Incentives for Advanced Cybersecurity Investment
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Federal Energy Regulatory Commission is revising its regulations to provide incentive-based rate treatment for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities for the purpose of benefitting consumers by encouraging investments by utilities in Advanced Cybersecurity Technology and participation by utilities in cybersecurity threat information sharing programs, as directed by the Infrastructure Investment and Jobs Act of 2021.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 85 (Wednesday, May 3, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 85 (Wednesday, May 3, 2023)]
[Rules and Regulations]
[Pages 28348-28380]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-08929]
[[Page 28347]]
Vol. 88
Wednesday,
No. 85
May 3, 2023
Part VI
Department of Energy
-----------------------------------------------------------------------
Federal Energy Regulatory Commission
18 CFR Part 35
Incentives for Advanced Cybersecurity Investment; Final Rule
Federal Register / Vol. 88, No. 85 / Wednesday, May 3, 2023 / Rules and Regulations
[[Page 28348]]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 35
[Docket No. RM22-19-000; Order No. 893]
Incentives for Advanced Cybersecurity Investment
AGENCY: Federal Energy Regulatory Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Energy Regulatory Commission is revising its
regulations to provide incentive-based rate treatment for the
transmission of electric energy in interstate commerce and the sale of
electric energy at wholesale in interstate commerce by utilities for
the purpose of benefitting consumers by encouraging investments by
utilities in Advanced Cybersecurity Technology and participation by
utilities in cybersecurity threat information sharing programs, as
directed by the Infrastructure Investment and Jobs Act of 2021.
DATES: This rule is effective July 3, 2023.
FOR FURTHER INFORMATION CONTACT:
David DeFalaise (Technical Information), Office of Electric
Reliability, Federal Energy Regulatory Commission, 888 First Street NE,
Washington, DC 20426, (202) 502-8180, david.defalaise@ferc.gov.
Ryan Maca (Technical Information), Office of Energy Infrastructure
Security, Federal Energy Regulatory Commission, 888 First Street NE,
Washington, DC 20426, (202) 502-6129, ryan.maca@ferc.gov.
Adam Pollock (Technical Information), Office of Energy Market
Regulation, Federal Energy Regulatory Commission, 888 First Street NE,
Washington, DC 20426, (202) 502-8458, adam.pollock@ferc.gov.
Alan J. Rukin (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street NE, Washington,
DC 20426, (202) 502-8502, alan.rukin@ferc.gov.
SUPPLEMENTARY INFORMATION:
TABLE OF CONTENTS
                                                              Paragraph
                                                                numbers
I. Introduction.................................................. 1
II. Background................................................... 3
    A. Infrastructure Investment and Jobs Act of 2021............ 3
        1. Advanced Cybersecurity Technology..................... 4
        2. Cybersecurity Threat Information Sharing Programs..... 7
    B. Study and Report to Congress.............................. 8
    C. NOPR...................................................... 10
III. Discussion.................................................. 17
    A. Cybersecurity Investments................................. 18
        1. Utilities Eligible To Request Rate Incentives for
           Cybersecurity Investments............................. 19
        2. Cybersecurity Investment Definitions.................. 27
        3. Cybersecurity Investment Eligibility Criteria......... 28
    B. Cybersecurity Investment Incentive Requests............... 54
        1. PQ List Approach...................................... 55
        2. Case-by-Case Approach................................. 100
        3. Early Compliance With Approved Reliability Standards.. 112
    C. Cybersecurity Investment Rate Incentives.................. 120
        1. Cybersecurity ROE Incentive........................... 122
        2. Cybersecurity Regulatory Asset Incentive.............. 135
        3. Performance-Based Rates............................... 155
    D. Cybersecurity Investment Incentive Implementation......... 161
        1. Cybersecurity ROE Incentive Duration.................. 161
        2. Cybersecurity Regulatory Asset Incentive Duration and
           Amortization Period................................... 165
        3. Filing Process........................................ 174
        4. Reporting Requirements................................ 192
    E. Other Issues.............................................. 204
        1. Comments.............................................. 204
        2. Commission Determination.............................. 206
IV. Information Collection Statement............................. 207
V. Environmental Analysis........................................ 213
VI. Regulatory Flexibility Act................................... 214
VII. Document Availability....................................... 215
VIII. Effective Date and Congressional Notification.............. 218
I. Introduction
1. In this final rule, the Federal Energy Regulatory Commission
revises its regulations pursuant to section 219A of the Federal Power
Act (FPA) \1\ to add subpart K, consisting of Sec. 35.48, to our
regulations to establish rules for incentive-based rate treatment for
certain voluntary cybersecurity investments \2\ by utilities \3\ as
described in this final rule. These rules make incentive-based rate
treatment available to utilities that make voluntary cybersecurity
investments in Advanced Cybersecurity Technology \4\ that
[[Page 28349]]
enhance their security posture by improving their ability to protect
against, detect, respond to, or recover from a cybersecurity threat and
to utilities that participate in cybersecurity threat information
sharing programs. The Commission is issuing this final rule to comply
with FPA section 219A(c).\5\ This voluntary cybersecurity incentive-
based rate treatment is for the purpose of benefitting consumers by
encouraging cybersecurity investments in Advanced Cybersecurity
Technology and in participation in cybersecurity threat information
sharing programs.\6\
---------------------------------------------------------------------------
\1\ Infrastructure Investment and Jobs Act of 2021, Public Law
117-58, section 40123, 135 Stat. 429, 951 (to be codified at 16
U.S.C. 824s-1) (IIJA).
\2\ In this final rule, the term investments includes
expenditures that can be either capitalized costs or expenses.
\3\ Notwithstanding that FPA section 219A requires the
Commission to offer incentives to public utilities, as discussed in
section III.A.1. of this final rule, we make rate incentives also
available to non-public utilities that have or will have a rate on
file with the Commission, similar to Commission precedent under FPA
section 219, 16 U.S.C. 824s. We intend that all references in this
final rule to utilities include both public utilities and non-public
utilities that have or will have a rate on file with the Commission.
\4\ FPA section 219A(a)(1) defines the term Advanced
Cybersecurity Technology to mean any technology, operational
capability, or service, including computer hardware, software, or a
related asset, that enhances the security posture of public
utilities through improvements in the ability to protect against,
detect, respond to, or recover from a cybersecurity threat. IIJA,
Public Law 117-58, section 40123, 135 Stat. at 951 (to be codified
at 16 U.S.C. 824s-1(a)(1)). FPA section 219A(a)(2) defines the term
Advanced Cybersecurity Technology Information to mean information
relating to advanced cybersecurity technology or proposed advanced
cybersecurity technology that is generated by or provided to the
Commission or another Federal agency. Id. at 952 (to be codified at
16 U.S.C. 824s-1(a)(2)).
\5\ IIJA, Public Law 117-58, section 40123, 135 Stat. at 952 (to
be codified at 16 U.S.C. 824s-1(c)).
\6\ Id.
---------------------------------------------------------------------------
2. We establish a regulatory framework for utilities to request
incentive-based rate treatment for certain voluntary cybersecurity
investments.\7\ Under this framework, we: (1) identify the utilities
permitted to request incentive-based rate treatment for cybersecurity
investments; (2) establish the criteria that the Commission will use to
determine whether a cybersecurity investment is eligible to receive an
incentive-based rate treatment; (3) discuss the approaches that a
utility may use to demonstrate that a cybersecurity investment
satisfies the eligibility criteria; (4) explain the types of incentive-
based rate treatments available for qualifying cybersecurity
investments; (5) set limits on the duration of the incentive-based rate
treatment; (6) describe what utilities must include in their
applications for incentive-based rate treatment for cybersecurity
investments; and (7) establish the annual reporting requirements for
utilities that receive incentive-based rate treatment for their
cybersecurity investments.
---------------------------------------------------------------------------
\7\ Incentives for Advanced Cybersecurity Investment, Notice of
Proposed Rulemaking, 87 FR 60567 (Oct. 6, 2022), 180 FERC ¶ 61,189
(2022) (NOPR).
---------------------------------------------------------------------------
II. Background
A. Infrastructure Investment and Jobs Act of 2021
3. On November 15, 2021, the IIJA was signed into law.\8\ Section
40123 of the IIJA added section 219A to the FPA, which directs the
Commission to revise its regulations to establish, by rule, incentive-
based, including performance-based, rate treatments for the
transmission of electric energy in interstate commerce and the sale of
electric energy at wholesale in interstate commerce by public utilities
for the purpose of benefitting consumers by encouraging investments by
public utilities in Advanced Cybersecurity Technology and participation
by public utilities in cybersecurity threat information sharing
programs.
---------------------------------------------------------------------------
\8\ IIJA, Public Law 117-58, 135 Stat. 429.
---------------------------------------------------------------------------
1. Advanced Cybersecurity Technology
4. Under FPA section 219A(a), an Advanced Cybersecurity Technology
can be a product and/or a service.\9\ Cybersecurity products are
generally hardware, software, and cybersecurity services that can be
used for information technology (IT) systems and/or operational
technology (OT) systems.\10\ Cybersecurity products can include, but
are not limited to, security information and event management systems,
intrusion detection systems, anomaly detection systems, encryption
tools, data loss prevention systems, forensic toolkits, incident
response tools, imaging tools, network behavior analysis tools, access
management systems, configuration management systems, anti-malware
tools, user behavior analytic software, event logging systems, and any
system for access control, identification, authentication, and/or
authorization control.
---------------------------------------------------------------------------
\9\ Id. at 952 (to be codified at 16 U.S.C. 824s-1(c)).
\10\ The National Institute of Standards and Technology (NIST)
glossary defines OT to mean programmable systems or devices that
interact with the physical environment (or manage devices that
interact with the physical environment). These systems/devices
detect or cause a direct change through the monitoring and/or
control of devices, processes, and events. Examples include
industrial control systems, building management systems, fire
control systems, and physical access control mechanisms. NIST,
Computer Security Resource Center, Glossary (Mar. 10, 2022), <a href="https://csrc.nist.gov/glossary">https://csrc.nist.gov/glossary</a>.
---------------------------------------------------------------------------
5. Cybersecurity services may be either automated or manual and can
include, but are not limited to, system installation and maintenance,
network administration, asset management, threat and vulnerability
management, training, incident response, forensic investigation,
network monitoring, data sharing, data recovery, disaster recovery,
network restoration, log analytics, cloud network storage, and any
general cybersecurity consulting service.
6. Under FPA section 219A(a), Advanced Cybersecurity Technology
Information may include, but is not limited to, plans, policies,
procedures, specifications, implementation, configuration, manuals,
instructions, accounting, financials, logs, records, and physical or
electronic access lists related to or regarding the Advanced
Cybersecurity Technology. FPA section 219A(g) states that Advanced
Cybersecurity Technology Information that is provided to, generated by,
or collected by the Federal Government under FPA section 219A
subsections (b), (c), or (f) shall be considered to be critical
electric infrastructure information under FPA section 215A.\11\
Utilities submitting to the Commission Advanced Cybersecurity
Technology Information or other information they believe to be Critical
Energy/Electric Infrastructure Information (CEII) must clearly indicate
which portions of their filing contain CEII and provide public and
non-public versions of the information pursuant to the Commission's
regulations.\12\
---------------------------------------------------------------------------
\11\ IIJA, Public Law 117-58, section 40123, 135 Stat. at 952
(to be codified at 16 U.S.C. 824s-1(g)) (citing 16 U.S.C. 824o-1).
\12\ See 18 CFR 388.113(d)(1)(i)-(ii).
---------------------------------------------------------------------------
2. Cybersecurity Threat Information Sharing Programs
7. FPA section 219A(c) directs the Commission to identify
incentive-based rate treatments that could support participation by
public utilities in cybersecurity threat information sharing programs.
Utilities face barriers to participating in cybersecurity information
sharing programs, such as the high costs associated with implementing
monitoring technology and maintenance of sensor technology, the amount
of time and effort required to share information, incurring fees to
participate in cybersecurity threat information sharing programs, and
concerns regarding the confidentiality of the information once shared.
B. Study and Report to Congress
8. As an initial step in the process of revising the Commission's
regulations, FPA section 219A(b) requires the Commission to conduct a
study, in consultation with certain entities,\13\ to identify
incentive-based rate treatments, including performance-based rates, for
the jurisdictional transmission and sale of electric energy that could
support investments in Advanced Cybersecurity Technology and
participation by public utilities in cybersecurity threat
[[Page 28350]]
information sharing programs.\14\ As directed, Commission staff
consulted with the specified entities to help identify incentive-based
rate treatments that could enhance the security posture of the Bulk-
Power System.\15\
---------------------------------------------------------------------------
\13\ FPA section 219A(b) identifies the following entities: the
Secretary of Energy; North American Electric Reliability Corporation
(NERC); Electricity Subsector Coordinating Council (ESCC); and
National Association of Regulatory Utility Commissioners (NARUC).
\14\ IIJA, Public Law 117-58, section 40123, 135 Stat. at 952
(to be codified at 16 U.S.C. 824s-1(b)).
\15\ The term Bulk-Power System is defined in FPA section 215
and refers to: (1) facilities and control systems necessary for
operating an interconnected electric energy transmission network (or
any portion thereof); and (2) electric energy from generation
facilities needed to maintain transmission system reliability. 16
U.S.C. 824o(a)(1). In the context of developing and determining the
applicability of mandatory Reliability Standards, NERC uses the term
bulk electric system, which NERC defines to generally include the
transmission facilities that are operated at 100 kV or higher and
real power or reactive power resources connected at 100 kV or
higher. See NERC, Glossary of Terms Used in NERC Reliability
Standards (Mar. 8, 2023), <a href="https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf">https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf</a> (NERC Glossary).
---------------------------------------------------------------------------
9. In addition to conducting the study, FPA section 219A(b)
requires the Commission to submit a report to Congress (Report)
detailing the results of the study. On May 13, 2022, the Report was
submitted to Congress.\16\ The Report, among other things, outlined
prior Commission efforts to address incentives for cybersecurity
initiatives. The Report provided information regarding potential
incentive-based rate treatments and the Commission's general ratemaking
authority, including the prior adoption of rate incentives and
performance-based ratemaking in other contexts. In addition, the Report
discussed challenges associated with adopting an incentive-based rate
structure to enhance the security posture of the Bulk-Power System.
---------------------------------------------------------------------------
\16\ FERC, Incentives for Advanced Cybersecurity Technology
Investment (May 2022).
---------------------------------------------------------------------------
C. NOPR
10. On September 22, 2022, the Commission issued the NOPR in this
proceeding, proposing under FPA section 219A to establish rules for
incentive-based rate treatments for certain voluntary cybersecurity
investments by utilities.\17\ The Commission proposed that these rules
would make incentives available to utilities that make certain
cybersecurity investments that enhance their security posture by
improving their ability to protect against, detect, respond to, or
recover from a cybersecurity threat, or that participate in
cybersecurity threat information sharing programs to the benefit of
ratepayers and national security.
---------------------------------------------------------------------------
\17\ NOPR, 180 FERC ¶ 61,189 at P 1.
---------------------------------------------------------------------------
11. First, the Commission proposed a regulatory framework for how a
utility could qualify for incentives for eligible cybersecurity
investments.\18\ Under this framework, the Commission proposed that
eligible cybersecurity investments must: (1) materially improve
cybersecurity through either an investment in Advanced Cybersecurity
Technology or participation in a cybersecurity threat information
sharing program; \19\ and (2) not already be mandated by Critical
Infrastructure Protection (CIP) Reliability Standards, or local, State,
or Federal law.\20\ The Commission proposed that a utility would seek
incentive-based rate treatment for a cybersecurity investment in a
filing pursuant to FPA section 205,\21\ and that the incentive would be
effective no earlier than the date of the Commission order approving
the incentive request.\22\
---------------------------------------------------------------------------
\18\ Id. P 2.
\19\ Id. PP 20-22.
\20\ Id.
\21\ 16 U.S.C. 824d. The Commission noted that a utility would
be permitted to first file a petition for declaratory order to seek
a Commission determination on its eligibility for an incentive, but
the utility would still need to make a filing with the Commission
pursuant to FPA section 205 before adding the incentive-based rate
treatment to its rate on file with the Commission.
\22\ NOPR, 180 FERC ¶ 61,189 at P 24.
---------------------------------------------------------------------------
12. Second, the Commission proposed to evaluate cybersecurity
investments using a list of pre-qualified expenditures that are
determined by the Commission to be eligible for incentives, which would
be posted on the Commission's public website (PQ List).\23\ The
Commission proposed that any cybersecurity investment that is on the PQ
List would be entitled to a rebuttable presumption of eligibility for
an incentive.\24\ With the Commission having evaluated cybersecurity
investments to include on the PQ List in advance of the application for
incentive-based rate treatment, along with the rebuttable presumption,
the Commission postulated that the PQ List approach would provide an
efficient and transparent mechanism for determining appropriate
cybersecurity investments that are eligible for incentives.\25\ The
Commission also discussed and sought comment on a potential alternative
approach, whereby a utility's cybersecurity investment would be
evaluated on a case-by-case basis to determine if it is eligible for an
incentive.\26\
---------------------------------------------------------------------------
\23\ Id. P 25.
