[Federal Register Volume 91, Number 56 (Tuesday, March 24, 2026)]
[Notices]
[Pages 14013-14015]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2026-05715]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. RD25-8-000]
North American Electric Reliability Corporation; Order Approving
Reliability Standard CIP-002-8
North American Electric Reliability Corporation, 1401 H Street NW,
Suite 410, Washington, DC 20005. Attention: Lauren A. Perotti, Sarah P.
Crawford, Amy E. Engstrom.
Dear Ms. Perotti, Ms. Crawford, and Ms. Engstrom:
1. On December 20, 2024, the North American Electric Reliability
Corporation (NERC), the Commission-certified Electric Reliability
Organization, submitted a petition seeking approval of proposed
Critical Infrastructure Protection (CIP) Reliability Standard CIP-002-8
(Cyber Security--BES Cyber System Categorization) and the modification
of the term control center in the Glossary of Terms Used in NERC
Reliability Standards (NERC Glossary).\1\ NERC also requested approval
of the associated implementation plans, violation risk factors, and
violation severity levels, as well as the retirement of Reliability
Standard CIP-002-7.\2\ For the reasons discussed below, pursuant to
section 215(d)(2) of the Federal Power Act (FPA),\3\ we approve
proposed Reliability Standard CIP-002-8 and the related definition.
---------------------------------------------------------------------------
\1\ NERC Petition at 1.
\2\ The revisions to proposed Reliability Standard CIP-002 are
layered on top of the current NERC Board of Trustees approved draft,
proposed Reliability Standard CIP-002-7, which we are approving in a
concurrent order. Id. at 11; Virtualization Reliability Standards,
194 FERC ] 61,209 (2026).
\3\ 16 U.S.C. 824o(d)(2).
---------------------------------------------------------------------------
2. NERC explains that the purpose of proposed Reliability Standard
CIP-002-8 is to identify and categorize bulk electric system (BES)
cyber systems and their associated BES cyber assets for the application
of cyber security requirements commensurate with the adverse impact
that loss, compromise, or misuse of those BES cyber systems could have
on the reliable operation of the BES.\4\ Further, NERC notes that
responsible entities are required to categorize BES cyber systems as
low, medium, or high impact based on the characteristics of their BES
facilities, which determines the applicability of the suite of CIP
Reliability Standards.\5\ NERC also states that Attachment 1 of
proposed Reliability Standard CIP-002-8 includes the impact rating
criteria used to determine the impact level for BES cyber systems.
---------------------------------------------------------------------------
\4\ NERC Petition, Ex. A-1 (CIP-002-8 Clean) at 3.
\5\ NERC Petition at 3.
---------------------------------------------------------------------------
3. NERC proposes to revise the definition of the term control
center in the NERC Glossary to alleviate confusion from a lack of
common understanding of the term ``control'' as opposed to
``authority.'' \6\ NERC explains that the revision to the definition
expands the reach of the term to incorporate transmission owners ``so
that a Transmission Owner is considered to have a Control Center if it
has the capability to control transmission Facilities at two or more
locations using SCADA,'' i.e., supervisory control and data
acquisition.\7\ NERC asserts that the revised definition of control
center advances reliability by clarifying the facilities that are
subject to the CIP requirements.
---------------------------------------------------------------------------
\6\ Id. at 12.
\7\ Id.
---------------------------------------------------------------------------
4. NERC proposes to modify Criterion 2.12 of Attachment 1 of
proposed Reliability Standard CIP-002-8.\8\ NERC explains that proposed
Criterion 2.12 assigns a weighted value to the transmission lines that
a control center monitors and controls to assess the appropriate impact
of BES cyber systems associated with a control center. Pursuant to the
results of a field test conducted by the NERC Standards Development
Team, NERC determined that a threshold of 6,000 for the total
[[Page 14014]]
aggregate weighted value,\9\ with appropriate inclusion and exclusion
criteria, would sufficiently differentiate medium and low impact BES
cyber systems associated with control centers that are operated by a
transmission operator or owned by a transmission owner.\10\ NERC
explains that proposed Criterion 2.12 contains an exclusion clause that
allows responsible entities to categorize their BES cyber systems at
control centers at a level commensurate with the risk for local systems
that have limited flow-through or export generation and are primarily
designed to serve load without extending the exclusion to large control
areas.\11\
---------------------------------------------------------------------------
\8\ Id. at 15-17.
