Notice 2022-13464
Before Commissioners: Richard Glick, Chairman; James P. Danly, Allison Clements, Mark C. Christie, and Willie L. Phillips; North American Electric Reliability Corporation; Order Approving Modifications to the Compliance Section of Reliability Standard CIP-014
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
June 24, 2022
Issuing agencies
Energy Department; Federal Energy Regulatory Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 121 (Friday, June 24, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 121 (Friday, June 24, 2022)]
[Notices]
[Pages 37847-37850]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-13464]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. RD22-3-000]
Before Commissioners: Richard Glick, Chairman; James P. Danly,
Allison Clements, Mark C. Christie, and Willie L. Phillips; North
American Electric Reliability Corporation; Order Approving
Modifications to the Compliance Section of Reliability Standard CIP-014
1. On February 16, 2022, the North American Electric Reliability
Corporation (NERC), the Commission-certified Electric Reliability
Organization (ERO), submitted a petition seeking approval of
Reliability Standard CIP-014-3, which would modify the compliance
section of Reliability Standard CIP-014-2 (Physical Security). The
proposed modification would eliminate a provision requiring that all
evidence demonstrating compliance with this Reliability Standard should
be retained at the transmission owner's or transmission operator's
facility. As discussed in this order, we approve NERC's petition.
I. Background
A. Section 215 and Mandatory Reliability Standards
2. Section 215 of the Federal Power Act (FPA) requires a
Commission-certified ERO to develop mandatory and enforceable
Reliability Standards, subject to Commission review and approval. The
ERO is obligated to file each Reliability Standard or modification to a
Reliability Standard that it proposes to be made effective with the
Commission.\1\ Reliability Standards may be enforced by the ERO,
subject to Commission oversight, or by the Commission independently.\2\
Pursuant to section 215 of the FPA, the Commission established a
process to select and certify an ERO,\3\ and subsequently certified
NERC.\4\
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o(d)(1).
\2\ Id. 824o(e).
\3\ Rules Concerning Certification of the Elec. Reliability
Org.; & Procedures for the Establishment, Approval, & Enforcement of
Elec. Reliability Standards, Order No. 672, 114 FERC ¶ 61,104, order
on reh'g, Order No. 672-A, 71 FR 19814 (April 18, 2006), 114 FERC ¶
61,328 (2006).
\4\ N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on
reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom.
Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
B. Currently Effective Reliability Standard CIP-014-2
3. Reliability Standard CIP-014-2, which applies to transmission
owners and transmission operators, is designed to ``identify and
protect Transmission stations and Transmission substations, and their
associated primary control centers, that if rendered inoperable or
damaged as a result of a physical attack could result in widespread
instability, uncontrolled separation, or Cascading within an
Interconnection.'' \5\ Pursuant to the Reliability Standard,
transmission owners must perform an initial risk assessment and
subsequent risk assessments to identify the transmission stations and
substations that, if rendered inoperable or damaged, could result in
instability, uncontrolled separation, or cascading within an
Interconnection, and each assessment is subject to third-party
verification. Transmission owners that control identified facilities
must evaluate the potential threats and vulnerabilities of a physical
attack on those transmission stations and substations, as well as
their primary control centers, develop and implement a documented
physical security plan, and have a third party review the evaluation.
---------------------------------------------------------------------------
\5\ NERC Reliability Standard CIP-014-2 (Physical Security),
Purpose.
---------------------------------------------------------------------------
C. NERC Petition for Modifications to the Compliance Section of
Reliability Standard CIP-014
4. NERC proposes to remove section C.1.1.4., Additional Compliance
Information, from the compliance section of the currently effective
Reliability Standard CIP-014-2 (Physical Security). That section
requires all evidence demonstrating compliance with this Reliability
Standard to be retained at the transmission owner's or transmission
operator's facility in order to protect the entity's confidential
information.\6\
NERC states that the proposed change applies only to the compliance
section of Reliability Standard CIP-014-2, and proposes no changes in
the mandatory and enforceable Requirements of Reliability Standard CIP-
014-2. According to NERC, the provision presents challenges to
effective and efficient compliance monitoring and is not necessary to
protect the confidentiality of Reliability Standard CIP-014-2
compliance evidence.\7\
---------------------------------------------------------------------------
\6\ NERC Petition at 1. Section C.1.1.4., Additional Compliance
Information states:
Confidentiality: To protect the confidentiality and sensitive
nature of the evidence for demonstrating compliance with this
standard, all evidence will be retained at the Transmission Owner's
and Transmission Operator's facilities.