\24\ Id. P 26.
\25\ Id. P 27.
\26\ Id. P 32.
---------------------------------------------------------------------------
13. Third, the Commission proposed two potential cybersecurity
incentives: (1) a return on equity (ROE) adder of 200 basis points
(Cybersecurity ROE Incentive); \27\ and (2) deferred cost recovery for
certain cybersecurity investments that enables the utility to defer
expenses and include the unamortized portion in its rate base
(Cybersecurity Regulatory Asset Incentive).\28\
---------------------------------------------------------------------------
\27\ Id. P 36.
\28\ Id. P 39.
---------------------------------------------------------------------------
14. Fourth, the Commission proposed that any approved incentive(s)
would remain in effect for five years from the date on which the
cybersecurity investment(s) enters service or the expenses are
incurred, or expire earlier if certain other conditions discussed in
the NOPR are met before the end of that five year period, e.g., the
cybersecurity investment becomes mandatory.\29\ For continued voluntary
participation in a cybersecurity threat information sharing program,
however, the Commission proposed that utilities be able to continue
deferring these expenses and including them in their rate base for each
annual tranche of expenses, for as long as: (1) the utility continues
incurring costs for its participation in the program; and (2) the
program remains eligible for incentives.\30\ The Commission sought
comment on the proposed duration and expiration conditions for
incentives granted under this proposal.
---------------------------------------------------------------------------
\29\ Id. PP 46-49.
\30\ Id. P 49.
---------------------------------------------------------------------------
15. Finally, the Commission proposed that a utility receiving a
cybersecurity incentive pursuant to the proposed rule must make an
annual informational filing by June 1 of each year following the
receipt of incentive for as long as the utility receives the
incentive.\31\ The Commission proposed that the annual filing should
detail the specific cybersecurity investments that were made pursuant
to the Commission's approval and the corresponding FERC account
used.\32\
---------------------------------------------------------------------------
\31\ Id. PP 54-56.
\32\ See 18 CFR pt. 141.
---------------------------------------------------------------------------
16. The initial comment period for the NOPR ended on November 7,
2022, and the Commission received 27 initial comments. The reply
comment period for the NOPR ended on November 21, 2022, and the
Commission received six reply comments.
III. Discussion
17. To implement the statutory directive in FPA section 219A, we
add subpart K to our regulations, consisting of Sec. 35.48, to
establish the rules for incentive-based rate treatment for utilities
that voluntarily make cybersecurity investments as described in this
final rule. For this final rule, a
[[Page 28351]]
cybersecurity investment includes both expenses and capitalized costs
associated with Advanced Cybersecurity Technology and participation in
a cybersecurity threat information sharing program. In this final rule
we: (1) identify the utilities permitted to request incentive-based
rate treatment for cybersecurity investments; (2) establish the
criteria that the Commission will use to determine whether a
cybersecurity investment is eligible to receive an incentive-based rate
treatment; (3) discuss the approaches that a utility may use to
demonstrate that a cybersecurity investment satisfies the eligibility
criteria; (4) explain the type of incentive-based rate treatment
available for qualifying cybersecurity investments; (5) set limits on
the duration of the incentive-based rate treatment; (6) describe what
utilities must include in their applications for incentive-based rate
treatment for cybersecurity investments; and (7) establish the annual
reporting requirements for utilities that receive incentive-based rate
treatment for their cybersecurity investments.
A. Cybersecurity Investments
18. We establish a structure that allows certain entities to
request rate incentives for cybersecurity investments that satisfy the
eligibility criteria. First, we determine which utilities may request
the cybersecurity incentives. Next, we add definitions that identify
the types of investments for which those utilities could seek
incentive-based rate treatment. Finally, we establish the eligibility
criteria that the Commission will use to determine whether a
cybersecurity investment is eligible for an incentive.
1. Utilities Eligible To Request Rate Incentives for Cybersecurity
Investments
19. FPA section 219A(c) directs the Commission to establish, by
rule, incentive-based rate treatment for the transmission of electric
energy in interstate commerce and the sale of electric energy at
wholesale in interstate commerce by public utilities for the purpose of
benefiting consumers by encouraging cybersecurity investments.\33\
---------------------------------------------------------------------------
\33\ IIJA, Public Law 117-58, section 40123, 135 Stat. at 952
(to be codified at 16 U.S.C. 824s-1(c)).
---------------------------------------------------------------------------
a. NOPR Proposal
20. In the NOPR, the Commission proposed to make rate incentives
available to both public utilities as well as non-public utilities that
have or will have a rate on file with the Commission, similar to
Commission precedent regarding transmission incentives under FPA
section 219.\34\ The Commission explained that it intended that all
references to utilities in the NOPR would include both public utilities
and non-public utilities that have or will have a rate on file with the
Commission.
---------------------------------------------------------------------------
\34\ NOPR, 180 FERC ¶ 61,189 at P 1 n.3 (citing 16 U.S.C. 824s).
---------------------------------------------------------------------------
b. Comments
21. Some commenters discuss the utilities that should or should not
be eligible for cybersecurity incentives. American Public Power
Association (APPA) agrees with the NOPR proposal that non-public
utilities with rates on file with the Commission should be eligible to
receive incentives for qualifying investments.\35\ Electric Power
Supply Association (EPSA) also supports the proposal and argues that
the statutory language in FPA section 219A requires the Commission to
extend the proposed incentives to all utilities whose rates are
regulated by the Commission, including those utilities who recover
their costs through competitive markets.\36\
---------------------------------------------------------------------------
\35\ APPA Initial Comments at 6.
\36\ EPSA Initial Comments at 6-7.
---------------------------------------------------------------------------
22. EPSA contends that Congress did not intend to limit
cybersecurity incentives to utilities with cost-of-service rates on
file with the Commission, but rather intended to make incentive-based
rates available to all utilities, including those with market-based
rates.\37\ EPSA specifically suggests that the Commission establish
formula rates for costs associated with identified incented
cybersecurity investments. Alternatively, EPSA suggests allowing
market-based rate entities to make FPA section 205 filings to recover
the costs of eligible cybersecurity investments.\38\ In contrast,
California Public Utilities Commission and the California Department of
Water Resources State Water Project (California Parties) suggest that
market-based rate sellers or generators should not be eligible for
incentives, so as to avoid interference with competitive markets.\39\
Transmission Access Policy Study Group (TAPS) states that the
Commission should explicitly exclude generators with market-based rates
from incentive eligibility.\40\ APPA urges the Commission to clarify in
the final rule that its proposed incentives are limited to cost-based
rates and not available for wholesale sales made under market-based
rate authority.\41\
---------------------------------------------------------------------------
\37\ Id. at 6.
\38\ Id. at 8.
\39\ California Parties Reply Comments at 13.
\40\ TAPS Initial Comments at 26-27.
\41\ APPA Initial Comments at 22.
---------------------------------------------------------------------------
c. Commission Determination
23. We adopt the NOPR proposal to permit public utilities and non-
public utilities that have or will have a rate on file with the
Commission to seek incentive-based rate treatment for their eligible
cybersecurity investments.\42\
---------------------------------------------------------------------------
\42\ NOPR, 180 FERC ¶ 61,189 at P 1 n.3.
---------------------------------------------------------------------------
24. We add Sec. 35.48(a) to our regulations, which declares that
the purpose of this section is to establish rules for incentive-based
rate treatment for utilities with rates on file with the Commission
that voluntarily make cybersecurity investments. In doing so, we adopt
the NOPR proposal to allow utilities described in FPA section 201(f)
\43\ that have or will have a rate on file with the Commission to be
eligible to receive incentives for cybersecurity investments in the
same manner as public utilities. Accordingly, we add Sec. 35.48(c) to
our regulations, which states that the Commission will authorize
incentive-based rate treatment to public and non-public utilities that
have or will have a rate on file with the Commission for their
voluntary cybersecurity investments, provided that the resulting rate
is just and reasonable and not unduly discriminatory or preferential.
---------------------------------------------------------------------------
\43\ 16 U.S.C. 824(f).
---------------------------------------------------------------------------
25. In FPA section 219A(c), Congress directs the Commission to
offer incentive-based rate treatment for both the transmission of
electric energy in interstate commerce and the sale of electric energy
at wholesale in interstate commerce. This rulemaking satisfies the
statutory requirement of providing the opportunity for public and non-
public utilities to file to seek authorization to recover the cost of
and receive incentive-based rate treatment on eligible cybersecurity
investments.
26. We disagree with EPSA's contentions that utilities that make
sales of energy, capacity, or ancillary services at market-based rates
should be able to continue to make those sales and also separately
recover the costs of, and receive incentive-based rate treatment on,
eligible cybersecurity investments. The Incentive permitted in this
final rule may only be recovered through a cost-of-service rate. As
noted above, the ability to seek incentive-based rate treatment under
this final rule meets the requirements of FPA section 219A.\44\ All
[[Page 28352]]
sellers of energy, capacity, and ancillary services are free to file
cost-of-service rates under FPA section 205. Thus, we note that
utilities currently making sales of energy, capacity, and ancillary
services under market-based rate authority may make a filing to recover
their entire cost of service, including costs of and an incentive on,
eligible cybersecurity investments and proceed to make sales
exclusively under that cost-based rate.\45\
---------------------------------------------------------------------------
\44\ The dissent's criticism correctly notes that FPA section
219A is designed to provide incentives for certain cybersecurity
investments. However, FPA section 219A also requires the Commission
to determine that any rate approved under this rule be just and
reasonable, not unduly discriminatory or preferential. IIJA, Public
Law 117-58, section 40123, 135 Stat. at 952 (to be codified at 16
U.S.C. 824s-1(e)). We agree with TAPS that the recovery of costs and
an incentive as set forth in this final rule is not compatible with
making sales at market-based rates. Therefore, our decision on this
issue seeks to give meaning to all of the provisions of FPA section
219A.
\45\ Cf. PJM Interconnection, L.L.C., 178 FERC ¶ 61,121, at P
115 (2022) (noting generators' ability to choose between selling
capacity at cost-based or market-based rates).
---------------------------------------------------------------------------
2. Cybersecurity Investment Definitions
27. The cybersecurity investments eligible for incentives could
include investments in Advanced Cybersecurity Technology, voluntary
participation in a cybersecurity threat information sharing program, or
both. Accordingly, we add Sec. 35.48(b) to our regulations to define
these and other terms used in that section. We incorporate the
definitions of Advanced Cybersecurity Technology and Advanced
Cybersecurity Technology Information in FPA section 219A(a).\46\
Therefore, we define Advanced Cybersecurity Technology as any
technology, operational capability, or service, including computer
hardware, software, or a related asset, that enhances the security
posture of public utilities through improvements in the ability to
protect against, detect, respond to, or recover from a cybersecurity
threat (as defined in section 102 of the Cybersecurity Act of 2015 (6
U.S.C. 1501)).\47\ We define Advanced Cybersecurity Technology
Information as information relating to Advanced Cybersecurity
Technology or proposed Advanced Cybersecurity Technology that is
generated by or provided to the Commission or another Federal
agency.\48\ In accordance with FPA section 219A(g), Advanced
Cybersecurity Technology Information is considered to be Critical
Electric Infrastructure Information as that term is defined in FPA
section 215A(a)(3) and Sec. 388.113(c)(1) of the Commission's
regulations.\49\ We also define CEII in new subpart K as having the
same meaning as that term is defined in Sec. 388.113 of the
Commission's regulations. In addition, we define Electric Reliability
Organization and Reliability Standard as having the same meanings as
those terms are defined in Sec. 39.1 of the Commission's
regulations.\50\
---------------------------------------------------------------------------
\46\ IIJA, Public Law 117-58, section 40123, 135 Stat. 429, 951
(to be codified at 16 U.S.C. 824s-1(a)(1), (2)).
\47\ Id. (to be codified at 16 U.S.C. 824s-1(a)(1)).
\48\ Id. (to be codified at 16 U.S.C. 824s-1(a)(2)).
\49\ 16 U.S.C. 824o-1(a)(3); 18 CFR 388.113(c)(1).
\50\ 18 CFR 39.1.
---------------------------------------------------------------------------
3. Cybersecurity Investment Eligibility Criteria
a. NOPR Proposal
28. In the NOPR, the Commission proposed that a cybersecurity
investment must satisfy two eligibility criteria to be considered for a
cybersecurity incentive.\51\ First, the cybersecurity investment would
need to materially improve cybersecurity through either an investment
in Advanced Cybersecurity Technology or participation in a
cybersecurity threat information sharing program. Second, the
cybersecurity investment could not already be mandated by CIP
Reliability Standards, or otherwise mandated by local, State, or
Federal law. Additionally, the Commission sought comment on whether,
and if so how, the Commission should evaluate and ensure that the
benefits of the cybersecurity investment exceed the combined costs of
the cybersecurity investment and incentive, to ensure that the proposed
rates are just and reasonable. The Commission also sought comment on
whether these would be the appropriate criteria and whether there are
additional criteria or limitations that the Commission should consider
(e.g., whether the Commission should consider an obligation imposed by
a State commission as a condition for a merger to be ineligible for an
incentive).
---------------------------------------------------------------------------
\51\ NOPR, 180 FERC ¶ 61,189 at P 20.
---------------------------------------------------------------------------
29. The Commission proposed that, in determining which
cybersecurity investments will materially improve a utility's security
posture, the Commission will consider the following sources: (1)
security controls enumerated in the NIST Special Publication (SP) 800-
53 ``Security and Privacy Controls for Information Systems and
Organizations'' catalog; \52\ (2) security controls satisfying an
objective found in the NIST Cybersecurity Framework; \53\ (3) a
specific recommendation from the Department of Homeland Security's
(DHS) Cybersecurity and Infrastructure Security Agency (CISA) or from
the Department of Energy (DOE); \54\ (4) a specific recommendation from
the CISA Shields Up Campaign; \55\ (5) participation in the
Cybersecurity Risk Information Sharing Program (CRISP) or similar
cybersecurity threat information sharing program; and/or (6) the
Cybersecurity Capability Maturity Model (C2M2) Domains \56\ at the
highest Maturity Indicator Level.\57\ The Commission proposed that
using these sources from other agencies responsible for addressing
sophisticated and rapidly evolving cyber threats as qualifiers for the
consideration of incentives would allow the Commission to benefit from
the expertise of other Federal agencies and help ensure that the
cybersecurity investments will be targeted and effective.
---------------------------------------------------------------------------
\52\ NIST, Special Publication 800-53, Revision 5, Security and
Privacy Controls for Information Systems and Organizations, (Dec.
12, 2020), <a href="https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53">https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53</a>.
\53\ See NIST, Cybersecurity Framework, <a href="https://www.nist.gov/cyberframework">https://www.nist.gov/cyberframework</a>.
\54\ See, e.g., CISA, National Cyber Awareness System Alerts,
<a href="https://www.cisa.gov/uscert/ncas/alerts">https://www.cisa.gov/uscert/ncas/alerts</a>.
\55\ See CISA, Shields Up, <a href="https://www.cisa.gov/shields-up">https://www.cisa.gov/shields-up</a>.
\56\ See DOE, Cybersecurity Capability Maturity Model, <a href="https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2">https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2</a>.
\57\ NOPR, 180 FERC ¶ 61,189 at P 21.
---------------------------------------------------------------------------
b. Comments
30. Microsoft Corporation (Microsoft) and the Michigan Public
Service Commission (Michigan Commission) support the proposed
eligibility criteria.\58\ The Office of the Ohio Consumers' Counsel
(Ohio Consumers' Counsel) also supports the proposed eligibility
criteria and recommends that the Commission require utilities to
demonstrate that their eligible expenditures provide quantifiable,
incremental benefits to rate payers that will exceed expenditure
cost.\59\
---------------------------------------------------------------------------
\58\ Microsoft Initial Comments at 1; Michigan Commission
Initial Comments at 5-6.
\59\ Ohio Consumers' Counsel Initial Comments at 4-5.
---------------------------------------------------------------------------
31. Alliant Energy Corporate Services, Inc. (Alliant), the
Interstate Natural Gas Association of America (INGAA), the National
Rural Electric Cooperative (NRECA), and APPA support the proposed
eligibility criterion that a utility must show that a cybersecurity
investment materially improves its cybersecurity posture for its
investment to be eligible for an incentive.\60\ While NRECA supports
the proposed eligibility criterion, it is concerned that ``materially
improves cybersecurity''
[[Page 28353]]
may be too subjective to ensure that cybersecurity investments provide
adequate benefits to customers.\61\ NRECA recommends that the
Commission specify additional criteria or establish a minimum level of
benefit or value a cybersecurity investment would provide to be
eligible.\62\
---------------------------------------------------------------------------
\60\ Alliant Initial Comments at 3-4; INGAA Initial Comments at
3; NRECA Initial Comments at 4-5; APPA Initial Comments at 3.
\61\ NRECA Initial Comments at 4-5.
\62\ Id. at 5.
