[Federal Register Volume 80, Number 123 (Friday, June 26, 2015)]
[Notices]
[Pages 36800-36803]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-15652]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. IC15-6-000]


Commission Information Collection Activities (FERC-725B); Comment 
Request

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Comment request.

-----------------------------------------------------------------------

SUMMARY: In compliance with the requirements of the Paperwork Reduction 
Act of 1995, 44 U.S.C. 3507(a)(1)(D), the Federal Energy Regulatory 
Commission (Commission or FERC) is submitting its information 
collection [FERC-725B, Mandatory Reliability Standards for Critical 
Infrastructure Protection] to the Office of Management and Budget (OMB) 
for review of the information collection requirements. Any interested 
person may file comments directly with OMB and should address a copy of 
those comments to the Commission as explained below. The Commission 
previously issued a Notice in the Federal Register (80 FR 21230, 4/17/
2015) requesting public comments. The Commission received one public 
comment on the FERC-725B. The public comment and FERC's response are 
provided later in this notice.

DATES: Comments on the collection of information are due by July 27, 
2015.

ADDRESSES: Comments filed with OMB, identified by the OMB Control No. 
1902-0248, should be sent via email to the Office of Information and 
Regulatory Affairs: [email protected] Attention: Federal Energy 
Regulatory Commission Desk Officer. The Desk Officer may also be 
reached via telephone at 202-395-0710.
    A copy of the comments should also be sent to the Commission, in 
Docket No. IC15-6-000, by either of the following methods:
     * eFiling at Commission's Web site: http://www.ferc.gov/docs-filing/efiling.asp.
     * Mail/Hand Delivery/Courier: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    Instructions: All submissions must be formatted and filed in 
accordance with submission guidelines at: http://www.ferc.gov/help/submission-guide.asp. For user assistance contact FERC Online Support 
by email at [email protected], or by phone at: (866) 208-3676 
(toll-free), or (202) 502-8659 for TTY.
    Docket: Users interested in receiving automatic notification of 
activity in this docket or in viewing/downloading comments and 
issuances in this docket may do so at http://www.ferc.gov/docs-filing/docs-filing.asp.

FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by email at 
[email protected], by telephone at (202) 502-8663, and by fax at 
(202) 273-0873.

SUPPLEMENTARY INFORMATION: 
    Title: FERC-725B, Mandatory Reliability Standards for Critical 
Infrastructure Protection
    OMB Control No.: 1902-0248
    Type of Request: Three-year extension of the FERC-725B information 
collection requirements with no changes to the reporting requirements.
    Abstract: The information collected by the FERC-725B, Reliability 
Standards for Critical Infrastructure Protection, is required to 
implement the statutory provisions of Section 215 of the Federal Power 
Act (FPA) (16 U.S.C. 824o).
    On January 18, 2008, the Commission issued Order No. 706,\1\ approving 
eight Critical Infrastructure Protection (CIP) Reliability Standards 
submitted by the North American Electric Reliability Corporation (NERC) 
for Commission approval. The CIP version 1 Reliability Standards, (CIP-
002-1 through CIP-009-1),\2\ require certain users, owners, and 
operators of the Bulk-Power System to comply with specific requirements 
to safeguard critical cyber assets. These standards help protect the 
nation's Bulk-Power System against potential disruptions from cyber-
attacks. The CIP Reliability Standards include one actual reporting 
requirement and several recordkeeping requirements. Specifically, CIP-
008-1 requires responsible entities to report cyber security incidents 
to the Electricity Sector-Information Sharing and Analysis Center (ES-
ISAC). In addition, the eight CIP Reliability Standards require 
responsible entities to develop various policies, plans, programs, and 
procedures. However, the CIP Reliability Standards do not require a 
responsible entity to report to the Commission, ERO or Regional 
Entities, the various policies, plans, programs and procedures. 
Nonetheless, a showing of the documented policies, plans, programs and 
procedures is required to demonstrate compliance with the CIP 
Reliability Standards.
---------------------------------------------------------------------------

    \1\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ¶ 61,040.
    \2\ Every version of the CIP Reliability Standards may be found 
on the NERC Web site at http://www.nerc.com/pa/Stand/Reliability%20Standards%20Complete%20Set/RSCompleteSet.pdf.
---------------------------------------------------------------------------

    The Commission approved minor changes in CIP versions 2 and 3 
Reliability Standards on September 30, 2009, and March 31, 2010,\3\ 
respectively. On April 19, 2012, the Commission issued Order No. 761, 
approving the CIP version 4 Standards (CIP-002-4 through CIP-009-4) and 
an implementation plan that scheduled their enforcement to begin 
October 1, 2014.\4\ The fundamental change in the CIP version 4 
Standards was that all subject entities would use the same `bright 
line' criteria to determine which of the facilities they owned were 
subject to the required policies, plans, programs and procedures (which 
remained nearly the same as for prior versions).
---------------------------------------------------------------------------