\7\ NERC Petition at 1.
---------------------------------------------------------------------------
5. NERC states that the ``Additional Compliance Information''
provision in the compliance section of CIP-014 was added to address
heightened concerns regarding the protection of CIP-014 evidence.
However, NERC has determined that it should no longer treat CIP-014
evidence any differently than other sensitive evidence it collects
during its Compliance Monitoring and Enforcement Program (CMEP)
activities.\8\ With the advent of the ERO Secure Evidence Locker (SEL),
NERC asserts that it has a secure means of collecting and analyzing
CIP-014 evidence in the same manner as any other sensitive evidence
collected as part of CMEP activities.\14\
---------------------------------------------------------------------------
\8\ Id. at 5-6.
---------------------------------------------------------------------------
6. NERC explains that if the change is approved, it will no longer
treat Reliability Standard CIP-014 evidence any differently than other
sensitive evidence it collects during its compliance activities.\9\
NERC plans to use its SEL to support data and information handling, and
it explains that it has developed the SEL for temporary storage of all
registered entity compliance evidence.\10\ According to NERC, the SEL
enables a registered entity to securely submit evidence
[[Page 37848]]
through an encrypted session; the evidence is encrypted immediately
upon submission, securely isolated per registered entity, never
extracted, never backed up, and subject to proactive and disciplined
destruction policies. NERC submits that the SEL provides security
advantages to ensure proper protection and chain-of-custody management
of the submitted evidence for CIP-014 compliance.
---------------------------------------------------------------------------
\9\ Id.
\10\ Id. at 6.
---------------------------------------------------------------------------
7. NERC requests that the modification to the Reliability Standard
become effective on the date of Commission approval.
II. Notice of Filing and Responsive Pleadings
8. Notice of NERC's February 16, 2022 Petition was published in the
Federal Register, 87 FR 11061 (Feb. 28, 2022), with interventions and
protests due on or before March 15, 2022. The Edison Electric Institute
(EEI) filed a timely motion to intervene and comments. On March 21,
2022, NERC submitted a request to submit reply comments and reply
comments (NERC Answer). On March 30, 2022, EEI filed a motion for leave
to answer and answer (EEI Answer).
9. EEI opposes NERC's petition and maintains that Reliability
Standard CIP-014 requires data collection for industry's most sensitive
assets and, therefore, the compliance provision should be retained so
that NERC continues to review compliance evidence for this Reliability
Standard only on-site at the registered entities for the most sensitive
data.\11\ EEI explains that the information retained under this
compliance requirement is of a critical and highly sensitive nature,
and some information provided for Reliability Standard CIP-014
compliance is only available to a small set of personnel on a need-to-
know basis within EEI member companies.\12\ According to EEI, its
members go to great lengths to protect the identity of the assets and
other sensitive information by using alternative anonymous names both
in internal and external discussions. Further, EEI expresses security
concerns related to the use of SEL, arguing that the SEL increases the
risk of aggregated industry information falling into the hands of a
nation state or bad actor.\13\ EEI argues that ease of access cannot
take precedence over the safety, security, and reliability of the
electric grid.
---------------------------------------------------------------------------
\11\ EEI Comments at 1.
\12\ Id. at 5.
\13\ Id.
---------------------------------------------------------------------------
10. NERC asserts in its answer that the proposed modification would
not decrease the protection of any highly sensitive compliance
evidence, but it is needed to ensure compliance monitoring with
Reliability Standard CIP-014.\14\ Among other arguments, NERC explains
that there will be limited CIP-014 evidence aggregated in the SEL at
any given time.\15\ Further, NERC elaborates that a registered entity
may choose to develop its own SEL rather than use NERC's SEL, or use
NERC's exceptions process, which allows registered entities to
collaborate with the compliance authority on alternative submittal
methods.
---------------------------------------------------------------------------
\14\ NERC Answer at 1.
\15\ Id. at 2-3.