---------------------------------------------------------------------------
32. The Public Utilities Commission of Ohio's Office of the Federal
Energy Advocate (Ohio FEA) and Edison Electric Institute (EEI) do not
support the proposed eligibility criterion that a cybersecurity
investment must materially improve cybersecurity.\63\ Ohio FEA asserts
that the term ``materially improves'' may be ambiguous and suggests
that the Commission should provide additional detail regarding this
criterion in order to achieve its objective and streamline review of
cybersecurity incentives.\64\ EEI argues that applying a ``materially
improve'' test will lead to subjective and inconsistent results because
it is unclear what additional insights the Commission would reference
beyond the six sources from other agencies to satisfy the
criterion.\65\ EEI argues that the materiality test is not part of the
statutory language and will not necessarily improve the cybersecurity
posture of the filing utility.\66\ EEI recommends that, instead, the
Commission give utilities the flexibility to propose other sources than
the six listed in the NOPR and provide context for why a cybersecurity
investment supports a targeted level of cyber maturity within a broader
cybersecurity risk management and control framework.\67\
---------------------------------------------------------------------------
\63\ EEI Initial Comments at 8; Ohio FEA Initial Comments at 5-
6.
\64\ Ohio FEA Initial Comments at 5-6.
\65\ EEI Initial Comments at 8.
\66\ Id. at 8.
\67\ Id. at 8.
---------------------------------------------------------------------------
33. Ohio FEA supports the Commission referencing other Federal
agencies and activities to determine whether a cybersecurity investment
materially improves cybersecurity but asserts that the final
determination should be based on the specific circumstances of the
filing utility.\68\ INGAA recommends that the Federal Bureau of
Investigation (FBI) and the National Security Agency (NSA) be added to
the sources used to inform the Commission's determination of whether a
particular cybersecurity investment satisfies the first eligibility
criterion.\69\ DOE states that, while the six sources listed in the
NOPR are beneficial and valuable, they are not a comprehensive list of
ways that cybersecurity can be measured.\70\ SecurityScorecard
recommends that international standards such as ISO/IEC 27000 and
Information Systems Audit and Control Association's Control Objectives
for Information and Related Technologies also be considered when
assessing the materiality criteria.\71\
---------------------------------------------------------------------------
\68\ Ohio FEA Initial Comments at 5-6.
\69\ INGAA Initial Comments at 3.
\70\ DOE Reply Comments at 6.
\71\ SecurityScorecard Initial Comments at 4.
---------------------------------------------------------------------------
34. DOE and EEI recommend that the Commission adjust the
eligibility criteria referencing the C2M2 Domains from the highest
Maturity Indicator Level to lower, incremental levels.\72\ DOE and EEI
argue that investments made to reach lower, incremental maturity levels
would be more valuable than overinvestment in unnecessary controls to
reach the highest Maturity Indicator Level.\73\
---------------------------------------------------------------------------
\72\ DOE Reply Comments at 8-9; EEI Initial Comments at 8-9.
\73\ DOE Reply Comments at 8; EEI Initial Comments at 8.
---------------------------------------------------------------------------
35. Most commenters support the idea that expenditures already
mandated by local, State, or Federal law or an enforceable CIP
Reliability Standard should not be eligible for an incentive. EEI,
NRECA, and INGAA support this eligibility criterion as proposed in the
NOPR. Other commenters argue that the proposed criterion should be
expanded to include other types of legally binding agreements or
Reliability Standards.\74\ TAPS, APPA, Ohio FEA, California Parties,
and the Maryland Public Service Commission and Pennsylvania Public
Utility Commission (Maryland and Pennsylvania Commissions) argue that
investments made to satisfy any type of legal obligation should be
ineligible for an incentive, including, for example, remedial measures
as a settlement of NERC compliance violations, a condition of a State
or Federal license, a condition of a merger proceeding, and an
obligation under a cybersecurity insurance policy.\75\ APPA further
recommends that the Commission clarify whether investments are
ineligible if mandated by only CIP Reliability Standards or also by any
other mandatory Reliability Standard.\76\ In addition to an expanded
definition of ``mandated,'' TAPS recommends that the Commission require
a filing utility to attest that a cybersecurity investment for which it
seeks incentives is not being made to satisfy any legal obligation.\77\
---------------------------------------------------------------------------
\74\ TAPS Initial Comments at 9-12; APPA Initial Comments at 13;
Ohio FEA Initial Comments at 6; California Parties Initial Comments
at 20; Maryland and Pennsylvania Commissions Initial Comments at 8.
\75\ TAPS Initial Comments at 12.
\76\ APPA Initial Comments at 13.
\77\ TAPS Initial Comments at 12.
---------------------------------------------------------------------------
36. The North American Electric Reliability Corporation and the six
Regional Entities \78\ (NERC) states that any voluntary incentives
should build upon and complement existing cybersecurity CIP Reliability
Standards.\79\ NERC recommends that the Commission consider the
relationship between voluntary cybersecurity investments and mandatory
CIP Reliability Standards and cautions that it may be a challenge for
the Commission to determine whether a particular investment is mandated
by the CIP Reliability Standards.\80\ NERC explains that, because the
CIP Reliability Standards are outcome oriented and do not prescribe
specific technologies, a utility may file for an incentive that, while
not mandated, is being used to comply with mandatory CIP Reliability
Standards.\81\ TAPS similarly states that the Commission should take a
nuanced approach to assess whether a technology exceeds the CIP
Reliability Standards when a technology has been used to comply with,
but is not specifically mandated by, a CIP Reliability Standard.\82\
NRECA urges the Commission to consider whether it will grant incentives
for cybersecurity expenditures that enhance the cybersecurity of low
impact BES Cyber Systems or only medium or high impact BES Cyber
Systems.\83\
---------------------------------------------------------------------------
\78\ The six Regional Entities include the following: Midwest
Reliability Organization, Northeast Power Coordinating Council,
Inc., ReliabilityFirst Corporation, SERC Reliability Corporation,
Texas Reliability Entity, Inc., and Western Electricity Coordinating
Council.
\79\ NERC Initial Comments at 3.
\80\ Id. at 4.
\81\ Id. at 4-5.
\82\ TAPS Initial Comments at 12.
\83\ NRECA Initial Comments at 5; see NERC Glossary defining BES
Cyber Systems.
---------------------------------------------------------------------------
37. California Parties support the addition of an eligibility
criterion for information-sharing programs that the incentives be
conditioned on utilities participating in all applicable regional and
State cybersecurity initiatives.\84\ DOE recommends that the Commission
establish attributes that the Commission will consider when determining
the eligibility of information-sharing programs for incentives.\85\
---------------------------------------------------------------------------
\84\ California Parties Initial Comments at 5.
\85\ DOE Reply Comments at 10.
---------------------------------------------------------------------------
c. Commission Determination
38. We adopt and modify the NOPR proposal by adding Sec. 35.48(d)
to the Commission's regulations to permit a utility to receive
incentive-based rate
[[Page 28354]]
treatment for a cybersecurity investment. We establish two eligibility
criteria that require that each cybersecurity investment: (1)
materially improves cybersecurity through either Advanced Cybersecurity
Technology or participation in a cybersecurity threat information
sharing program; and (2) is not already mandated by the Reliability
Standards, or otherwise mandated by local, State, or Federal law,
decision, or directive; otherwise legally mandated; or an action taken
in response to a Federal or State agency merger condition, consent
decree from Federal or State agency, or settlement agreement that
resolves a dispute between a utility and a public or private party.\86\
---------------------------------------------------------------------------
\86\ As the dissent points out, FPA section 219A(c) directs the
Commission to establish rate incentives for participation by public
utilities in cybersecurity threat information sharing programs and
investments by public utilities in Advanced Cybersecurity
Technology, which it defines as any technology, operational
capability, or service, including computer hardware, software, or a
related asset, that enhances the security posture of public
utilities through improvements in the ability to protect against,
detect, respond to, or recover from a cyber security threat. Public
Law 117-58, section 40123(a), 135 Stat. 429, 951 (codified 16 U.S.C.
824s-1(c)). FPA section 219A also specifies that such rate
treatments exist for the purpose of benefitting consumers and
requires that the Commission ensure that resulting rates be just and
reasonable. See Public Law 117-58, section 40123(a), 135 Stat. 429,
951 (codified 16 U.S.C. 824s-1(a) & (c)). The materially improves
incentive eligibility criterion seeks to balance these statutory
requirements. Solely focusing on the term enhance may result in the
Commission granting incentives that do not meet these other
statutory requirements mentioned above. It is thus reasonable for
the Commission to exercise its judgement via the materially improves
eligibility criterion to evaluate incentives requests.
---------------------------------------------------------------------------
39. In the NOPR, the Commission identified several sources that the
Commission would consider as part of its evaluation of whether a
cybersecurity investment would materially improve a utility's security
posture, thereby providing quantifiable cybersecurity benefits.\87\
Based on the comments received, we modify the NOPR proposal.
---------------------------------------------------------------------------
\87\ In section III.B., we discuss different methods that
utilities could use to show how their cybersecurity investments
satisfy the eligibility criteria.
---------------------------------------------------------------------------
40. As recommended by INGAA, we find that the Commission should
also consider specific recommendations from the FBI and NSA. Therefore,
we find that, in determining which cybersecurity investments will
materially improve a utility's security posture, the Commission will
consider the following sources: (1) security controls enumerated in the
NIST SP 800-53 ``Security and Privacy Controls for Information Systems
and Organizations'' catalog; \88\ (2) security controls satisfying an
objective found in the NIST Cybersecurity Framework \89\ technical
subcategory; (3) a specific cybersecurity recommendation from a
relevant Federal authority, such as DHS's CISA, the FBI, NSA, or DOE;
\90\ (4) participation in a relevant cybersecurity threat information
sharing program; and/or (5) achieving and sustaining one or more of the
C2M2 Domains at the highest Maturity Indicator Level.\91\ Considering
these sources as part of a Commission determination of whether a
particular cybersecurity investment would materially improve
cybersecurity will allow the Commission to approve objective, targeted,
and effective cybersecurity investments for incentive treatment.\92\
---------------------------------------------------------------------------
\88\ NIST, Special Publication 800-53, Revision 5, Security and
Privacy Controls for Information Systems and Organizations, (Dec.
12, 2020), <a href="https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53">https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53</a>.
\89\ See NIST, Cybersecurity Framework, <a href="https://www.nist.gov/cyberframework">https://www.nist.gov/cyberframework</a>.
\90\ See, e.g., CISA, National Cyber Awareness System Alerts,
<a href="https://www.cisa.gov/uscert/ncas/alerts">https://www.cisa.gov/uscert/ncas/alerts</a>.
\91\ See DOE, Cybersecurity Capability Maturity Model, <a href="https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2">https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2</a>.
\92\ As we discuss in section III.B.1., when considering whether
to add a cybersecurity investment to the PQ List, the Commission
will determine whether the cybersecurity investment would materially
improve cybersecurity for all utilities. As we discuss in section
III.B.2., when evaluating a utility case-by-case application for
incentive-based rate treatment for a particular cybersecurity
investment, the Commission will determine whether the cybersecurity
investment would materially improve cybersecurity for the utility
requesting the incentive-based rate treatment.
---------------------------------------------------------------------------
41. In addition, we agree with DOE's and Ohio FEA's recommendation
that the Commission expand the list of potential eligible cybersecurity
threat information sharing programs beyond CRISP. We clarify that a
utility may seek an incentive for participation in other cybersecurity
threat information sharing programs and the Commission will consider
whether such cybersecurity threat information sharing programs would
qualify for incentive treatment. We will not, as EEI suggests, consider
recommendations other than the five sources described above.
Considering other sources would increase subjectivity and
unpredictability of incentive-based rate treatment of cybersecurity
investments.
42. We agree with DOE's and California Parties' recommendation that
the Commission should establish eligibility criteria or attributes in
evaluating cybersecurity threat information-sharing programs. The
Commission will evaluate any proposed relevant cybersecurity threat
information-sharing program to determine whether the program: (1) is
sponsored by the Federal or State government; (2) provides two-way
communications from and to electric industry and government entities;
and (3) delivers relevant and actionable cybersecurity information to
program participants from the United States electricity industry.
43. We decline to adopt SecurityScorecard's recommendation that the
Commission consider international standards, such as ISO/IEC 27000,
when assessing the materiality criteria. Like NIST SP 800-53, ISO/IEC
27000 provides a catalog of information and cyber-related security
controls. While there are some differences in focus between the two
standards, for the context of determining how to successfully
categorize a cybersecurity investment used to improve the security
posture of a utility, both standards perform similar functions.
Therefore, we believe that considering such international standards in
assessing materiality would be duplicative and unnecessary and we will
not adopt this recommendation. Instead, we will use NIST SP 800-53 as
the foundation of security controls to evaluate whether a cybersecurity
investment materially improves the cybersecurity of a utility because
NIST SP 800-53 was developed by a Federal agency and is publicly
accessible without additional cost.
44. We also decline to adopt DOE and EEI's recommendation that the
Commission provide incentives for any incremental steps taken by
utilities in connection with C2M2 and not just for achieving the
highest Maturity Indicator Level. The C2M2 model contains descriptive
cybersecurity measures at a high level rather than prescriptive
requirements. Therefore, it would be difficult for the Commission to
determine that compliance with incremental steps necessarily materially
improves cybersecurity. For these reasons, we are requiring a utility
to demonstrate that its proposed cybersecurity investments will cause
the utility to achieve Maturity Indicator Level 3 of the C2M2 Domains
rather than the incremental steps of the lower Maturity Indicator
Levels in order to receive an incentive for its cybersecurity
investments.
45. TAPS, APPA, Ohio FEA, California Parties, and the Maryland and
Pennsylvania Commissions request that the Commission ensure that
investments made to satisfy any type of legal obligation be ineligible
for an incentive. The Maryland and Pennsylvania
[[Page 28355]]
Commissions comment that utilities should not receive incentives for
implementing cybersecurity measures that are already made mandatory by
existing and future obligations.\93\ APPA comments that the Commission
should broaden the second eligibility criterion to clarify that
incentives would not be available for cybersecurity investments for
mandatory Reliability Standards and that the Commission should replace
the reference to the CIP Reliability Standards with Reliability
Standards.\94\ We agree with both suggestions. Accordingly, we are
expanding the second eligibility criterion to emphasize the requirement
that the utility must undertake the specific cybersecurity investment
voluntarily in order to receive a cybersecurity incentive pursuant to
our regulations. Our revised Sec. 35.48(d)(2) provides that a
cybersecurity investment is only eligible for an incentive if it is not
already mandated by the Reliability Standards as maintained by the
Electric Reliability Organization, or otherwise mandated by local,
State, or Federal law, decision, or directive; otherwise legally
mandated; or an action taken in response to a Federal or State agency
merger condition, consent decree from Federal or State agency, or
settlement agreement that resolves a dispute between a utility and a
public or private party.\95\
---------------------------------------------------------------------------
\93\ Maryland and Pennsylvania Commissions Initial Comments at
8.
\94\ APPA Initial Comments at 5.
\95\ A mandate must either be for a utility to achieve a
specific outcome or to require a utility to take a prescribed
action. General mandates to improve a utility's cybersecurity may
still make specific cybersecurity investments voluntary for purposes
of the Commission's evaluation of the eligibility criteria.
---------------------------------------------------------------------------
46. Additionally, we recognize the concerns raised by NERC and TAPS
about the difficulty in determining whether a particular cybersecurity
investment is mandatory. Accordingly, as discussed in greater detail in
section III.D.3., we are adopting TAPS's suggestion that, in order to
demonstrate that the specific cybersecurity investment for which the
utility is seeking an incentive is voluntary, the applicant must
include an attestation in its filing so stating.\96\
---------------------------------------------------------------------------
\96\ The attestation must be made by a senior person within the
utility that the utility has authorized to act on behalf of the
utility. One example of a senior person could be the CIP Senior
Manager as NERC defines that term. NERC Glossary at 10 (defining CIP
Senior Manager to mean ``A single senior management official with
overall authority and responsibility for leading and managing
implementation of and continuing adherence to the requirements
within the NERC CIP Standards, CIP-002 through CIP-011.'').
---------------------------------------------------------------------------
47. TAPS raises issues about technologies that both meet and exceed
the Reliability Standards. We recognize that there could be a single
Advanced Cybersecurity Technology that provides multiple security
controls that allow the utility to meet and potentially exceed
compliance with a Reliability Standard. In that instance, where the
utility makes a single cybersecurity investment for security controls
to comply with a Reliability Standard, that investment will not be
incentive-eligible. However, there may be instances where a utility
invests in a single Advanced Cybersecurity Technology that while
complying with a Reliability Standard also provides enhanced
cybersecurity controls that go beyond compliance with a Requirement in
the Reliability Standard. In those instances, only the incremental
investment to exceed the Requirement of the Reliability Standard would
be eligible for an incentive.
48. In response to NRECA's concerns regarding the reliability and
security of low impact BES Cyber Systems, we are not requiring any
eligibility criteria other than the two discussed above. Therefore, low
impact BES Cyber Systems are not excluded from eligibility for
incentive-based rate treatment for cybersecurity investments.