\9\ Aggregated weighted value is a point system based on voltage
values (in kilovolts (kV)) for BES transmission lines that are
monitored and controlled by a control center through inclusion of
each BES transmission line that is connected between two or more
transmission stations or substations. Id. at 16. The higher the kV
for a BES transmission line, the higher assigned points for that
line, indicating a larger potential adverse impact on the BES if the
control center was lost, compromised, or misused; thus, meriting
classifying the control center as a medium impact BES cyber system.
See id.
\10\ Id. at 15 (citing NERC, NERC Project 2021-03 CIP-002
Transmission Owner Control Center Field Test Final Report 6 (Jan.
2023), https://www.nerc.com/globalassets/standards/projects/2021-03/2021-03_cip-002_tocc_field_test_final_report_01262023.pdf
(concluding that under a range of power flow scenarios, 22 entities,
which are both below and above the 6,000 aggregated weighted value
bright line and are likely to be impacted by a modification to
Criterion 2.12, did not experience an adverse impact to the BES that
would merit classifying the control centers that are operated by a
transmission operator or owned by a transmission owner as medium
impact BES cyber systems)).
\11\ Id. at 17-21.
---------------------------------------------------------------------------
5. NERC's proposed implementation plan states that proposed
Reliability Standard CIP-002-8 and the proposed definition for control
center shall become effective on the later of either the effective date
of Reliability Standard CIP-002-7 or the first day of the first
calendar quarter that is three calendar months after the effective date
of the Commission's order approving proposed Reliability Standard CIP-
002-8. NERC concludes that the implementation plan is designed to
``balance the urgency to implement the requirements while affording
Responsible Entities time to incorporate the updated requirements into
their processes.'' \12\
---------------------------------------------------------------------------
\12\ Id. at 22.
---------------------------------------------------------------------------
6. Notice of NERC's petition was published in the Federal Register,
90 FR 24606 (June 11, 2025), with interventions and protests due on or
before July 7, 2025. Public Citizen, Inc. filed a timely motion to
intervene. No comments or protests were submitted. Pursuant to Rule 214
of the Commission's Rules of Practice and Procedure, 18 CFR 385.214
(2025), the timely, unopposed motion to intervene serves to make Public
Citizen, Inc. a party to the proceeding.
7. Pursuant to section 215(d)(2) of the FPA, we approve proposed
Reliability Standard CIP-002-8 as well as the proposed control center
definition for inclusion in the NERC Glossary, as just, reasonable, not
unduly discriminatory or preferential, and in the public interest. We
also approve the proposed Reliability Standard's associated violation
risk factors and violation severity levels, as well as the proposed
implementation plans. Finally, we approve the retirement of Reliability
Standard CIP-002-7 immediately prior to the effective date of proposed
Reliability Standard CIP-002-8.
8. We find that proposed Reliability Standard CIP-002-8 would
advance the reliable operation of the BES by better aligning the level
of impact BES cyber systems could have on the reliable operation of the
Bulk-Power System as a result of loss, compromise, or misuse of those
systems. Further, we determine that the proposed definition of control
center would strengthen reliability by improving risk identification,
allowing responsible entities to focus on protecting assets that pose a
higher reliability risk if unavailable, degraded, or compromised.
Lastly, the revised definition would also help responsible entities in
interpreting the control center definition by making clear that a
transmission owner may have a control center through its capability to
control transmission facilities.
Information Collection Statement
9. The FERC-725B information collection requirements are subject to
review by the Office of Management and Budget (OMB) under section
3507(d) of the Paperwork Reduction Act of 1995. OMB's regulations
require approval of certain information collection requirements imposed
by agency rules. Upon approval of a collection of information, OMB will
assign an OMB control number and expiration date. Respondents subject
to the filing requirements will not be penalized for failing to respond
to these collections of information unless the collections of
information display a valid OMB control number. The Commission solicits
comments on the need for this information, whether the information will
have practical utility, the accuracy of the burden estimates, ways to
enhance the quality, utility, and clarity of the information to be
collected or retained, and any suggested methods for minimizing
respondents' burden, including the use of automated information
techniques.
10. The Commission bases its paperwork burden estimates on the
additional paperwork burden presented by the proposed revisions to
Reliability Standard CIP-002-8. Reliability Standards are objective-
based and allow entities to choose compliance approaches best tailored
to their systems. The NERC Compliance Registry, as of June 2025,
identifies approximately 1,673 \13\ U.S. entities that are subject to
mandatory compliance with Reliability Standards.