---------------------------------------------------------------------------
11. Finally, NERC states that over the last two years, due to
pandemic restrictions, in some instances registered entities refused
on-site access for compliance monitoring.\16\ In addition, certain
entities also refused to allow a review of evidence using a secure
videoconferencing platform. NERC believes that ``[t]he end result was
increased risk, in certain instances, because [NERC and the Regional
Entities] had no mechanism with which to monitor compliance with CIP-
014 until the entity, at its own discretion, lifted its pandemic-
related restriction.'' \17\
---------------------------------------------------------------------------
\16\ Id. at 3-4.
\17\ Id. at 4.
---------------------------------------------------------------------------
12. In its answer, EEI argues that more flexibility should be given
to registered entities to select the most secure methods for providing
CIP-014 compliance data. In particular, EEI states that, if agreed to
by a registered entity's Compliance Enforcement Authority, ``secure
videoconferencing is an attractive and equally effective and efficient
alternative to using the ERO SEL and one that EEI members would
welcome.'' \18\ EEI notes, however, that certain entities may prefer to
use their own videoconferencing tools, as opposed to an ERO-based tool,
``because in doing so they have an understanding of, and confidence in,
the security measures that have been implemented.'' \19\ Further,
because many registered entities' corporate security access management
programs require training, background checks, and monitoring of third-
party access, EEI believes that some registered entities may be unable
to use their own SEL to submit compliance information if NERC or
Regional Entity compliance personnel are unable or unwilling to meet
their SEL security access requirements.\20\ EEI also expresses concern
with the length of time NERC will keep compliance information in the
SEL, as entities have no way of verifying whether it has been deleted.
---------------------------------------------------------------------------
\18\ EEI Answer at 2.
\19\ Id.
\20\ Id. at 2-3.
---------------------------------------------------------------------------
III. Determination
A. Procedural Matters
13. Pursuant to Rule 214 of the Commission's Rules of Practice and
Procedure, 18 CFR 385.214 (2021), EEI's timely, unopposed motion to
intervene serves to make it a party to this proceeding.
14. Rule 213(a)(2) of the Commission's Rules of Practice and
Procedure, 18 CFR 385.213(a)(2) (2021), prohibits an answer to a
protest or answer unless otherwise ordered by the decisional authority.
We accept NERC's and EEI's answers because they have provided
information that assisted us in our decision-making process.
B. Substantive Matters
15. As discussed below, we find that the proposed removal of the
evidence retention provision in section C.1.1.4 of the compliance
section of Reliability Standard CIP-014-2 is just, reasonable, not
unduly discriminatory or preferential, and in the public interest. The
modification will allow NERC to monitor compliance more effectively
without compromising the confidentiality of sensitive information.
Accordingly, we approve NERC's petition.
16. Reliability Standard CIP-014-2, compliance section C.1.1.4.,
Additional Compliance Information, currently requires compliance
personnel and auditors (and enforcement staff if a potential
noncompliance is identified) to be physically present at an entity's
facility to review evidence of compliance. As NERC's petition explains,
this requirement presented challenges during the pandemic, when
auditors could not access certain entities' facilities in person and in
some instances were prevented from reviewing the evidence remotely.\21\
---------------------------------------------------------------------------
\21\ NERC Petition at 7; NERC Answer at 3.
---------------------------------------------------------------------------
17. We recognize that Reliability Standard CIP-014-2 requires data
collection for industry's sensitive assets and that therefore the data
should be handled in a secure manner. However, while section C.1.1.4
may have provided necessary protection in the past, we are persuaded by
NERC's explanation that its SEL now offers a secure and more flexible
alternative for compliance evidence collection and review for
Reliability Standard CIP-014-2.
18. Moreover, we are not persuaded by EEI's comments seeking to
retain the
[[Page 37849]]
on-site viewing requirement. First, contrary to EEI's suggestion in its
comments, the use of the SEL is not novel and untested. In NERC's
petition requesting funding for the SEL, which was filed in June 2020,
NERC explained that the use of an evidence locker was a practice
already in place for at least two Regional Entities to collect evidence
associated with Critical Infrastructure Protection (CIP) Reliability
Standards.\22\ Before deciding to implement the SEL, NERC consulted
with industry and discussed security concerns related to evidence
collection.\23\ Also, NERC has been using the SEL to access compliance
evidence for the other CIP Reliability Standards, which indicates that
it is a well-established and secure method of evidence review.
Restricting auditor review to on-site only when there is a secure
alternative impairs the auditor's ability to perform in-depth review of
the evidence and could result in increased risk due to lack of adequate
or timely compliance monitoring.