49. We disagree with EEI's conclusion that we should omit
``materially improve'' as the standard for the first eligibility
criterion due to its absence from the statutory language and possible
subjectivity. FPA section 219A requires the Commission to offer
incentives for Advanced Cybersecurity Technology investments and
participation in information-sharing programs. It does not require that
the Commission provide incentives for all Advanced Cybersecurity
Investments or participation in any information-sharing program. FPA
section 219A also requires that the Commission ensure that rates are
just and reasonable and not unduly discriminatory or preferential.\97\
Without a materiality standard in the first criterion (or something
similar), any Advanced Cybersecurity Investment that is not mandatory
would be incentive-eligible, regardless of whether such investments
enhance a utility's security posture or result in just and reasonable
rates. Furthermore, use of such a standard is consistent with
Commission precedent. In Order No. 679, the Commission required
applicants for transmission incentives to show that requested
incentives are tailored to the risks and challenges of individual
projects, even though such a requirement is not included in the
statutory language of FPA section 219.\98\
---------------------------------------------------------------------------
\97\ FPA section 219A(e)(1). FPA section 219A(e)(2) also
prohibits unjust and unreasonable double recovery for Advanced
Cybersecurity Technology. IIJA, Public Law 117-58, section 40123,
135 Stat. at 952 (to be codified at 16 U.S.C. 824s-1(e)(2)).
\98\ See Promoting Transmission Investment Through Pricing
Reform, Order No. 679, 71 FR 43294 (July 31, 2006), 116 FERC ¶
61,057, at P 26, order on reh'g, Order No. 679-A, 72 FR 1152 (Jan.
10, 2007), 117 FERC ¶ 61,345 (2006), order on reh'g, 119 FERC ¶
61,062 (2007).
---------------------------------------------------------------------------
50. We recognize that the materially improves criterion requires
use of Commission subject matter expertise and judgement. In exercising
its subject matter expertise and judgement, the Commission will take
into account the findings of other Federal agencies to inform its
decisions, as described in section III.B.2.c. Although the Commission
seeks to maximize predictability and transparency in its provision of
incentives, some degree of judgement is necessary given the many types
of cybersecurity threats and investments and their rapid evolution. It
is for this reason that we also decline NRECA's request that the
Commission provide additional criteria or a baseline level of benefit.
As discussed in section III.C.3., quantification of benefits may be
difficult for cybersecurity investments, such that a bright line
benefit requirement is inappropriate. In this final rule, we are
establishing eligibility criteria that balance the need to ensure that
incentives are targeted at the most beneficial investments with
recognizing that there are many potential cybersecurity investments
which could provide a wide variety of benefits. We find that overly
prescriptive eligibility criteria may unduly preclude incentive-based
rate treatment of beneficial cybersecurity investments.
51. Although the Commission sought comment on whether, and if so
how, the Commission should evaluate and ensure that the benefits of the
cybersecurity investment exceed the combined costs of the cybersecurity
investment and the incentive, to ensure that the proposed rates are
just and reasonable, we will not at this time predicate incentive
eligibility on such a cost-benefit showing. As the Commission proposed
in the NOPR and we affirm here, the rates, including the costs of any
incentive, must remain within the zone of reasonableness. This is
necessary to ensure that the rates that include incentives for
cybersecurity investments are just and reasonable and not unduly
discriminatory or preferential.
52. Ohio Consumers' Counsel argues that there must be quantifiable,
incremental benefits that can be measured in cost-benefit savings to
consumers. Nevertheless, we find that quantification of the costs and
benefits for each cybersecurity investment is
[[Page 28356]]
neither required nor practical. Such a cost-benefit analysis is
particularly inapt for cybersecurity where benefits are even harder to
identify and quantify than are economic and reliability benefits for
transmission investments. The courts have long recognized that a
primary purpose of the FPA, and its counterpart the Natural Gas Act
(NGA), is to encourage the orderly development of plentiful supplies of
electricity and natural gas at reasonable prices.\99\ To carry out this
purpose, the Commission may consider non-cost factors as well as cost
factors.\100\ Moreover, Congress' enactment of section 219A reflects
its determination that incentives generally can spur cybersecurity
investments and their associated consumer benefits.
---------------------------------------------------------------------------
\99\ Order No. 679, 116 FERC ¶ 61,057 at P 65 (citing Pub. Util.
Comm'n of the State of Cal. v. FERC, 367 F.3d 925, 929 (D.C. Cir.
2004) (citing NAACP v. FPC, 425 U.S. 662, 670 (1976))).
\100\ Id. (citing Permian Basin Area Rate Cases, 390 U.S. 747,
791, 815 (1968); Me. Pub. Utils. Comm'n v. FERC, 454 F.3d 278, 288
(D.C. Cir. 2006)).
---------------------------------------------------------------------------
53. As the Commission proposed in the NOPR, we find that all
cybersecurity investments must satisfy both of the eligibility criteria
in order to be eligible for incentive treatment. In addition, we now
clarify that a utility may not request an incentive for a cybersecurity
investment that the utility has already been incurring for more than
three months prior to the filing of the incentive application, as
discussed in section III.C.2 of this final rule, unless that
cybersecurity investment is for participation in an incentive-eligible
cybersecurity threat information sharing program.
B. Cybersecurity Investment Incentive Requests
54. In order to maximize predictability and transparency in our
provision of incentives, we provide below a framework for evaluating
whether certain cybersecurity investments, including expenses and
capitalized costs, are eligible for a cybersecurity incentive. First,
as the Commission proposed in the NOPR, we include a list of pre-
qualified investments, the PQ List, to identify certain cybersecurity
investments that the Commission finds merit the rebuttable presumption
of eligibility for all utilities and are therefore eligible for
incentive-based rate treatment. We also discuss the procedures that we
will use to update the PQ List. Second, we adopt the cybersecurity
investments proposed in the NOPR for inclusion on the initial PQ List.
Third, we describe how the Commission will evaluate whether a utility's
cybersecurity investments that are not included on the PQ List may be
eligible for incentive-based rate treatment. Finally, we discuss how a
utility can seek incentive-based rate treatment for new cybersecurity
investments made to comply with a Reliability Standard during the
period after the Commission approves a new or modified cybersecurity
Reliability Standard but before that new or modified cybersecurity
Reliability Standard becomes mandatory and enforceable.
1. PQ List Approach
a. Structure of the PQ List
i. NOPR Proposal
55. In the NOPR, the Commission proposed to create a PQ List that
would identify cybersecurity investments that the Commission determined
would satisfy the eligibility criteria.\101\ The Commission proposed
that any cybersecurity investment that the Commission includes on the
PQ List would be entitled to a rebuttable presumption of eligibility
for an incentive.\102\ However, an applicant would still need to
demonstrate, and the Commission would need to find, that the proposed
rate, inclusive of the cybersecurity incentive, is just and reasonable.
The Commission proposed to provide an opportunity for protestors to
rebut this presumption by demonstrating that the cybersecurity
investment did not meet one or more of the eligibility criteria (e.g.,
that, given the unique circumstances of the utility, the expenditure
for which the utility seeks an incentive would not materially improve
cybersecurity or is otherwise mandatory for that utility) or the
Commission could make this finding based on other evidence.
---------------------------------------------------------------------------
\101\ NOPR, 180 FERC ¶ 61,189 at P 25.
\102\ Id. P 26.
---------------------------------------------------------------------------
56. The Commission explained that the PQ List approach would
provide efficiency and transparency benefits.\103\ The utility-specific
incentive filings under the PQ List approach could be substantially
streamlined compared to a case-by-case approach because the Commission
would have pre-reviewed the cybersecurity investments included on the
PQ List for eligibility for incentives.
---------------------------------------------------------------------------
\103\ Id. P 27.
---------------------------------------------------------------------------
57. In the NOPR, the Commission noted the rapidly evolving nature
of cybersecurity threats and solutions and that it expected to
regularly evaluate the PQ List and update it as necessary.\104\ When
updating the PQ List, the Commission could add, modify, or remove
cybersecurity investments to/from the PQ List. The Commission proposed
that it would update the PQ List via a rulemaking, whether sua sponte
or in response to a petition.
---------------------------------------------------------------------------
\104\ Id. P 31.
---------------------------------------------------------------------------
ii. Comments
58. INGAA, Microsoft, TAPS, the Michigan Commission, Ohio
Consumers' Counsel, ITC Companies, APPA, Anterix, Inc. (Anterix), OT
Coalition, Avangrid, Inc. (Avangrid), MISO Transmission Owners, EPSA,
and EEI support the PQ List approach.\105\ OT Coalition, Avangrid, MISO
Transmission Owners, EPSA, and EEI further urge the Commission to
consider using both the PQ List and case-by-case approaches.\106\ ITC
Companies agree with the Commission that the PQ List approach will
decrease the filing and review burden on utilities and the Commission
\107\ while INGAA and Microsoft agree that the PQ List approach will
provide transparency for utilities as to what expenditures will be
eligible for incentives.\108\ Microsoft and Anterix caveat their
support of the PQ List approach by suggesting other items for inclusion
on the PQ List, such as security incident and event monitoring, user
and entity behavior analysis,\109\ and private LTE wireless broadband
communication systems.\110\ TAPS, Michigan Commission, and Ohio
Consumers' Counsel recommend that the PQ List be updated
regularly,\111\ and APPA underscores the need for stakeholders to have
the opportunity to rebut the presumption of eligibility.\112\
---------------------------------------------------------------------------
\105\ INGAA Initial Comments at 4; Microsoft Initial Comments at
2; TAPS Initial Comments at 4; Michigan Commission Initial Comments
at 6; Ohio Consumers' Counsel Initial Comments at 8-9; ITC Companies
Initial Comments at 4-5; APPA Initial Comments at 17; Anterix
Initial Comments at 5; OT Coalition Initial Comments at 2; Avangrid
Initial Comments at 5; MISO Transmission Owners Initial Comments at
6-7; EPSA Initial Comments at 5; EEI Initial Comments at 5.
\106\ OT Coalition Initial Comments at 2; Avangrid Initial
Comments at 5; MISO Transmission Owners Initial Comments at 6-7;
EPSA Initial Comments at 5; EEI Comments at 5.
\107\ ITC Companies Initial Comments at 4-5.
\108\ INGAA Initial Comments at 4; Microsoft Initial Comments at
2.
\109\ Microsoft Initial Comments at 1-2.
\110\ Anterix Initial Comments at 5.
\111\ TAPS Initial Comments at 6; Michigan Commission Initial
Comments at 6; Ohio Consumers' Counsel Initial Comments at 8-9.
\112\ APPA Initial Comments at 5.
---------------------------------------------------------------------------
59. In contrast, Alliant, the Maryland and Pennsylvania
Commissions, and DOE assert that the PQ List approach with its
rebuttable presumption of eligibility will lessen innovation by
encouraging utilities to pursue the same types of cybersecurity
investments (i.e., those on the PQ List), regardless of the utility's
individual
[[Page 28357]]
needs and risks.\113\ California Parties, while not necessarily opposed
to the concept of a PQ List approach, strongly oppose giving filing
utilities a rebuttable presumption of eligibility for expenditures on
the PQ List.\114\ They argue that the burden on a party seeking to
rebut the presumption of eligibility is too great.\115\
---------------------------------------------------------------------------
\113\ Alliant Initial Comments at 4-5; Maryland and Pennsylvania
Commissions Initial Comments at 6.
\114\ California Parties Initial Comments at 28-29.
\115\ Id.; California Parties Reply Comments at 11-12.
---------------------------------------------------------------------------
60. Many commenters raise concerns that finding a balance between
transparency and security will prove challenging for the Commission.
NRECA cautions that a publicly accessible PQ List will alert
adversaries to the cybersecurity activities of utilities and create a
security risk.\116\ Alliant recommends that, if the Commission decides
to proceed with the PQ List approach, it defer to NERC for
identification of technologies and designate the PQ List as CEII to
protect it from public access.\117\ On the other hand, California
Parties and the Maryland and Pennsylvania Commissions underscore the
need for public transparency and access to allow stakeholders to rebut
the presumption of eligibility and utilities to know what types of
expenditures are eligible.\118\
---------------------------------------------------------------------------
\116\ NRECA Initial Comments at 7-8.
\117\ Alliant Initial Comments at 4-5.
\118\ California Parties Initial Comments at 28-29; Maryland and
Pennsylvania Commissions Initial Comments at 5-6.
---------------------------------------------------------------------------
61. Some commenters describe the challenges that maintaining an
updated PQ List will present for the Commission. Ohio FEA and the
Maryland and Pennsylvania Commissions express concern that the
Commission may be unable to maintain a current PQ List, due to the
lengthy regulatory process required,\119\ potentially leading to
overinvestment in outdated measures and underinvestment in cutting edge
technologies.\120\ Most commenters support frequent and regular review
and updates to the PQ List.\121\ EEI recommends that the Commission
commit to reviewing and updating the PQ List on a regular cadence no
less than annually, while Anterix, Avangrid, TAPS, and Ohio Consumers'
Counsel suggest regular and expeditious updates.\122\ TAPS and Ohio
Consumers' Counsel recommend that, when the Commission initiates a
rulemaking to modify the PQ List, it should assess whether existing
expenditures still meet the eligibility criteria in addition to
assessing new additions.\123\
---------------------------------------------------------------------------
\119\ Ohio FEA Initial Comments at 14; Maryland and Pennsylvania
Commissions Initial Comments at 5.
\120\ Maryland and Pennsylvania Commissions Initial Comments at
5.
\121\ Avangrid Initial Comments at 5; EEI Initial Comments at 6-
7; TAPS Initial Comments at 5; Ohio Consumers' Counsel Initial
Comments at 8; Anterix Reply Comments at 4.
\122\ EEI Initial Comments at 6-7; Anterix Reply Comments at 4;
Avangrid Initial Comments at 5; TAPS Initial Comments at 5; Ohio
Consumers' Counsel Initial Comments at 7.
\123\ TAPS Initial Comments at 5; Ohio Consumers' Counsel
Initial Comments at 8.
---------------------------------------------------------------------------
62. California Parties and NRECA emphasize that modifications to
the PQ List should only be made via a full rulemaking process where
stakeholders and customers have the opportunity to comment.\124\
California Parties further argue that the Commission should not expand
the initial PQ List in its final rule without a full notice-and-comment
period for the suggested additions.\125\ TAPS highlights that the
rulemaking process will improve regulatory certainty for utilities and
customers and facilitate participation and input on whether proposed
expenditures meet the eligibility criteria.\126\
---------------------------------------------------------------------------
\124\ NRECA Initial Comments at 8-9; California Parties Initial
Comments at 33-34.
\125\ California Parties Initial Comments at 11-12.
\126\ TAPS Initial Comments at 5.
---------------------------------------------------------------------------
63. Indicated PJM Transmission Owners \127\ and Anterix recommend
that the Commission hold a technical conference to inform its decision
making on reviewing and updating the eligible expenditures on the PQ
List.\128\
---------------------------------------------------------------------------
\127\ Indicated PJM Transmission Owners consist of: American
Electric Power Service Corporation on behalf of its affiliates,
Appalachian Power Company, Indiana Michigan Power Company, Kentucky
Power Company, Kingsport Power Company, Ohio Power Company, Wheeling
Power Company, AEP Appalachian Transmission Company, Inc., AEP
Indiana Michigan Transmission Company, Inc., AEP Kentucky
Transmission Company, Inc., AEP Ohio Transmission Company, Inc., and
AEP West Virginia Transmission Company, Inc.; Dayton Power and Light
Company d/b/a AES Ohio; Dominion Energy Services, Inc. on behalf of
Virginia Electric and Power Company d/b/a Dominion Energy Virginia;
Duke Energy Corporation on behalf of its affiliates Duke Energy
Ohio, Inc., Duke Energy Kentucky, Inc., and Duke Energy Business
Services LLC; Duquesne Light Company; East Kentucky Power
Cooperative; Exelon Corporation; FirstEnergy Service Company, on
behalf of its affiliates American Transmission Systems,
Incorporated, Jersey Central Power & Light Company, Mid-Monongahela
Power Company, Keystone Appalachian Transmission Company, and Trans-
Allegheny Interstate Line Company; PPL Electric Utilities
Corporation; Public Service Electric and Gas Company; Rockland
Electric Company; and UGI Utilities Inc.
\128\ Indicated PJM Transmission Owners Initial Comments at 5;
Anterix Initial Comments at 12-13.
---------------------------------------------------------------------------
iii. Commission Determination
64. We adopt and modify the NOPR's proposal to create a PQ List by
adding Sec. 35.48(e)(1) to the Commission's regulations, which
establishes the framework for a PQ List of cybersecurity investments
that the Commission finds materially improves cybersecurity. We find
that the cybersecurity investments on the PQ List would be entitled to
a presumption of satisfying the eligibility criteria. As proposed in
the NOPR, protestors may seek to rebut this presumption by
demonstrating that, given the unique circumstances of the utility, the
cybersecurity investment on the PQ List would not materially improve
cybersecurity of the utility. We note that the utility would still need
to demonstrate that it would make the cybersecurity investment
voluntarily. In addition, the Commission will not presume anything
about the resulting rates. Utilities seeking an incentive under the PQ
List must still show that the proposed rate, including the
cybersecurity incentive, is just and reasonable and not unduly
discriminatory or preferential.
