Data and further 
information are available on the SBA Web site. See SBA Firm Size 
Data, available at http://www.sba.gov/advocacy/849/12162. Since 
issuance of the NOPR, the Commission has obtained data that enables 
us to estimate more closely the number of small entities affected by 
this final rule. We now estimate that 28 percent (or 103 out of the 
359 entities) are small entities.
    \106\ To the extent that Associations' comments, which we 
addressed above in the Information Collection Statement section, 
were also directed to the Commission's proposed certification 
regarding the Regulatory Flexibility Act, Associations' comments do 
not dispute any of the assumptions underlying the proposed 
certification or contest the proposed certification itself.
---------------------------------------------------------------------------

    129. Accordingly, the Commission certifies that Reliability 
Standard CIP-014-1 will not have a significant impact on a substantial 
number of small entities. Accordingly, no regulatory flexibility 
analysis is required.

VI. Document Availability

    130. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington, DC 20426.
    131. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    132. User assistance is available for eLibrary and the Commission's 
Web site during normal business hours from the Commission's Online 
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

VII. Effective Date and Congressional Notification

    133. This final rule is effective January 26, 2015. The Commission 
has determined, with the concurrence of the Administrator of the Office 
of Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small Business 
Regulatory Enforcement Fairness Act of 1996.\107\ This final rule is 
being submitted to the Senate, House, and Government Accountability 
Office.
---------------------------------------------------------------------------

    \107\ 5 U.S.C. 804(2).

    By the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note:  This appendix will not appear in the Code of Federal 
Regulations.

Appendix

------------------------------------------------------------------------
           Abbreviation                           Commenter
------------------------------------------------------------------------
                           Initial Commenters
------------------------------------------------------------------------
APS...............................  Arizona Public Service Company.
Associations......................  Edison Electric Institute, Electric
                                     Power Supply Association,
                                     Electricity Consumers Resource
                                     Council.
BPA...............................  Bonneville Power Administration.
CEA...............................  Canadian Electricity Association.
Duke..............................  Duke Energy Corporation.
Entergy...........................  Entergy.
Foundation........................  Foundation for Resilient Societies.
GridWise..........................  GridWise Alliance.
G&T Cooperatives..................  Associated Electric Cooperative,
                                     Inc., Basin Electric Power
                                     Cooperative, and Tri-State
                                     Generation and Transmission
                                     Association, Inc.
Idaho Power.......................  Idaho Power Company.
ITC...............................  International Transmission Company.
KCP&L.............................  Kansas City Power & Light Company
                                     and KCP&L Greater Missouri
                                     Operations Company.
MISO..............................  Midcontinent Independent System
                                     Operator, Inc.
NARUC.............................  National Association of Regulatory
                                     Utility Commissioners.
NEMA..............................  National Electrical Manufacturers
                                     Association.
NERC..............................  North American Electric Reliability
                                     Corporation.
NU................................  Utilities Northeast Utilities
                                     System.
NYPSC.............................  New York Public Service Commission.
Ohio PUC..........................  Public Utilities Commission of Ohio.
Oncor.............................  Oncor Electric Delivery Company LLC.
Pa PUC............................  Pennsylvania Public Utility
                                     Commission.
Paschall..........................  Roger Paschall.
Pepco.............................  Pepco Holdings, Inc.
Reclamation.......................  U.S. Department of Interior, Bureau
                                     of Reclamation.
Seattle...........................  City of Seattle.
SCE...............................  Southern California Edison.
SDG&E.............................  San Diego Gas & Electric.
SIA...............................  Security Industry Association.
Southern..........................  Southern Company Services, Inc.
TAPS..............................  Transmission Access Policy Study
                                     Group.
TVA...............................  Tennessee Valley Authority.
Trade Associations................  American Public Power Association,
                                     Large Public Power Council,
                                     National Rural Electric Cooperative
                                     Association.
Xcel..............................  Xcel Energy Services Inc.
------------------------------------------------------------------------
                            Reply Commenters
------------------------------------------------------------------------
Foundation........................  Foundation for Resilient Societies.
ITC...............................  International Transmission Company.
NIPSCO............................  Northern Indiana Public Service
                                     Company.
SmartSenseCom.....................  SmartSenseCom, Inc.
SWTDUG............................  Southwest Transmission Dependent
                                     Utility Group.
Tallahassee.......................  City of Tallahassee.
------------------------------------------------------------------------

[FR Doc. 2014-27908 Filed 11-24-14; 8:45 am]