---------------------------------------------------------------------------
\22\ NERC, Request of the North American Electric Reliability
Corporation to expend funds to develop the ERO Enterprise Secure
Evidence Locker, Docket No. RR19-8-001, at 4 (filed June 8, 2020)
(NERC 2020 Filing); N. Am. Elec. Reliability Corp., Docket No. RR19-
8-001 (June 22, 2020) (delegated order).
\23\ NERC 2020 Filing at 5.
---------------------------------------------------------------------------
19. Further, we are not persuaded by EEI's argument that the SEL
increases the risk of aggregated industry information falling into the
hands of a nation-state or bad actor. Once evidence is submitted
through an SEL encrypted session, it is immediately encrypted and
cannot be extracted, is not backed up, and is subject to proactive and
disciplined destruction policies, as well as being separated by
registered entity.\24\ NERC explained that it will remove the
information from the SEL when the CMEP engagement concludes.\25\
---------------------------------------------------------------------------
\24\ NERC Answer at 2.
\25\ Id. at 2-3.
---------------------------------------------------------------------------
20. Finally, as stated by NERC, entities can structure their own
SELs that adhere to their security measure requirements. EEI argues
that some registered entities may be unable to use their own SELs to
submit compliance information if NERC or Regional Entity compliance
personnel are unable or unwilling to meet the SEL security access
requirements.\26\ However, EEI provides no specific evidence of such
situations for other CIP compliance monitoring engagements or whether
they have led to increased risk of evidence being compromised. We find
unpersuasive EEI's objections to NERC's offering of a flexible approach
to accommodate entities.
---------------------------------------------------------------------------
\26\ Id.
---------------------------------------------------------------------------
21. Therefore, we find that the removal of the evidence retention
provision in section C.1.1.4 of the compliance section of Reliability
Standard CIP-014-2 will allow NERC to monitor compliance more
effectively without compromising the confidentiality of sensitive
information. Accordingly, we approve NERC's petition and accept the
proposed Reliability Standard CIP-014-3, to become effective on the
date of issuance of this order.
IV. Information Collection Statement
22. In compliance with the requirements of the Paperwork Reduction
Act of 1995, 44 U.S.C. 3506(c)(2)(A), the Commission is soliciting
public comment on revisions to the information collection FERC-725U,
Mandatory Reliability Standards for the Bulk Power System; CIP
Reliability Standards; which will be submitted to the Office of
Management and Budget (OMB) for a review of the information collection
requirements. Comments on the collection of information are due within
60 days of the date this order is published in the Federal Register.
Respondents subject to the filing requirements of this order will not
be penalized for failing to respond to these collections of information
unless the collections of information display a valid OMB control
number.
23. The information collection requirements are subject to review
by the OMB under section 3507(d) of the Paperwork Reduction Act of
1995.\27\ OMB's regulations require approval of certain information
collection requirements imposed by agency rules.\28\ The Commission
solicits comments on the Commission's need for this information,
whether the information will have practical utility, the accuracy of
the burden estimates, ways to enhance the quality, utility, and clarity
of the information to be collected or retained, and any suggested
methods for minimizing respondents' burden, including the use of
automated information techniques.
---------------------------------------------------------------------------
\27\ 44 U.S.C. 3507(d).
\28\ 5 CFR 1320 (2021).
---------------------------------------------------------------------------
24. The number of respondents below is based on an estimate of the
NERC compliance registry for transmission owners and transmission
operators. The Commission based its paperwork burden estimates on the
NERC compliance registry as of May 6, 2022. According to the registry,
there are 326 transmission owners and 18 transmission operators not
also registered as transmission owners. The estimate is based on a zero
change in burden from the current standard to the standard approved in
this Order. The Commission based the burden estimate on staff
experience, knowledge, and expertise.
25. For the new Reliability Standard CIP-014-3, the burden for
entities remains the same as they will still need to provide the same
evidence to demonstrate compliance whether it is kept on-site or loaded
electronically into the SEL. No comments were received that expressed a
change in the man-hour burden associated with the use of the SEL.