65. The PQ List approach is also in line with FPA section
219A(d)(2), which allows the Commission to reduce the cybersecurity
risks to the facilities of small or medium-sized public utilities with
limited cybersecurity resources.\129\ While all utilities would benefit
from the reduced filing obligations when requesting incentive treatment
for cybersecurity investments on the PQ List, we expect that this
approach would be particularly beneficial for small and medium-sized
utilities with limited cybersecurity resources.
---------------------------------------------------------------------------
\129\ FPA section 219A(d)(2) provides that the Commission may
provide additional incentives beyond incentive-based rate treatment
in any case which the Commission determines that an investment in
Advanced Cybersecurity Technology or in information sharing program
costs will reduce cybersecurity risks to facilities of small or
medium-sized public utilities with limited cybersecurity resources,
as determined by the Commission. IIJA, Public Law 117-58, section
40123, 135 Stat. at 952 (to be codified at 16 U.S.C. 824s-1(d)(2)).
---------------------------------------------------------------------------
66. We disagree with concerns that including cybersecurity
investments on the PQ List would lessen cybersecurity innovation or
alert adversaries of utility cybersecurity investment. Regarding
lessening innovation, as an initial matter, we note that utilities may
still seek to recover in their rates all prudently incurred
cybersecurity investments. Furthermore, as described in section
III.B.2, we are adding a case-by-case approach that may better incent
cybersecurity investments responding to rapidly evolving threats than
does the PQ List. Regarding concerns about alerting adversaries, we
find that such assertions are speculative and that describing and
providing incentives to broadly beneficial cybersecurity investments
will not in and of itself
[[Page 28358]]
highlight either industry-wide or utility-specific vulnerabilities.
67. We disagree with comments recommending that we designate the PQ
List as CEII. The PQ List does not meet the definition of CEII, because
the list is general in nature and does not reveal specific
vulnerabilities.\130\ As discussed in section III.D.3.c., requests for
incentive-based rate treatment for cybersecurity investments may
include requests for CEII treatment consistent with our
regulations.\131\ As we approve additional PQ List items, we expect
that any future PQ List item will not be more specific than what can be
found in the already publicly available materials, such as the NIST
publications and CIP Reliability Standards. We decline to adopt
Alliant's recommendation that the Commission defer to NERC to identify
eligible technologies for the PQ List. The Commission will evaluate
potential cybersecurity technologies from time to time, and determine,
based on the record evidence, whether it would be appropriate to add
the proposed cybersecurity investments in these technologies to the PQ
List.
---------------------------------------------------------------------------
\130\ See 18 CFR 388.113(c).
\131\ See 18 CFR 388.113.
---------------------------------------------------------------------------
68. We disagree with comments that the PQ List approach places an
undue burden on parties seeking to rebut the presumption of
eligibility. We believe that the PQ List approach appropriately
balances the interests of the utilities and any potential protestors
seeking to rebut the presumption of eligibility. By starting with the
initial PQ List, we have identified specific cybersecurity investments
that we find will materially improve the cybersecurity of utilities
broadly, while enabling protestors to demonstrate that the eligibility
criteria are not met in a utility's particular circumstance.
69. We acknowledge the concerns raised by commenters regarding the
time necessary for the Commission to modify the PQ List. Some
commenters request that the Commission commit to a regular update cycle
for the PQ List. In this final rule, the Commission modifies the
proposed regulation to allow the Commission to post the PQ List on its
website and to update it subject to a notice and comment period or in a
rulemaking. In addition, the case-by-case approach allows the
Commission to evaluate whether a utility's cybersecurity investment
would satisfy the eligibility criteria as to that utility. This means
that utilities would not have to wait for the Commission to update the
PQ List before seeking incentives for cybersecurity investments not yet
included on the PQ List. In response to Indicated PJM Transmission
Owners and Anterix's suggestion to have a technical conference when
considering updates to the PQ List, we note that the Commission will
consider such action when undertaking its periodic PQ List reviews.
b. Initial PQ List
i. NOPR Proposal
70. The Commission proposed to include two eligible cybersecurity
investments on the initial PQ List: (1) expenditures associated with
participation in CRISP; \132\ and (2) expenditures associated with
internal network security monitoring within the utility's cyber
systems, which could include IT cyber systems and/or OT cyber systems,
and which could be associated with cyber systems that may or may not be
subject to the Reliability Standards.\133\ The Commission believed that
these cybersecurity investments would materially improve cybersecurity
\134\ and were not already mandated by the Reliability Standards \135\
or otherwise mandated by Federal law. The Commission proposed to
include CRISP, as its purpose is to facilitate the timely bi-
directional sharing of unclassified and classified threat information
and development of situational awareness tools that enhance the energy
sector's ability to identify, prioritize, and coordinate the protection
of critical infrastructure and key resources.\136\
---------------------------------------------------------------------------
\132\ See DOE, Energy Sector Cybersecurity Preparedness, <a href="https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness">https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness</a>.
\133\ NOPR, 180 FERC ¶ 61,189 at P 28.
\134\ E.g., both participation in CRISP and internal network
security monitoring would fall under recommendations in the NIST SP
800-53 ``Security and Privacy Controls for Information Systems and
Organizations'' catalog.
\135\ The Commission noted in the NOPR that it had already
proposed to require NERC to develop and submit for Commission
approval a mandatory Reliability Standard regarding internal network
analysis and monitoring technologies for high and medium impact bulk
electric system cyber systems. See NOPR, 180 FERC ¶ 61,189 at P 28
n.26 (citing Internal Network Sec. Monitoring for High & Medium
Impact Bulk Elec. Sys. Cyber Syss., Notice of Proposed Rulemaking,
87 FR 4173 (Jan. 27, 2022), 178 FERC ¶ 61,038 (2022)). The
Commission has since issued a final rule directing NERC to develop
and submit for Commission approval a Reliability Standard that
addresses internal network security monitoring for high impact bulk
electric system cyber systems and medium impact bulk electric system
cyber systems with external routable connectivity. Internal Network
Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber
Syss., Order No. 887, 88 FR 8354 (Feb. 9, 2023), 182 FERC ¶ 61,021
(2023).
\136\ DOE, Energy Sector Cybersecurity Preparedness, <a href="https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness">https://www.energy.gov/ceser/energy-sector-cybersecurity-preparedness</a>.
---------------------------------------------------------------------------
71. The Commission also proposed to include internal network
security monitoring on the PQ List because internal network security
monitoring may better position a utility to detect malicious activity
that has circumvented perimeter controls.\137\ The Commission observed
that, while the currently effective Reliability Standards do not
require internal network security monitoring, NERC has recognized the
proliferation and usefulness of such technology.\138\ The Commission
also sought comments on whether to include any additional cybersecurity
investments on the initial PQ List.
---------------------------------------------------------------------------
\137\ NOPR, 180 FERC ¶ 61,189 at P 29.
\138\ Id. (citing NERC, ERO Enterprise CMEP Practice Guide:
Network Monitoring Sensors, Centralized Collectors, and Information
Sharing, 1 (June 4, 2021), <a href="https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/CMEP%20Practice%20Guide%20-%20Network%20Monitoring%20Sensors.pdf">https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/CMEP%20Practice%20Guide%20-%20Network%20Monitoring%20Sensors.pdf</a> (explaining that NERC
developed the guide in response to a DOE initiative ``to advance
technologies and systems that will provide cyber visibility,
detection, and response capabilities for [industrial control
systems] of electric utilities.'').
---------------------------------------------------------------------------
ii. Comments
72. NERC, DOE, and Microsoft support the inclusion of CRISP on the
PQ List.\139\ EEI and American Electric Power Service Corporation (AEP)
support incentives for both new and existing participants of
CRISP.\140\ EEI argues that, because participation in cybersecurity
threat information sharing programs is an ongoing action and CRISP
participants have to occasionally upgrade technology, existing
participants should be eligible to receive an incentive.\141\
---------------------------------------------------------------------------
\139\ NERC Initial Comments at 3; DOE Reply Comments at 7;
Microsoft Initial Comments at 2.
\140\ EEI Initial Comments at 11; EEI Reply Comments at 5. AEP
Initial Comments at 4.
\141\ EEI Initial Comments at 11; EEI Reply Comments at 5.
---------------------------------------------------------------------------
73. APPA and California Parties oppose the Commission providing
incentives for existing CRISP participants.\142\ APPA and California
Parties argue that an incentive must be an inducement for future action
and cannot provide an incentive for actions already taken, such as
recovery of an incentive for ongoing participation in CRISP if a
utility is already a participant.\143\ APPA further adds that CRISP
participants report high satisfaction with the program and thus do not
need an incentive to continue participation.\144\ The Maryland and
Pennsylvania Commissions and California Parties note that most major
[[Page 28359]]
investor-owned utilities are already part of CRISP, whether
individually or as members of a respective regional transmission
organization or independent system operator.\145\
---------------------------------------------------------------------------
\142\ APPA Initial Comments at 5; California Parties Initial
Comments at 10; California Parties Reply Comments at 8-9.
\143\ APPA Initial Comments at 12-13; California Parties Initial
Comments at 10; California Parties Reply Comments at 8-9.
\144\ APPA Initial Comments at 13-14.
\145\ Maryland and Pennsylvania Commissions Initial Comments at
9; California Parties Initial Comments at 7-8.
---------------------------------------------------------------------------
74. EEI, UMass Lowell Applied Research Corporation (UMLARC), Ohio
FEA, and Microsoft recommend that the Commission consider for inclusion
on the PQ List additional eligible cybersecurity threat information
sharing programs.\146\ EEI recommends that the PQ List be expanded to
include other federally funded or supported cybersecurity threat
information sharing programs,\147\ while Ohio FEA suggests that the
National Cyber Security Division cyber-response programs under DHS
should be included in the PQ List.\148\ Microsoft recommends modifying
the proposed language to be solution-neutral and outcome-focused to
accommodate other timely bi-directional threat information-sharing
programs.\149\
---------------------------------------------------------------------------
\146\ EEI Initial Comments at 6; UMLARC Initial Comments at 4;
Ohio FEA Initial Comments at 7-8; Microsoft Initial Comments at 2.
\147\ EEI Initial Comments at 6.
\148\ Ohio FEA Initial Comments at 7-8.
\149\ Microsoft Initial Comments at 2.
---------------------------------------------------------------------------
75. Microsoft and EEI support the inclusion of internal network
security monitoring on the initial PQ List.\150\ EEI further recommends
that the Commission broaden the eligibility for incentives to
cybersecurity capabilities across protective and detective controls,
not only those limited to internal network security monitoring.\151\
Similarly, SecurityScorecard suggests that the Commission broaden its
focus from internal network security monitoring to continuous
monitoring so as to secure both the perimeter and internal
network.\152\ Microsoft supports eligible expenditures associated with
internal network security monitoring as cybersecurity best practices
consistent with a Zero Trust security model, including technologies
associated with asset discovery, inventory and management, network
monitoring, traffic classification, and behavior analytics within the
internal environment.\153\
---------------------------------------------------------------------------
\150\ Id.; EEI Initial Comments at 5.
\151\ EEI Initial Comments at 5.
\152\ SecurityScorecard Initial Comments at 6.
\153\ Microsoft Initial Comments at 2.
---------------------------------------------------------------------------
76. While acknowledging the cybersecurity benefits of internal
network security monitoring, APPA and California Parties do not support
its inclusion on the PQ List.\154\ California Parties state that
utilities have sufficient financial incentives to allocate funding
towards internal network security monitoring through the Commission's
existing cost recovery mechanisms, and that mandatory CIP Reliability
Standards are better suited than incentives for facilitating widespread
adoption of internal network security monitoring.\155\ APPA argues that
internal network security monitoring is not a category of expenditures
that can be presumed to materially improve cybersecurity prior to
agreement on best practices.\156\ In their reply comments, California
Parties echo APPA's concerns and note the lack of consensus between
commenters as to what qualifies as internal network security
monitoring.\157\
---------------------------------------------------------------------------
\154\ APPA Initial Comments at 18; California Parties Initial
Comments at 13-14.
\155\ California Parties Initial Comments at 13-14.
\156\ APPA Initial Comments at 18.
\157\ California Parties Reply Comments at 10.
---------------------------------------------------------------------------
77. NERC notes that the CIP Reliability Standards are technology-
neutral and do not prescribe specific technological methods, tools, or
approaches to reach compliance.\158\ NERC states that utilities and
other NERC-registered entities may already be using internal network
security monitoring in combination with other tools or processes to
comply with Reliability Standards and therefore cautions that it may be
difficult to determine whether a particular cybersecurity investment is
mandatory for purposes of analyzing the second eligibility criterion.
---------------------------------------------------------------------------
\158\ NERC Initial Comments at 4-5.
---------------------------------------------------------------------------
78. UMLARC argues that defense communities face particular
cybersecurity risks. UMLARC explains that certain defense communities
are implementing community cyber force pilot programs. UMLARC
recommends that the Commission place community cyber forces for
information-sharing programs on the PQ List, while noting that these
programs are still in pilot phases.\159\
---------------------------------------------------------------------------
\159\ UMLARC Initial Comments at 4.
---------------------------------------------------------------------------
79. NERC recommends that the Commission consider the deployment of
sensors as part of an operational technology visibility program,
administered by the Electricity Information Sharing and Analysis Center
(E-ISAC), for inclusion on the PQ List.\160\ Microsoft, MISO
Transmission Owners,\161\ and EEI support the inclusion of internal
network security monitoring on the PQ List but recommend that internal
network security monitoring expenditures be consistent with a Zero
Trust security model.\162\ EEI suggests that technology and processes
to implement, manage, and monitor user and endpoint behavioral analysis
be added to the PQ List.\163\
---------------------------------------------------------------------------
\160\ NERC Initial Comments at 4.
\161\ MISO Transmission Owners consist of: Ameren Services
Company, as agent for Union Electric Company d/b/a Ameren Missouri,
Ameren Illinois Company d/b/a Ameren Illinois and Ameren
Transmission Company of Illinois; American Transmission Company LLC;
Big Rivers Electric Corporation; Central Minnesota Municipal Power
Agency; City Water, Light & Power (Springfield, IL); Cleco Power
LLC; Dairyland Power Cooperative; Duke Energy Business Services, LLC
for Duke Energy Indiana, LLC; East Texas Electric Cooperative;
Entergy Arkansas, LLC; Entergy Louisiana, LLC; Entergy Mississippi,
LLC; Entergy New Orleans, LLC; Entergy Texas, Inc.; Great River
Energy; GridLiance Heartland LLC; Hoosier Energy Rural Electric
Cooperative, Inc.; Indiana Municipal Power Agency; Indianapolis
Power & Light Company; Lafayette Utilities Systems; MidAmerican
Energy Company; Minnesota Power (and its subsidiary Superior Water,
L&P); Montana-Dakota Utilities Co.; Northern Indiana Public Service
Company LLC; Northern States Power Company, a Minnesota corporation,
and Northern States Power Company, a Wisconsin corporation,
subsidiaries of Xcel Energy, Inc.; Northwestern Wisconsin Electric
Company; Otter Tail Power Company; Prairie Power, Inc.; Republic
Transmission, LLC; Southern Illinois Power Cooperative; Southern
Indiana Gas & Electric Company (d/b/a CenterPoint Energy Indiana
South); Southern Minnesota Municipal Power Agency; Wabash Valley
Power Association, Inc.; and Wolverine Power Supply Cooperative,
Inc.
\162\ Microsoft Initial Comments at 2; MISO Transmission Owners
Initial Comments at 6-7; EEI Initial Comments at 5-6.
\163\ EEI Initial Comments at 5-6.
---------------------------------------------------------------------------
80. DOE states that the PQ List should be expanded to include other
information sharing programs, and that the Commission should also permit
case-by-case evaluation of other investments.\164\ When considering whether to
expand eligible information-sharing programs on the PQ List, DOE
recommends that the Commission consider whether investments for
participating in other Department-led cybersecurity programs, such as
C2M2, materially improve the security posture of the utility.\165\ DOE
suggests the specific inclusion of the Cybersecurity for the
Operational Technology Environment program on the PQ List.\166\ EEI
broadly suggests that the Commission expand the PQ List to include
other federally funded or supported cybersecurity threat information
sharing programs.\167\
---------------------------------------------------------------------------
\164\ DOE Reply Comments at 6-12.
\165\ Id. at 10.
\166\ Id.
\167\ EEI Initial Comments at 6.
---------------------------------------------------------------------------
81. Anterix recommends that the Commission include expenditures for
private LTE wireless broadband communication systems as an item
eligible for incentives on the PQ List.\168\ MISO Transmission Owners
and International Transmission Companies
[[Page 28360]]
(ITC Companies) \169\ recommend that the Commission add expenditures
for utility-owned private fiber networks to the PQ List, as well as
expenditures made to upgrade or replace legacy operating systems.\170\
They further suggest that the Commission should expand the PQ List to
include advanced cybersecurity expenditures to address physical
security, such as biometric identification, access cards or access
control systems.\171\
---------------------------------------------------------------------------
\168\ Anterix Initial Comments at 5.
\169\ ITC Companies d/b/a ITCTransmission, Michigan Electric
Transmission Company, LLC, ITC Midwest LLC, and Great Plains, LLC.