    \3\ 129 FERC ¶ 61,236 (2009) (approving Version 2 of the CIP 
Reliability Standards); North American Electric Reliability Corp., 
and 130 FERC ¶ 61,271 (2010) (approving Version 3 of the CIP 
Reliability Standards).
    \4\ Version 4 Critical Infrastructure Protection Reliability 
Standards, Order No. 761, 77 FR 24,594 (Apr. 25, 2012), 139 FERC ¶ 
61,058 (2012), order denying reh'g, 140 FERC ¶ 61,109 (2012).
---------------------------------------------------------------------------

    On November 22, 2013, the Commission issued Order No. 791, 
approving the CIP version 5 Standards (CIP-002-5 through CIP-009-5, 
CIP-010-1 and CIP-011-1) and the proposed implementation plan. The CIP 
version 5 Standards are currently scheduled to be implemented and 
enforceable beginning April 2016. Order No. 791 eliminated the 
enforceability of the CIP version 4 Standards. The Commission also 
approved nineteen new or revised definitions associated with the CIP 
version 5 Standards for inclusion in the Glossary of Terms Used in NERC 
Reliability Standards (NERC Glossary). The CIP version 5 Standards 
identify and categorize Bulk Electric System (BES) Cyber Systems using 
a new methodology based on whether a BES Cyber System has a Low, 
Medium, or High Impact on the reliable operation of the bulk electric 
system. At a minimum, a BES Cyber System must be categorized as a Low 
Impact asset. Once a BES Cyber System is categorized, a responsible 
entity must comply with the associated requirements of the CIP version 
5 Standards that apply to the impact category. The CIP version 5 
Standards include 12 requirements with new cyber security controls, 
which address Electronic Security Perimeters (CIP-005-5), Systems 
Security Management (CIP-007-5), Incident Reporting and Response 
Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), 
and Configuration Change Management and Vulnerability Assessments (CIP-
010-1).
    Type of Respondents: Entities registered with the North American 
Electric Reliability Corporation.
    Estimate of Annual Burden: \5\ There are three items presenting 
burden associated with CIP Reliability Standards in the following 
section.
---------------------------------------------------------------------------

    \5\ The Commission defines burden as the total time, effort, or 
financial resources expended by persons to generate, maintain, 
retain, or disclose or provide information to or for a Federal 
agency. For further explanation of what is included in the 
information collection burden, reference 5 Code of Federal 
Regulations 1320.3.
---------------------------------------------------------------------------

     * The first table illustrates burden associated with CIP 
version 5 Reliability Standards.
     * The second table illustrates burden associated with CIP 
version 3 and 4 Reliability Standards.
     * The third item (bulleted list) is a sum of the total 
burden for all active CIP-related Reliability Standards (i.e. CIP 
Versions 3-5).

                         Annual Burden Related to CIP Reliability Standards (Version 5)
----------------------------------------------------------------------------------------------------------------
                                   Classes of
                                    entity's         Number of      Total hours     Total hours     Total hours
 Groups of registered entities     facilities        entities        in year 1       in year 2       in year 3
                                  requiring CIP                       (hours)         (hours)         (hours)
----------------------------------------------------------------------------------------------------------------
Group A.......................  Low.............              41           2,540           2,540             564
Group B.......................  Low.............           1,058         554,392         554,392         110,032
Group B.......................  Medium..........             260         128,960          64,896          64,896
Group C.......................  Low.............             316         165,584         165,584          32,864
Group C.......................  Medium (New)....              78           1,248          19,136          19,136
Group C.......................  Low (Blackstart)             283          22,640    \6\ -206,024    \6\ -206,024
Group C.......................  Medium or High..             316         257,856         131,456         131,456
                               ---------------------------------------------------------------------------------
    Total.....................  ................  ..............       1,133,220         731,980         152,924
----------------------------------------------------------------------------------------------------------------

The total annual burden (related to CIP Version 5 only) is 672,708 
hours when averaging Years 1-3 [(1,133,220 hours + 731,980 hours + 
152,924 hours) / 3 = 672,708 hours]. The total annual cost averaged 
over Years 1-3 is $50,883,633 (672,708 hours * $75.64 \7\ = 
$50,883,633).
---------------------------------------------------------------------------

    \6\ These figures (in the context of this table) represent a 
removal of requirements and burden for Group C (Blackstart) 
respondents in Years 2 and 3 due to CIP Version 5 changes. Since 
these numbers are stated as negative figures, they represent a 
reduction in OMB-approved burden estimate.
    \7\ The estimates for cost per response are derived using the 
following formula: Average Burden Hours per Response * $75.64 per 
Hour = Average Cost per Response. The hourly cost figure comes from 
May 2014 data on the Bureau of Labor Statistics Web site (http://www.bls.gov/oes/current/naics2_22.htm). The figure is a mathematical 
average of the cost of wages and benefits related to legal services 
($129.68), technical employees ($58.17), and administrative support 
($39.12).
---------------------------------------------------------------------------