---------------------------------------------------------------------------
\13\ The ``Number of Entity'' data is compiled from the June
2025 edition of the NERC Compliance Registry.
---------------------------------------------------------------------------
11. Of this total, we estimate that 1,573 entities will face a
minor increase in paperwork burden of two hours each for a total burden
hours increase of 3,146 at $97 \14\ per hour for $194 per entity and a
total $305,162 burden for the first year and no ongoing burdens in
addition to the burden already accounted for in the OMB control number
for CIP Reliability Standards.
---------------------------------------------------------------------------
\14\ The hourly cost for wages is based in part on the average
of the occupational categories from the Bureau of Labor Statistics
website (http://www.bls.gov/oes/current/naics2_22.htm) plus
benefits: Legal (Occupation Code: 23-0000): $162.66; Electrical
Engineer (Occupation Code: 17-2071): $79.31; Office and
Administrative Support (Occupation Code: 43-0000): $48.59 ($162.66 +
$79.31 + $48.59) / 3 = $96.85. The figure is rounded to $97.00 for
use in calculating wage figures in this Order.
---------------------------------------------------------------------------
12. Additionally, we estimate that another 100 entities will have a
burden of four hours each for a total burden hours increase of 400 at
$85 per hour for a total burden of $38,000 for the first year and no
ongoing burdens in addition to the burden already accounted for in the
OMB control number for CIP Reliability Standards.
13. The responses and burden hours for Years 1-3 will total
respectively as follows:
Year 1-3 each: for proposed Reliability Standard CIP-002-8
will be 557.67 responses; 1,182 hours;
The annual cost burden for each Year 1-3 is $101,803 for
proposed Reliability Standard CIP-002-8.
Title: Mandatory Reliability Standards, Revised Critical
Infrastructure Standards.
Action: Revision 8 of CIP-002 under FERC-725B Mandatory Reliability
Standards--CIP Reliability Standards.
OMB Control No.: 1902-0248.
Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
Frequency of Responses: On Occasion.
Necessity of the Information: This order approves proposed
Reliability Standard CIP-002-8 related to the
[[Page 14015]]
identification and categorization of BES cyber systems and their
associated BES cyber assets. As discussed above, the Commission
approves the proposed Reliability Standard CIP-002-8 pursuant to
section 215(d)(2) of the FPA because the Standard would advance
reliability by revising the threshold for applicable transmission
owners and transmission operators to categorize their BES cyber systems
based on the impact to their associated facilities, systems, and
equipment, which, if destroyed, degraded, misused, or otherwise
rendered unavailable would affect the reliability of the BES.
Internal Review: The Commission has reviewed the proposed
Reliability Standard and made a determination that its action is
necessary to implement section 215 of the FPA.
14. Interested persons may obtain information on the reporting
requirements by contacting the following: Federal Energy Regulatory
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Kayla
Williams, Office of the Executive Director, email:
[email protected], phone: (202) 502-6468].
15. For submitting comments concerning the collection(s) of
information and the associated burden estimate(s), please send your
comments to the Commission, and to the Office of Management and Budget,
Office of Information and Regulatory Affairs, Washington, DC 20503
[Attention: Desk Officer for the Federal Energy Regulatory Commission,
phone: (202) 395-4638, fax: (202) 395-7285]. For security reasons,
comments to OMB should be submitted by email to:
[email protected]. Comments submitted to OMB should include
Docket Number RD25-8-000 and OMB Control Number 1902-0248.
16. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
internet through the Commission's Home Page (http://www.ferc.gov).
17. From the Commission's Home Page on the internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
18. User assistance is available for eLibrary and the Commission's
website during normal business hours from the Commission's Online
Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at
[email protected], or the Public Reference Room at (202) 502-
8371, or (202) 502-8659 for TTY. Email the Public Reference Room at
[email protected].
19. All submissions must be formatted and filed in accordance with
submission guidelines at: http://www.ferc.gov/help/submission-guide.asp. For user assistance, contact FERC Online Support by email at
[email protected], or by phone at: (866) 208-3676 (toll-free),
or (202) 502-8659 for TTY.
By direction of the Commission.
Issued: March 19, 2026.
Carlos D. Clay,
Deputy Secretary.
[FR Doc. 2026-05715 Filed 3-23-26; 8:45 am]
BILLING CODE 6717-01-P