\170\ MISO Transmission Owners Initial Comments at 6-7; ITC
Companies Initial Comments at 5-6.
\171\ MISO Transmission Owners Initial Comments at 6-7; ITC
Companies Initial Comments at 5-6.
---------------------------------------------------------------------------
82. Microsoft and EEI both recommend inclusion of user and endpoint
behavioral analysis.\172\ Avangrid and the Operational Technology
Cybersecurity Coalition (OT Coalition) advocate for the addition of
hardware and software risk management tools aimed at helping identify
cybersecurity threats to suppliers and vendors.\173\ MISO Transmission
Owners additionally propose that the Commission expand the PQ List to
include cybersecurity expenditures such as for DHS's CyberSentry
hardware and software.\174\
---------------------------------------------------------------------------
\172\ Microsoft Initial Comments at 2; EEI Initial Comments at
6-7.
\173\ Avangrid Initial Comments at 6; OT Coalition Initial
Comments at 3.
\174\ MISO Transmission Owners Initial Comments at 6.
---------------------------------------------------------------------------
83. Microsoft recommends expanding the PQ List to include cloud-
enabled security solutions, threat intelligence, vulnerability
assessment, access control and privileged access management, endpoint
detection and response, firewall and network management, and
multifactor authentication and biometrics.\175\ EEI suggests that the
Commission consider adding technology and processes to develop threat
hunting capability within IT and OT environments (e.g., incident
response retainer fees, penetration tests, or vulnerability
assessments; secure coding practices and consulting services to
navigate Software Bill of Materials requirements; and data loss
prevention capabilities).\176\
---------------------------------------------------------------------------
\175\ Microsoft Initial Comments at 2.
\176\ EEI Initial Comments at 5-6.
---------------------------------------------------------------------------
iii. Commission Determination
84. We adopt and modify the NOPR's proposal and add Sec.
35.48(e)(1) to the Commission's regulations to include two
cybersecurity investments on the initial PQ List: (1) cybersecurity
investments associated with participation in CRISP and (2)
cybersecurity investments associated with internal network security
monitoring within the utility's cyber systems. We find that both of
these cybersecurity investments satisfy the eligibility criteria and
both merit the rebuttable presumption.
85. First, we include cybersecurity investments associated with a
utility's participation in CRISP. We find that a utility's
participation in CRISP materially improves cybersecurity because it
involves utility participation in a cybersecurity threat information
sharing program. We note that such participation falls under the
recommendations in the NIST SP 800-53 Security and Privacy Controls for
Information Systems and Organizations catalog. In addition, CRISP: (1)
is facilitated by the Federal Government; (2) provides two-way
communications from and to electric industry and government entities;
and (3) delivers relevant and actionable cybersecurity information to
participants within the United States electricity industry. Having
found that participation in CRISP satisfies the first eligibility
criterion, we include it on the initial PQ List.
86. We are aware that many, but not all, utilities already
participate in CRISP. Our inclusion of CRISP on the initial PQ List
reflects the mandate in FPA section 291A(c) to establish incentive-
based rate treatments by encouraging participation in cybersecurity
threat information sharing programs. The mandate to incentivize
participation indicates that all CRISP participants, not just new
entrants, should be eligible to seek an incentive for any new
cybersecurity investment associated with their participation, so long
as that participation is voluntary.
87. Second, we include cybersecurity investments associated with a
utility's investment in internal network security monitoring within the
utility's cyber systems. As the Commission explained in the NOPR, a
utility's cybersecurity investments associated with internal network
security monitoring could include IT cyber systems and/or OT cyber
systems and could be associated with cyber systems that may or may not
be subject to the Reliability Standards.
88. We find that cybersecurity investments associated with internal
network security monitoring within the utility's cyber systems
materially improve cybersecurity because they are investments in
Advanced Cybersecurity Technology. Internal network security monitoring
falls under the recommendations in the NIST SP 800-53 Security and
Privacy Controls for Information Systems and Organizations catalog.
Having found that cybersecurity investments associated with internal
network security monitoring within the utility's cyber systems
satisfy the first eligibility criterion, we will include them on the
initial PQ List.
89. NERC observes that some utilities may already use internal
network security monitoring as part of their compliance with
Reliability Standards and therefore cautions that it may be difficult
to determine whether a particular cybersecurity investment is mandatory
for purposes of determining whether such expenditures would qualify for
incentive-based rate treatment. We have addressed this concern
primarily in section III.A.3.c., and we reiterate that a utility's
cybersecurity investments, including internal network security
monitoring, made to comply with a Reliability Standard, will not be
incentive-eligible because the utility did not make those investments
voluntarily. However, there may be instances where a utility invests in
internal network security monitoring that while complying with a
Reliability Standard also provides enhanced cybersecurity protections
that go beyond compliance with a Requirement in the Reliability
Standard.\177\ Those incremental cybersecurity investments in internal
network security monitoring that go beyond compliance with a
Requirement in a Reliability Standard would be eligible for incentive-
based rate treatment provided that the utility demonstrates that the
incremental cybersecurity investments satisfy the eligibility
criteria.\178\ With regard to NERC's concern regarding the potential
difficulty of discerning which cybersecurity investments for internal
network security monitoring qualify for incentive-based rate treatment,
it is incumbent upon the utility to demonstrate in its filing seeking
an incentive that the associated expenses are for new internal network
security monitoring that is in addition to its preexisting
cybersecurity programs and go beyond compliance with a Requirement in
the Reliability Standard.
---------------------------------------------------------------------------
\177\ See infra section III.C.2.c. (discussing the availability
of incentive-based rate treatment for new cybersecurity
investments).
\178\ We discuss in section III.D.3.c. the types of information
that a utility would need to include in its filing of a request for
incentive-based rate treatment for its cybersecurity investment. A
utility seeking an incentive-based rate treatment for the
incremental voluntary portion of its cybersecurity investment would
need to identify its additional, voluntary cybersecurity investments
that exceed the legal requirement. The utility would also need to
distinguish the portion of the cybersecurity investment it made to
comply with a legal requirement from the voluntary portion.
---------------------------------------------------------------------------
90. We decline at this time to add any additional cybersecurity
investments to
[[Page 28361]]
the initial PQ List. Because of the rebuttable presumption afforded to
items on the PQ List, it is important that the Commission have a high
degree of confidence that such items will likely materially improve
cybersecurity for all utilities. While many of the additional
cybersecurity investments commenters suggest to include on the initial
PQ List may indeed be beneficial investments that would improve
cybersecurity, we find that suggestions offered by commenters either
lack sufficient evidence to show they will materially improve
cybersecurity across all utilities or lack sufficient specificity to be
included on the PQ List at this time.
91. As discussed in section III.B.1.a., the Commission will, from
time to time, evaluate whether it would be appropriate to modify the PQ
List. As the Commission updates the PQ List over time, entities may
propose to add the items that the Commission does not accept in this
final rule as well as other items, assuming that the entities can
provide adequate support as to why it is appropriate to include these
items. We also note that we are adding a case-by-case approach in
addition to the PQ List approach, and utilities can seek an incentive
for these investments on an individual basis, albeit without the
presumption of eligibility.
92. In response to SecurityScorecard's suggestion that the
Commission broaden its focus from internal network security monitoring
to continuous monitoring, we do not agree that the PQ List should be so
expanded at this time, as we note that the CIP Reliability Standards
already mandate perimeter monitoring in some form. In response to
Microsoft and EEI's suggestions, we recognize the benefits of both the
Zero Trust security model and deploying Security Information and Event
Management processes. However, both are considered to be frameworks
that guide cybersecurity investments rather than specific cybersecurity
investments themselves. We note that the Commission could consider
providing incentives to specific applications of either the Zero Trust
security model or Security Information and Event Management on a case-
by-case basis, and, in the future, the Commission could consider adding
specific applications of these concepts to the PQ List.
93. We disagree with UMLARC that community cyber force
informational-sharing programs should be on the PQ List. Community
cyber forces are currently pilot programs. By their nature as pilot
programs, community cyber forces do not have standardized specific
attributes, nor do they have a proven track record for placement on a
pre-qualified list. Given that we do not have a clear understanding of
these pilot programs or any associated investments, at this time, we
decline to add community cyber forces to the PQ List.
94. We disagree with Anterix, MISO Transmission Owners, and ITC
Companies' proposals to include investments in private communication
systems such as LTE wireless and fiber networks on the PQ List. The use
of private communication systems does not necessarily provide a
cybersecurity benefit because the data transiting those networks may
not be encrypted, so their confidentiality is not assured.
95. The MISO Transmission Owners recommend that the Commission
consider adding expenditures associated with the Department of Homeland
Security's CyberSentry hardware and software to the PQ List.\179\
CyberSentry is a pilot program, and the record in this proceeding does
not include enough evidence for us to determine whether CyberSentry
would materially improve the cybersecurity of all utilities.
Nevertheless, CyberSentry uses sensors to monitor the IT and OT
networks for cybersecurity threats, and these cybersecurity investments
may therefore already be eligible for incentive-based rate treatment as
internal network security monitoring.
---------------------------------------------------------------------------
\179\ Department of Homeland Security, ICS Security Offerings
Fact Sheet, <a href="https://www.cisa.gov/sites/default/files/publications/ics_security_offerings_fact_sheet_S508C.pdf">https://www.cisa.gov/sites/default/files/publications/ics_security_offerings_fact_sheet_S508C.pdf</a> (explaining that
``CyberSentry is a voluntary pilot program that leverages best in
breed, commercial off-the-shelf technologies, such as network
intrusion detection tools, to identify malicious activity in
Critical infrastructure (CI) ICS and corporate networks. CyberSentry
participation increases real-time visibility into U.S. CI and
provides the capability to detect nation-state adversaries on CI
networks and derive cross-sector analytic insights.'').
---------------------------------------------------------------------------
96. DOE recommends that the Commission consider including the
Cybersecurity for the Operational Technology Environment
(CyOTE<SUP>TM</SUP>) program on the PQ List. According to DOE, this
program enhances OT threat information-gathering for the energy
sector.\180\ CyOTE is currently under development, and the record in
this proceeding does not include enough evidence for us to determine
whether cybersecurity investments associated with CyOTE would
materially improve cybersecurity for all utilities. We find that MISO
Transmission Owners' and ITC Companies' proposals to include
investments made for physical access control systems, access cards, and
biometrics are beyond the scope for this proceeding because they are
not investments in Advanced Cybersecurity Technology or related to
participation in a cybersecurity threat information sharing program.
MISO Transmission Owners and ITC Companies also propose including
investments for upgrading or replacing legacy systems. We find there is
insufficient evidence in the record to determine whether the specific
applications could be considered cybersecurity investments.
Accordingly, we decline to include these investments on the PQ List.
---------------------------------------------------------------------------
\180\ DOE, Cybersecurity for the Operational Technology
Environment (CyOTE), <a href="https://www.energy.gov/ceser/cybersecurity-operational-technology-environment-cyote">https://www.energy.gov/ceser/cybersecurity-operational-technology-environment-cyote</a> (stating that CyOTE is a
``research initiative, led by CESER in partnership with Idaho
National Laboratory and energy sector partners, aims to develop
tools and capabilities that can provide energy asset owners and
operators with timely alerts and actionable information.'').
---------------------------------------------------------------------------
97. Cybersecurity investments in Advanced Cybersecurity Technology
included on the PQ List must include at least one specific security
control that materially improves the cybersecurity of all utilities,
thus meriting a rebuttable presumption. We find that the proposals from
Microsoft and EEI to expand the PQ List to cover a broader set of
advanced cybersecurity solutions such as threat intelligence,
vulnerability management, access control, and others are vague and lack
the specificity needed to establish a record for inclusion on the PQ
List. Proposals from Avangrid and the OT Coalition to include
investments for hardware and software risk management tools similarly
lack specificity. We therefore decline to include these investments on
the PQ List at this time.
98. While proposals from EEI to consider investments related to
threat hunting, penetration tests, and consulting services for Software
Bill of Materials requirements describe efforts to detect cybersecurity
vulnerabilities, they also lack specificity with regard to mitigation
and remediation of identified deficiencies. Microsoft and EEI both
propose including investments for user and endpoint behavioral
analysis, and NERC proposes including investments for the deployment of
OT sensors. However, commenters do not demonstrate that these items are
different in scope than what is already covered by internal network
security monitoring on the PQ List. Therefore, we decline to include
these investments on the PQ List at this time.
99. As discussed in section III.B.1.a., the Commission will, from
time to time, evaluate whether it would be appropriate to modify the PQ
List. We also note that, because we are adding a case-by-case approach
in addition to the PQ List approach, utilities can seek an incentive
for investments not identified
[[Page 28362]]
on the PQ List, albeit without the presumption of eligibility.
2. Case-by-Case Approach
a. NOPR Proposal
100. In the NOPR, the Commission recognized the limitations of only
adopting the PQ List approach and sought comment on whether and, if so,
how it should implement a case-by-case approach to grant
incentives.\181\ The Commission explained that it could permit a
utility to file for incentive-based rate treatment for any
cybersecurity investment that the utility believes satisfies the
eligibility criteria, and that the Commission would review such filings
on a case-by-case basis, to determine whether the proposed
cybersecurity expenditure satisfies the eligibility criteria.
---------------------------------------------------------------------------
\181\ NOPR, 180 FERC ¶ 61,189 at P 32.
---------------------------------------------------------------------------
101. The Commission further explained that its evaluation of a
utility's application under the case-by-case approach would differ from
its evaluation of a filing seeking incentives for items on the PQ List,
although the eligibility criteria would be the same under either
approach. Specifically, the case-by-case application would not receive
a presumption of eligibility for any cybersecurity investment and the
utility would bear the full burden to demonstrate in its filing that
its cybersecurity investment meets the eligibility criteria. Just as it
would in a filing for incentive treatment of a cybersecurity investment
on the PQ List, the filing utility would also need to demonstrate that
its proposed rate, inclusive of the incentive, is just and reasonable.
b. Comments
102. OT Coalition, Avangrid, MISO Transmission Owners, EPSA, INGAA,
EEI, Microsoft, Ohio Consumers' Counsel, Anterix, and DOE support the
adoption of a case-by-case approach in addition to the PQ List
approach.\182\ Alliant and the Maryland and Pennsylvania Commissions
support the adoption of a case-by-case approach instead of the PQ List
approach.\183\ TAPS, the Michigan Commission, APPA, and California
Parties oppose the Commission's adoption of a case-by-case approach.\184\
---------------------------------------------------------------------------
\182\ OT Coalition Initial Comments at 2-3; Avangrid Initial
Comments at 5, 6; MISO Transmission Owners Initial Comments at 4;
EPSA Initial Comments at 5; INGAA Initial Comments at 4; EEI Initial
Comments at 4-5; Microsoft Initial Comments at 2; Ohio Consumers'
Counsel Initial Comments at 9; Anterix Initial Comments at 12-13;
Anterix Reply Comments at 12; DOE Reply Comments at 10.
\183\ Alliant Initial Comments at 4-5; Maryland and Pennsylvania
Commissions Initial Comments at 7-8.
\184\ TAPS Initial Comments at 7; Michigan Commission Initial
Comments at 6; APPA Initial Comments at 5; California Parties
Initial Comments at 31-32; California Parties Reply Comments at 12-
13.
---------------------------------------------------------------------------
103. EEI, MISO Transmission Owners, INGAA, and Anterix describe the
role of a case-by-case approach as a supplement to the PQ List
approach, providing flexibility for the filing utilities.\185\
Microsoft, OT Coalition, and Ohio Consumers' Counsel highlight the use
of the case-by-case approach as a mechanism both for utilities to file
for incentives not on the PQ List and to inform additions to the PQ
List.\186\ INGAA asserts that the case-by-case approach will encourage
utilities to make qualifying investments not included on the PQ List,
which will result in strengthening the security posture of the Bulk-
Power System.\187\ Avangrid states that the Commission should allocate
sufficient human and financial resources to ensure timely review of
case-by-case incentive requests.\188\
---------------------------------------------------------------------------
\185\ EEI Initial Comments at 4-5; MISO Transmission Owners
Initial Comments at 4; INGAA Initial Comments at 4; Anterix Initial
Comments at 12-13; Anterix Reply Comments at 12.
\186\ Microsoft Initial Comments at 2; OT Coalition Initial
Comments at 2, 3; Ohio Consumers' Counsel Initial Comments at 9.
\187\ INGAA Initial Comments at 4.
\188\ Avangrid Initial Comments at 4.
---------------------------------------------------------------------------
104. Alliant and the Maryland and Pennsylvania Commissions support
the adoption of a case-by-case approach over the PQ List. Alliant
argues that, due to the dynamic and rapid pace at which cybersecurity
solutions become obsolete, the case-by-case approach will allow the
Commission to review incentive requests in light of the most current
technologies available and the overall needs of the utility.\189\ The
Maryland and Pennsylvania Commissions assert that the case-by-case
approach would encourage utilities to be more innovative in their
cybersecurity improvements and would allow an applicant to demonstrate
how a particular incentive addresses the utility's actual needs or meets
the statutory criteria specific to the individual utility.\190\ Ohio FEA
argues that the PQ List approach alone is inadequate because it will be
unable to stay abreast of the ever-changing cybersecurity
landscape.\191\
---------------------------------------------------------------------------
\189\ Alliant Initial Comments at 4-5.