26. Burden Estimates: The Commission estimates the changes in the
annual public reporting burden and cost \29\ as indicated below:
---------------------------------------------------------------------------
\29\ FERC staff estimates that industry costs for salary plus
benefits are similar to Commission costs. The FERC 2021 average
salary plus benefits for one FERC full-time equivalent (FTE) is
$180,703/year (or $87.00/hour) posted by the Bureau of Labor
Statistics for the Utilities sector (available at <a href="https://www.bls.gov/oes/current/naics3_221000.htm">https://www.bls.gov/oes/current/naics3_221000.htm</a>).
\30\ The total (344) of transmission owners (326) plus
transmission operators (18) not also registered as owners represents
the unique U.S. entities (taken from data as of May 6, 2022).
FERC-725U--(Mandatory Reliability Standards: Reliability Standard CIP-014) Change in Burden
---------------------------------------------------------------------------------------------------------------------------------------------------
                                           Number of    Number of      Total number      Average burden       Total burden hours     Average cost
                                           respondents  responses      of responses      hours & cost         & total cost           per respondent
                                           \30\         per                              per response
                                                        respondent
                                           (1)          (2)            (1) * (2) = (3)   (4)                  (3) * (4) = (5)        (5) / (1)
---------------------------------------------------------------------------------------------------------------------------------------------------
Change Annual Reporting and Recordkeeping  344          1              344               32.71 hrs.;          11,252.24 hrs.;        $2,845.77
                                                                                         $2,845.77            $978,944.88
Total FERC-725U                            344          1              344               32.71 hrs.;          11,254.24 hrs.;        2,845.77
                                                                                         $2,845.77            $978,944.88
---------------------------------------------------------------------------------------------------------------------------------------------------
[[Page 37850]]
Titles: FERC-725U, Mandatory Reliability Standards for the Bulk
Power System; CIP Reliability Standards.
Action: Compliance update with no changes to Existing Collections
of Information, FERC-725U.
OMB Control Nos.: 1902-0274(FERC-725U).
Respondents: Business or other for profit, and not for profit
institutions.
Frequency of Responses: On occasion.
Necessity of the Information: Reliability Standard CIP-014-3
(Physical Security) is part of the implementation of the Congressional
mandate of the Energy Policy Act of 2005 to develop mandatory and
enforceable Reliability Standards to better ensure the reliability of
the nation's Bulk Power system. Specifically, the revised standard only
changes how the evidence is stored.
Internal Review: The Commission has reviewed NERC's proposal and
determined that its action is necessary to implement section 215 of the
FPA.
27. Interested persons may obtain information on the reporting
requirements by contacting the Federal Energy Regulatory Commission,
Office of the Executive Director, 888 First Street NE, Washington, DC
20426 [Attention: Ellen Brown, email: DataClearance@ferc.gov, phone:
(202) 502-8663].
28. All submissions must be formatted and filed in accordance with
submission guidelines at: <a href="http://www.ferc.gov">http://www.ferc.gov</a>. For user assistance,
contact FERC Online Support by email at ferconlinesupport@ferc.gov, or
by phone at (866) 208-3676 (toll-free).
29. Comments concerning the information collections and
requirements approved and associated burden estimates, should be sent
to the Commission in this docket and may also be sent to the Office of
Management and Budget, Office of Information and Regulatory Affairs
[Attention: Desk Officer for the Federal Energy Regulatory Commission].
OMB submissions must be formatted and filed in accordance with
submission guidelines at <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. Using the
search function under the ``Currently Under Review'' field, select
Federal Energy Regulatory Commission; click ``submit,'' and select
``comment'' to the right of the subject collection.
30. Please refer to the appropriate OMB Control Number(s) 1902-
0274(FERC-725U) in your submission.
V. Document Availability
31. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
internet through the Commission's Home Page (<a href="http://www.ferc.gov">http://www.ferc.gov</a>) and
in the Commission's Public Reference Room during normal business hours
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A,
Washington, DC 20426.
32. From the Commission's Home Page on the internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
33. User assistance is available for eLibrary and the Commission's
website during normal business hours from the Commission's Online
Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at
public.referenceroom@ferc.gov.
The Commission orders:
Reliability Standard CIP-014-3 is hereby approved, as discussed in
the body of this order.
Issued: June 16, 2022.
Debbie-Anne A. Reese,
Deputy Secretary.
[FR Doc. 2022-13464 Filed 6-23-22; 8:45 am]
BILLING CODE 6717-01-P
</pre></body>
</html>