    Regarding CIP standards unaffected by CIP Version 5, the estimated 
burden has been adjusted to account for a reduction in affected 
entities.\8\ The applicable estimate related to CIP Version 3 and 4 
standards (related to the active components) is provided in the table 
below. (For display purposes, the numbers in the tables below have been 
rounded; however, exact figures were used in the calculations.)
---------------------------------------------------------------------------

    \8\ The estimate has been decreased from 1,475 to 1,415. The 
NERC Compliance Registry indicated that as of 1/14/2015, 1,415 
entities were registered for at least one CIP-related function/
responsibility.

                    Burden Related to CIP Reliability Standards (Version 3 and Version 4) \9\
----------------------------------------------------------------------------------------------------------------
                                                                              Total  annual
    Number of      Annual  number of   Total number  of  Average  burden &   burden hours  &        Cost per
   respondents       responses  per       responses           cost per        total  annual     respondent  ($)
                       respondent                             response             cost
(1)                            (2)    (1) * (2) = (3)                (4)    (3) * (4) = (5)          (5) / (1)
----------------------------------------------------------------------------------------------------------------
          1,415                  1              1,415           \10\ 383       \11\ 541,334            $28,937
                                                                 $28,937        $40,946,496
----------------------------------------------------------------------------------------------------------------

    The following items represent the estimated total annual burden for 
FERC-725B and include all burden associated with CIP Reliability 
Standards.\12\
---------------------------------------------------------------------------

    \9\ Reliability Standards CIP-002-3, CIP-003-3, CIP-004-3a, CIP-
005-3a, CIP-006-3a, CIP-007-3c, CIP-008-3, and CIP-009-3.
    \10\ This figure is rounded for display in the table. The actual 
number is 382.56813 and is used in the calculations above.
    \11\ This figure is rounded for display in the table. The actual 
number is 541,333.91 and is used in the calculations above.
    \12\ CIP Versions 3 and 4 (remaining components of Version 3 and 
4), and 5.
---------------------------------------------------------------------------

     * Number of respondents: 1,415 (Not all entities with CIP-
related functions will be obligated to comply with every CIP 
reliability standard.)
     * Total Annual Burden Hours: 1,214,042
     * Total Annual Cost: $91,830,137 (1,214,042 hours * $75.64 = 
$91,830,137)
     * Average Cost per Respondent: $64,898 \13\ ($91,830,137 / 
1,415 entities = $64,898).
---------------------------------------------------------------------------

    \13\ This figure is rounded. The actual number is 64,897.623.
---------------------------------------------------------------------------

    Public comments received about the FERC-725B information 
collection: FERC received one comment from Robert S. Lynch and 
Associates. The comment pertained to the burden and cost of 
responding to a Freedom of Information Act (FOIA) request related to 
the FERC-725B and the information collection not being safeguarded 
against a request under the FOIA.
    FERC's response to the public comment: The burden related to the 
Federal Energy Regulatory Commission safeguarding of information 
collection activities against a request under the Freedom of 
Information Act (FOIA) does not have a direct collection cost 
burden on the regulated entities and, thus, is not included in the 
reported cost burden.
    However, as to the data vulnerability issue raised by the commenter, 
the information collected as related to the CIP Reliability Standards 
is generally protected from FOIA requests because it is retained by the 
regulated entities themselves and not the Commission. For compliance 
and enforcement activities of the CIP Reliability Standards, Section 
215 of the Federal Power Act (FPA) \14\ required the Commission to 
appoint an Electric Reliability Organization (ERO). The Commission 
appointed NERC. The ERO and its designated assignees, generally in 
exercising their compliance and enforcement activities under Section 215 
of the FPA, only review the information collected by the regulated 
entities and only take possession of the information required to 
process the enforcement actions. The Commission, in furtherance of the 
Commission's statutory responsibility under Section 215 of the FPA, 
reviews and approves enforcement actions undertaken by the ERO and, in 
doing so, does receive information collected related to CIP Reliability 
Standards. However, the information that is received by the Commission 
for performing its statutory oversight responsibilities is generally 
devoid of specific sensitive information. Therefore, FERC does not find 
it necessary to make any changes to the collection at this time.
---------------------------------------------------------------------------

    \14\ 16 U.S.C. 824o.
---------------------------------------------------------------------------

    Comments: Comments are invited on: (1) whether the collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimate of the burden and 
cost of the collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility and clarity of the information collection; and (4) ways to 
minimize the burden of the collection of information on those who are 
to respond, including the use of automated collection techniques or 
other forms of information technology.

    Dated: June 19, 2015.
Kimberly D. Bose,
Secretary.
[FR Doc. 2015-15652 Filed 6-25-15; 8:45 am]