\190\ Maryland and Pennsylvania Commissions Initial Comments at
7-8.
\191\ Ohio FEA Initial Comments at 9.
---------------------------------------------------------------------------
105. TAPS, the Michigan Commission, APPA, and California Parties
oppose the adoption of the case-by-case approach. The Michigan
Commission supports the transparency and efficiency that the PQ List
provides over the case-by-case approach.\192\ The Michigan Commission
argues that, if a cybersecurity investment materially improves
security, the investment should be considered for inclusion in the CIP
Reliability Standards.\193\ TAPS also enumerates concerns with the
efficiency and transparency of the case-by-case approach, as well as
the potential for increased litigation expenses and slower adoption of
Advanced Cybersecurity Technologies.\194\ APPA states that the case-by-
case approach would be administratively burdensome and lead to
incentives for routine, best practice cybersecurity expenditures.\195\
California Parties argue that a case-by-case approach would be
administratively infeasible and reduce regulatory certainty for filing
utilities.\196\
---------------------------------------------------------------------------
\192\ Michigan Commission Initial Comments at 6.
\193\ Id. at 9.
\194\ TAPS Initial Comments at 7-9.
\195\ APPA Initial Comments at 17.
\196\ California Parties Initial Comments at 31-32.
---------------------------------------------------------------------------
106. The Iowa Utilities Board states that incentives under the
case-by-case approach should be higher than those granted under the PQ
List because the case-by-case approach drives innovation.\197\
---------------------------------------------------------------------------
\197\ Iowa Utilities Board Initial Comments at 5-6.
---------------------------------------------------------------------------
c. Commission Determination
107. We adopt a case-by-case approach to granting incentives by
adding Sec. 35.48(e)(2) to the Commission's regulations, which permits
a utility to demonstrate that a cybersecurity investment satisfies each
of the eligibility criteria. Unlike the PQ List approach, the
Commission will not presume that the requested cybersecurity investment
satisfies the eligibility criteria. The utility requesting incentive-
based rate treatment would need to demonstrate in its filing that the
cybersecurity investment(s) would materially improve cybersecurity for
the utility requesting the incentive-based rate treatment.
108. We find that allowing utilities to make case-by-case
cybersecurity incentive requests in addition to PQ List requests
provides several benefits. The case-by-case approach offers greater
flexibility than the PQ List approach alone for utilities to respond to
cybersecurity threats. In addition, reviewing cybersecurity investments
on a case-by-case basis can help to inform the Commission about
potential new additions that it could make to the PQ List in future
proceedings. We believe
[[Page 28363]]
that, by allowing utilities to use more than one approach to show that
a cybersecurity investment satisfies the eligibility criteria, we
strike the right balance between customer protection, transparency,
efficiency, and responsiveness to cybersecurity threats.
109. In order to determine on a consistent and transparent basis
whether a cybersecurity investment satisfies the first eligibility
criterion, the Commission will consider evidence showing that the
utility would invest in cybersecurity improvements that: (1) are based
on a documented and recommended technical cybersecurity mitigation
action published in an alert or advisory by a relevant Federal agency
(e.g., CISA, DOE, FBI, DOD, NSA); \198\ and (2) respond to an alert or
advisory that meets the objective of a subcategory of the NIST
Cybersecurity Framework, or its successor, and references the related
NIST 800-53 Security Control, or its successor.\199\ The Commission
would base its assessment of the evidence on whether an incentive is
appropriate on the mitigation actions detailed in the specified
agencies' alerts and advisories along with the NIST Cybersecurity
Framework and NIST 800-53 Security Controls to determine whether the
utility's proposed cybersecurity investment would materially improve
its cybersecurity.
---------------------------------------------------------------------------
\198\ Technical cybersecurity mitigation action means a
recommended action requiring the purchase of software, hardware, or
third-party services.
\199\ Some alerts may reference specific NIST 800-53 Security
Controls, while others may reference security controls generally.
One example of a case-by-case request for incentive-based rate
treatment of cybersecurity investments is a utility requesting an
incentive for an implementation of data backup procedures on both
the IT and OT networks. This type of action is specifically
recommended in the CISA ``Shields Up'' Alert. See CISA, Essential
Element: Your Data (Oct. 15, 2020), <a href="https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Toolkit%205%2020201015_508.pdf">https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Toolkit%205%2020201015_508.pdf</a>. Further, this
action is covered by the NIST Cybersecurity Framework Category
Information Protection Processes and Procedures, subcategory 4 and
thus would be evidence that this proposed implementation would
materially improve the utility's cybersecurity.
---------------------------------------------------------------------------
110. As discussed in section III.A.3. and consistent with the
Commission's evaluations of PQ List cybersecurity investments in
section III.B.1.a., under the case-by-case approach a utility would
still need to demonstrate that it would make the cybersecurity
investment voluntarily, and that the proposed rate, including the
cybersecurity incentive, is just and reasonable and not unduly
discriminatory or preferential.
111. We decline to add any additional eligibility criteria to our
regulations that would apply only to cybersecurity investments that are
not included on the PQ List. We find that the eligibility criteria in
our regulations are sufficient for incentive requests that use either
the PQ List or case-by-case approach. Similarly, we decline to offer
different forms of incentives for cybersecurity investments based on
whether or not the investment appears on the PQ List. We are not
convinced that the benefits of cybersecurity investments that are on
the PQ List differ from those of investments for which a utility
requests incentives on a case-by-case basis, such that they would
merit disparate incentive levels, because all incentive-eligible
investments under both mechanisms must satisfy the requirement to
materially improve cybersecurity in the first eligibility criterion.
3. Early Compliance With Approved Reliability Standards
a. NOPR Proposal
112. In the NOPR, the Commission proposed the second eligibility
criterion limiting incentive-based rate treatment to cybersecurity
investments that a utility made voluntarily.\200\ The NOPR also sought
comment on whether the second eligibility criterion was appropriate and
whether there were additional criteria or limitations that the
Commission should consider, including any potential refinements, and
any other criteria for incentive eligibility that the Commission should
adopt in the final rule. Finally, the NOPR proposed to allow a utility
granted a cybersecurity incentive to receive that incentive until the
investment or activity that serves as the basis of that incentive
becomes mandatory pursuant to a Reliability Standard approved by the
Commission.\201\ This would include cybersecurity investments made by a
utility to comply with Reliability Standards that the Commission has
already approved pursuant to Sec. 39.5(d) of the Commission's
regulations, but that have not yet taken effect pursuant to the
implementation plan approved by the Commission.
---------------------------------------------------------------------------
\200\ Id. PP 20, 22.
\201\ Id. P 46.
---------------------------------------------------------------------------
b. Comments
113. Many commenters discuss how the NOPR's proposed incentives
would interact with and affect the CIP Reliability Standards and
development processes. Indicated PJM Transmission Owners, the Michigan
Commission, and EPSA note that incentives could supplement the time-
intensive NERC standards development process.\202\ APPA and Alliant
express concern that providing incentives for cybersecurity investments
would disincentivize the timely development of CIP Reliability
Standards.\203\ NERC advises the Commission to develop rate incentives
for voluntary cybersecurity investments that build upon and complement
existing CIP Reliability Standards.\204\ NERC and TAPS advise the
Commission to consider how the proposed incentives will affect
compliance with the CIP Reliability Standards.\205\
---------------------------------------------------------------------------
\202\ Indicated PJM Transmission Owners Initial Comments at 5;
Michigan Commission Initial Comments at 9; EPSA Initial Comments at
2.
\203\ APPA Initial Comments at 13-14; Alliant Initial Comments
at 7-8.
\204\ NERC Initial Comments at 3.
\205\ Id. at 4; TAPS Initial Comments at 12.
---------------------------------------------------------------------------
114. Indicated PJM Transmission Owners support the availability of
incentives to early adopters of cybersecurity technology.\206\ The
Michigan Commission discusses an approach in which the proposed
Cybersecurity Regulatory Asset Incentive would be used to facilitate
cybersecurity investments during the period in which said investments
are evaluated for inclusion in the CIP Reliability Standards.\207\ EPSA
notes that the nature of the long, detailed process to develop and
implement NERC CIP Reliability Standards may not be able to keep up
with the rapidly evolving nature of cybersecurity threats.\208\ EPSA
states that it is prudent to provide incentives for protections to
address rapidly evolving technologies to ensure a reliable, resilient,
and operational electric grid.\209\
---------------------------------------------------------------------------
\206\ Indicated PJM Transmission Owners Initial Comments at 5.
\207\ Michigan Commission Initial Comments at 9.
\208\ EPSA Initial Comments at 2.
\209\ Id.
---------------------------------------------------------------------------
115. The Maryland and Pennsylvania Commissions argue that making
incentives available in the period before the completion of mandatory
standards does not expedite the standards process or the voluntary
adoption of improvements.\210\ On the contrary, they assert that the
proposed incentives actually would encourage delays in the standards
development process so utilities could recover incentives for voluntary
implementation.\211\ The Maryland and Pennsylvania Commissions further
note that the proposed incentives do not provide a tapering off period,
such as over the time frame in which a CIP Reliability Standard is
being developed. They assert that such a tapering period would
[[Page 28364]]
motivate utilities to implement material improvements as early as
possible.\212\
---------------------------------------------------------------------------
\210\ Maryland and Pennsylvania Commissions Initial Comments at
10.
\211\ Id. at 10.
\212\ Id. at 10.
---------------------------------------------------------------------------
116. APPA recommends that the Commission modify the proposed
eligibility criteria in a manner that would disallow incentives for
early adoption of CIP Reliability Standards.\213\ Instead of a
cybersecurity expenditure losing eligibility when it becomes mandatory
pursuant to a CIP Reliability Standard, APPA recommends that the cut
off for incentives should be the earlier of: (1) the date of any
Commission directive that would require the investment; or (2) the date
that a Standards Authorization Request is submitted to NERC to require
that incentive.\214\ APPA argues that it would not be just or
reasonable to provide an incentive to a utility for an investment where
a new or revised mandatory Reliability Standard is pending.\215\
---------------------------------------------------------------------------
\213\ APPA Initial Comments at 13-14.
\214\ Id. at 13-14.
\215\ Id. at 13-14.
---------------------------------------------------------------------------
c. Commission Determination
117. We adopt an application of the case-by-case method for
utilities to satisfy the eligibility criteria by adding Sec.
35.48(e)(3) to the Commission's regulations, which permits utilities to
receive incentives for cybersecurity investments made to comply with a
cybersecurity-related CIP Reliability Standard (i.e., excluding CIP
Reliability Standards that may be related to physical security and not
cybersecurity) approved by the Commission before that CIP Reliability
Standard becomes mandatory and enforceable for that utility. In
general, cybersecurity investments made by a utility to comply and
maintain its compliance with a Commission-approved Reliability Standard
will materially improve the utility's cybersecurity. Filing utilities
would need to demonstrate that the cybersecurity investment(s) they
will make are necessary to comply with the Reliability Standard, and
that they will make those cybersecurity investments prior to the date
that the Reliability Standard is mandatory and enforceable for that
utility.\216\ Those cybersecurity investments made by the utility
before the newly-approved Reliability Standard becomes effective (i.e.,
mandatory and enforceable) are voluntary. Those cybersecurity
investments made by the utility after the newly-approved Reliability
Standard becomes effective and mandatory are no longer voluntary. As
required by the second eligibility criterion, all of the utility's
cybersecurity investments incurred to comply with a Reliability
Standard after the Reliability Standard becomes mandatory and
enforceable for that utility are ineligible for incentive-based rate
treatment.
---------------------------------------------------------------------------
\216\ In addition, as explained below, filings seeking the
incentives would have to comply with the filed rate doctrine. See
Exxon Mobil Corp. v. FERC, 571 F.3d 1208, 1211 (D.C. Cir. 2009)
(citing Towns of Concord, Norwood, & Wellesley v. FERC, 955 F.2d 67,
71 & n.2 (D.C. Cir. 1992); Ark. La. Gas Co. v. Hall, 453 U.S. 571,
577-578 (1981)) (``The Commission may not retroactively alter a
filed rate to compensate for prior over- or underpayments. A
corollary to this rule against retroactive ratemaking, the filed
rate doctrine, forbids a regulated entity to charge rates for its
services other than those properly filed with the appropriate
regulatory authority. Together, these rules generally limit the
relief the Commission may order to prospective [rates].'') (cleaned
up).
---------------------------------------------------------------------------
118. We find that allowing utilities to receive an incentive to
comply with a Commission-approved cybersecurity-related CIP Reliability
Standard before it becomes mandatory and enforceable could materially
improve their cybersecurity posture during that period. In addition, we
find that permitting an incentive for early compliance with approved
cybersecurity-related CIP Reliability Standards will help to bridge
gaps between voluntary cybersecurity measures and the cybersecurity
measures mandated in the CIP Reliability Standards. It is possible that
allowing utilities to receive incentives for early compliance could
unintentionally incentivize standards drafting teams' artificial
lengthening of the implementation period to increase the amount of time
a utility could receive incentives. Nevertheless, the Commission would
continue to consider whether the implementation time is reasonable when
determining whether to approve the proposed CIP Reliability
Standard.\217\
---------------------------------------------------------------------------
\217\ See Rules Concerning Certification of the Elec.
Reliability Org.; & Procs. for the Establishment, Approval, & Enf't
of Elec. Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17,
2006), 114 FERC ¶ 61,104, at P 333, order on reh'g, Order No. 672-A,
71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006) (``In
considering whether a proposed Reliability Standard is just and
reasonable, the Commission will consider also the timetable for
implementation of the new requirements, including how the proposal
balances any urgency in the need to implement it against the
reasonableness of the time allowed for those who must comply'').
---------------------------------------------------------------------------
119. We clarify that the cybersecurity investments made by a
utility to achieve early compliance with an approved cybersecurity-
related CIP Reliability Standard may be eligible for incentive-based
rate treatment. We reiterate that, after receiving Commission
authorization for incentive-based rate treatment, the utility may only
collect the incentive during the period that begins with the utility
achieving compliance with the approved cybersecurity-related CIP
Reliability Standard and that ends according to the duration provisions
of Sec. 35.48(g), as further discussed in section III.D.\218\
Therefore, the earlier that a utility complies with a new CIP
Reliability Standard, the longer the utility's incentive recovery
period may be.
---------------------------------------------------------------------------
\218\ In addition to having its rate that includes incentive-
based treatment on file with the Commission, a utility must submit
an informational filing to the Commission notifying the Commission
of the date that it has achieved compliance with the approved
cybersecurity-related CIP Reliability Standard.
---------------------------------------------------------------------------
C. Cybersecurity Investment Rate Incentives
120. The Commission proposed two potential rate incentive options
for utilities that make eligible cybersecurity investments: (1) the
Cybersecurity ROE Incentive, an ROE adder of 200 basis points that
would be applied to the incentive-eligible investments; \219\ and (2)
the Cybersecurity Regulatory Asset Incentive, deferral of certain
eligible expenses for rate recovery, enabling them to be part of rate
base such that a return can be earned on the unamortized portion.\220\
The Commission stated that both offer meaningful incentives to
encourage cybersecurity investments that improve a utility's
cybersecurity posture.\221\ The Commission also sought comment on
whether, and if so how, the principles of performance-based regulation
could apply to utilities with respect to cybersecurity
investments.\222\
---------------------------------------------------------------------------
\219\ NOPR, 180 FERC ¶ 61,189 at P 36.
\220\ Id. P 39.
\221\ Id. P 33.
\222\ Id. P 45.
---------------------------------------------------------------------------
121. The Commission also noted that most utility IT investments
(general and intangible plant) and expenses (administrative and general
costs) support functions of the entire utility, not just the
transmission function.\223\ Consequently, the Commission found that
only a portion of those costs are allocated to transmission customers,
typically based on wages and salaries allocators.\224\
---------------------------------------------------------------------------
\223\ Id. P 36.
\224\ Id. P 36.
---------------------------------------------------------------------------
1. Cybersecurity ROE Incentive
a. NOPR Proposal
122. The Commission proposed to allow a utility that makes
cybersecurity investments that are eligible for incentives to request
the Cybersecurity ROE Incentive that would be applied to the incentive-
eligible investments.\225\ The Commission explained that any
[[Page 28365]]
incentive granted under this proposal would be subject to the total
base and incentive return being capped at the top of the utility's zone
of reasonableness.\226\ The Commission stated that the 200-basis point
ROE adder would provide a meaningful incentive to encourage utilities
to improve their systems' cybersecurity. The Commission recognized that
this amount exceeds the ROE incentives for transmission facilities that
the Commission typically provides pursuant to FPA section 219. The
Commission explained that, because cybersecurity investments are
relatively small compared to conventional transmission projects, a
higher ROE may be necessary to affect the expenditure decisions of
utilities, without unduly burdening ratepayers.
---------------------------------------------------------------------------
\225\ Id. P 36.
\226\ See, e.g., Emera Me. v. FERC, 854 F.3d 9, 23 (D.C. Cir.
2017) (``The zone of reasonableness informs FERC's selection of a
just and reasonable rate.''); see also Permian Basin, 390 U.S. 747,
767 (1968) (stating that as long as the rate selected by the
Commission is within the zone of reasonableness, the Commission is
not required to adopt as just and reasonable any particular rate
level).
---------------------------------------------------------------------------
123. The Commission also proposed that enterprise-wide investments,
which are not specific to transmission or the sale for resale of
electric energy in interstate commerce, but a portion of which are
recovered through rates on file with the Commission, may also be
eligible for the 200-basis point ROE adder incentive if the Commission
determines that the investments merit incentives, based on the
eligibility criteria described above.\227\ However, consistent with
both longstanding cost-causation ratemaking principles \228\ and the
statutory requirement that rates inclusive of incentives be just and
reasonable and not unduly discriminatory or preferential, the
Commission proposed that only the conventionally allocated portion of
such investments that flows through to cost-of-service rates on file
with the Commission would be eligible for this rate treatment.
---------------------------------------------------------------------------
\227\ NOPR, 180 FERC ¶ 61,189 at P 37.
\228\ See Old Dominion Elec. Coop. v. FERC, 898 F.3d 1254, 1255
(D.C. Cir. 2018), (``For decades, the Commission and the courts have
understood this requirement to incorporate a `cost-causation
principle'--the rates charged for electricity should reflect the
costs of providing it.''); see, e.g., Ala. Elec. Coop., Inc. v.
FERC, 684 F.2d 20, 27 (D.C. Cir. 1982).
---------------------------------------------------------------------------
b. Comments
124. EEI, MISO Transmission Owners, and Indicated PJM Transmission
Owners support the proposed ROE incentive.\229\ EEI notes that some
cybersecurity investments involve relatively low dollar amounts,
compared with other capital investments.\230\ Therefore, in addition to
the fact that these investments are recovered over a short period, EEI
believes that the proposed 200-basis point adder is reasonable and has
the potential to create an incentive that will shift utility
cybersecurity expenditures in the manner intended by the Commission and
Congress.\231\
---------------------------------------------------------------------------
\229\ EEI Initial Comments at 9; MISO Transmission Owners
Initial Comments at 10; Indicated PJM Transmission Owners Initial
Comments at 4.
\230\ EEI Initial Comments at 9-10.
\231\ Id. at 9-10.
---------------------------------------------------------------------------
125. EEI and MISO Transmission Owners support the Commission's
proposal to include enterprise-wide costs as eligible for incentive
treatment.\232\ EEI states that the Commission's enterprise-wide
approach avoids the potential for investments to be funneled to only
certain assets, leaving other areas (e.g., network assets, generation)
potentially ineligible, and aligns with Commission policies on enabling
access for, and deployment of, distributed energy resources and
advanced technologies.\233\ MISO Transmission Owners state that the
inclusion of enterprise-wide costs encourages enterprise-wide strategic
security investments, which provide benefits to a utility's security
program efficiency more broadly, as well as to ratepayers.\234\
---------------------------------------------------------------------------
\232\ MISO Transmission Owners Initial Comments at 10.
\233\ EEI Initial Comments at 10.
\234\ MISO Transmission Owners Initial Comments at 10-11.
---------------------------------------------------------------------------
126. APPA and Alliant agree with the proposal in the NOPR to cap
total base and incentive ROE at the top of the zone of
reasonableness.\235\ APPA asks the Commission to clarify that, in
applying the cap at the top end of the zone of reasonableness, a public
utility would be required to take into account ROE adders other than
the cybersecurity investment adder.\236\
---------------------------------------------------------------------------
\235\ APPA Initial Comments at 19; Alliant Initial Comments at
6.
\236\ APPA Initial Comments at 19.
---------------------------------------------------------------------------
127. Alliant, APPA, Iowa Utilities Board, Joint Consumer Advocates,
the Michigan Commission, Ohio FEA, Ohio Consumers' Counsel, and TAPS do
not support the proposed ROE adder of 200 basis points.\237\ Alliant,
APPA, California Parties, Ohio Consumers' Counsel, and Ohio FEA argue
that the proposed 200-basis points adder is not just and
reasonable.\238\ APPA, California Parties, and TAPS also argue that the
Commission has not sufficiently supported or explained why a 200-basis
point return is necessary.\239\
---------------------------------------------------------------------------
\237\ Alliant Initial Comments at 6; APPA Initial Comments at
10; Iowa Utilities Board Initial Comments at 4; Joint Consumer
Advocates Initial Comments at 3; Michigan Commission Initial Comments
at 9; Ohio FEA Initial Comments at 10; TAPS Initial Comments at 16.
\238\ Alliant Comments at 5-6; California Parties Initial
Comments at 22; ITC Companies Initial Comments at 3; Joint Consumer
Advocates Initial Comments at 3; Michigan Commission Initial
Comments at 9; Ohio Consumers' Counsel Initial Comments at 12; Ohio
FEA Initial Comments at 11.
\239\ Alliant Comments at 5-6; APPA Initial Comments at 11;
California Parties Initial Comments at 22; Ohio Consumers' Counsel
Initial Comments at 12; Ohio FEA Initial Comments at 11.
---------------------------------------------------------------------------
128. APPA, California Parties, and TAPS argue that eligible
cybersecurity investments are not ``relatively small'' as the NOPR
suggests.\240\ California Parties state that, in recent years, the
California Public Utilities Commission has authorized significant
amounts for State jurisdictional cybersecurity capital expenditures and
annual IT physical and cybersecurity activities for utilities.\241\
TAPS comments that the Commission has found that Duke Energy has made
over $137 million in capital investments as part of its cybersecurity
program that is designed based on the NIST Framework.\242\ TAPS further
states that, in 2019, Dominion Energy Virginia received State approval
to spend $910.3 million on cyber and physical security and
telecommunications over 10 years, with $154.4 being spent in the first
three years related to improved monitoring and alarm capabilities and
enhanced utility security.\243\ TAPS argues that these sums illustrate
that cybersecurity investments are not relatively small compared to
conventional transmission projects.\244\
---------------------------------------------------------------------------
\240\ APPA Initial Comments at 11; California Parties Initial
Comments at 23; TAPS Initial Comments at 17.
\241\ California Parties Initial Comments at 23.
\242\ TAPS Initial Comments at 17.
\243\ Id. at 17.
\244\ Id. at 17.
---------------------------------------------------------------------------
129. The Michigan Commission states that the potential financial
risks that cyberattacks can pose on electric utilities already serve as
a strong incentive for investment, much stronger than an additional 200
basis points would provide when applied to what the NOPR recognizes are
relatively low-cost investments.\245\
---------------------------------------------------------------------------
\245\ Michigan Commission Initial Comments at 8-9.
---------------------------------------------------------------------------
130. Alliant states that using a 200-basis point ROE incentive
would impose unnecessary administrative burdens on the Commission and
all parties affected, as processing requests for incentives would
consume valuable and limited resources of the Commission.\246\ Iowa
Utilities Board argues that an incentive rate adder could have a
cascading impact on
[[Page 28366]]
economic activity, might adversely impact inflation, and could provide
a perverse incentive to invest in unneeded technologies.\247\ Ohio
Consumers' Counsel comments that a 200-basis point adder is not
necessary and is unreasonably costly for consumers, and also defies the
logic of Order No. 679, which contemplated ROE adders of 100 and 150
basis points only, with the higher ROEs for more complicated and
expensive transmission projects.\248\
---------------------------------------------------------------------------
\246\ Alliant Initial Comments at 6.
\247\ Iowa Utilities Board Initial Comments at 4.
\248\ Ohio Consumers' Counsel Initial Comments at 12-13.
---------------------------------------------------------------------------
131. Several commenters argue for a modification to the
Commission's proposal of 200 basis points. NRECA requests that the
Commission revise its proposal to allow for a request of up to 200-
basis points, and questions whether it is appropriate to grant the same
ROE adder for all cybersecurity expenditures or whether the Commission
instead should tie the amount of the ROE incentive to the projected
impact of the cybersecurity expenditure.\249\ APPA asks whether the
Commission has considered whether applying a smaller ROE adder would be
sufficient to encourage investment.\250\ Ohio Consumers' Counsel states
that, instead of proposing a flat 200-basis point ROE adder, the
Commission should provide for a pool of potential adders, ranging from
25 basis points up to a cap of 50 basis points, depending on the
magnitude of the investment and the complexity or proven track record
for the technology or activity.\251\
---------------------------------------------------------------------------
\249\ NRECA Initial Comments at 10.
\250\ APPA Initial Comments at 11.
\251\ Ohio Consumers' Counsel Initial Comments at 13.
---------------------------------------------------------------------------
132. The Maryland and Pennsylvania Commissions suggest tapering
incentives over time to encourage utilities to implement material
improvements as early as possible. They argue that such tapering adds a
``performance-based'' aspect to the NOPR proposals.
133. AEP and ITC Companies request that the Commission apply
incentives to the entire rate base.\252\ ITC Companies state that it
might be better to offer a general rather than asset-specific ROE adder
for utilities that adopt a sufficient level of additional Advanced
Cybersecurity Technologies and cybersecurity threat information sharing
program participation.\253\ ITC Companies argue that this would reflect
the fact that an entity's individual cybersecurity assets and practices
are part of a cohesive defensive framework that applies to its entire
operation.\254\ ITC Companies explain that the type of cybersecurity
investment to which the ROE incentive might apply is not a financially
significant portion of total rate base for most responsible entities
and, in many instances, it is likely that the marginal benefit of this
incentive will not justify the administrative cost of obtaining this
incentive (even with a PQ List in place), especially where the zone of
reasonableness applicable to a responsible entity's overall rate of
return further diminishes the impact of the incentive.\255\ AEP argues
that an incentive adder applied system-wide to the transmission rate
base would not need to rise to the level contemplated in the NOPR,
e.g., 50 basis points, and would be sufficient to incentivize industry
participants to adopt cybersecurity programs that go above and beyond
existing cybersecurity requirements.\256\
---------------------------------------------------------------------------
\252\ AEP Initial Comments at 6; ITC Companies Initial Comments
at 4.
\253\ ITC Companies Initial Comments at 4.
\254\ Id. at 4.
\255\ Id. at 3.
\256\ AEP Initial Comments at 6.
---------------------------------------------------------------------------
c. Commission Determination
134. We decline to adopt an ROE incentive adder, as proposed in the
NOPR. We conclude that the Cybersecurity Regulatory Asset Incentive
satisfies the statutory obligation to benefit consumers by encouraging
investments by utilities in Advanced Cybersecurity Technology and
participation by utilities in cybersecurity threat information sharing
programs. We believe that expenses, which include cybersecurity
assessments, architectural reviews, maturity model evaluations,
software subscriptions, monitoring, training, procuring outside
services, and cloud computing services, constitute a large portion of
overall expenditures for many cybersecurity investments, including
cybersecurity threat information sharing programs. We find that the
provision of the Cybersecurity Regulatory Asset Incentive alone
provides the encouragement that Congress intended without unduly
increasing costs on consumers.
2. Cybersecurity Regulatory Asset Incentive
a. NOPR Proposal
135. The Commission proposed a Cybersecurity Regulatory Asset
Incentive to allow a utility that makes cybersecurity investments that
are eligible for incentives to seek deferred cost recovery.\257\ The
Commission explained that, in limited circumstances, it may be
appropriate to allow a utility to defer recovery of certain
cybersecurity costs that are generally expensed as they are incurred,
and treat them as regulatory assets, while also allowing such
regulatory assets to be included in transmission rate base. Many costs
associated with cybersecurity are in the form of expenses, often to
third-party vendors, rather than capital investments. Moreover, certain
cost categories that companies historically have purchased and
capitalized, such as software, are now often procured as services with
periodic payments to vendors that are recorded as expenses. Therefore,
to encourage investment in cybersecurity, the Commission proposed to
allow utilities to defer and amortize eligible costs that are typically
recorded as expenses, including those that are associated with third-
party provision of hardware, software, and computing and networking
services. The Commission also sought comment on whether it would be
preferable to permit only 50% of incentive-eligible expenses to be
treated as regulatory assets.
---------------------------------------------------------------------------
\257\ NOPR, 180 FERC ¶ 61,189 at P 39.
---------------------------------------------------------------------------
136. The Commission observed that a range of implementation costs
associated with cybersecurity investments could be eligible for
deferred rate treatment.\258\ Such costs may include, for example,
training to implement new cybersecurity practices and systems. However,
the Commission proposed that, to be eligible for the incentive of
deferred cost recovery, such training costs must be distinct from costs
associated with pre-existing training on cybersecurity practices. The
Commission stated that another potentially eligible implementation cost
may be internal system evaluations and assessments or analyses by third
parties, to the extent that they are associated with a capitalizable
item and are part of eligible capitalizable costs. The Commission
proposed that any implementation costs that are not conventionally
booked as plant and thus capitalized can be considered for deferral as
a regulatory asset. Recurring costs may be eligible for deferral as a
regulatory asset and may include, for example, subscriptions, service
agreements, and post-implementation training costs. Specifically, the
Commission proposed to allow utilities, under this incentive, to
include ongoing dues and other expenses directly associated with
participation by utilities in cybersecurity threat information sharing
programs that satisfy the eligibility criteria.
---------------------------------------------------------------------------
\258\ Id. P 40.
---------------------------------------------------------------------------
[[Page 28367]]
137. The Commission observed that, because FPA section 219A(c)(2)
directs the Commission to offer incentives to encourage participation
by public utilities in cybersecurity threat information sharing
programs, it proposed to allow utilities that are currently
participating in such programs to seek incentives for any new
cybersecurity investment associated with their participation, so long
as that participation is voluntary.\259\ The Commission sought comment
on whether to allow utilities who are already participating in an
eligible cybersecurity threat information sharing program to be
eligible for this incentive.\260\
---------------------------------------------------------------------------
\259\ Id. P 41.
\260\ Id. P 41.
---------------------------------------------------------------------------
138. The Commission also noted that the Commission's rules and
regulations in the Uniform System of Accounts \261\ already require
public utilities to maintain records supporting any entries to the
regulatory asset account so that the public utility can furnish full
information as to the nature and amount of, and justification for, each
regulatory asset recorded in the account.\262\ The Commission explained
that, pursuant to its existing regulations, utilities must maintain
sufficient records to support the distinction of any investments that
are afforded incentive-based rate treatment.\263\
---------------------------------------------------------------------------
\261\ See 18 CFR pt. 101, Account Definition Account 182.3,
Other Regulatory Assets, paragraph D.
\262\ NOPR, 180 FERC ¶ 61,189 at P 42.
\263\ Id.
---------------------------------------------------------------------------
139. Additionally, the Commission proposed that only directly-
assigned utility costs or the conventionally allocated portion of
enterprise-wide expenses (e.g., using the wages and salaries allocator)
would be eligible for the Cybersecurity Regulatory Asset Incentive in
rates on file with the Commission.\264\
---------------------------------------------------------------------------
\264\ Id. P 43.
---------------------------------------------------------------------------
b. Comments
140. EEI, Iowa Utilities Board, the Michigan Commission, and MISO
Transmission Owners support the Commission's proposal.\265\ The
Michigan Commission states that the Commission's acknowledgement that
many cybersecurity costs have shifted to expenses rather than capital
costs is valid.\266\ The Michigan Commission adds that the proposed
Cybersecurity Regulatory Asset Incentive could help facilitate these
types of investments during the time in which such investments are
evaluated for inclusion in the CIP Reliability Standards, and that the
proposed Cybersecurity Regulatory Asset Incentive would allow for
reasonable facilitation of cybersecurity investments in advance of CIP
Reliability Standard updates and would avoid unjust and unreasonable
rates.\267\ Iowa Utilities Board comments that allowing a utility to
capitalize the operational expenses for cybersecurity expenditures is
by itself an adequate incentive because it reduces cash flow demands
and provides an opportunity for the utility to earn a return on those
expenditures.\268\
---------------------------------------------------------------------------
\265\ EEI Initial Comments at 11; Iowa Utilities Board Initial
Comments at 3-4; Michigan Commission Initial Comments at 9; MISO
Transmission Owners Initial Comments at 11.
\266\ Michigan Commission Initial Comments at 9.
\267\ Id.
\268\ Iowa Utilities Board Initial Comments at 4.
---------------------------------------------------------------------------
141. MISO Transmission Owners support the proposal to allow
utilities to defer and amortize eligible costs that are typically
recorded as expenses that are associated with third-party hardware,
software, and computing and networking services.\269\ MISO Transmission
Owners state that allowing transmission owners to capitalize costs and
investments associated with cybersecurity investment, including up-
front training and implementation expenses, will enable utilities to
fully realize the relative security benefits that rapid adoption of
cybersecurity investment can generate, as well as the often-lower cost
that such solutions impose on ratepayers relative to physical
infrastructure.\270\
---------------------------------------------------------------------------
\269\ MISO Transmission Owners Initial Comments at 11.
\270\ Id.
---------------------------------------------------------------------------
142. MISO Transmission Owners ask the Commission to clarify that
cybersecurity-related operation and maintenance expenses, labor costs,
and post-implementation training costs may be included as part of the
Cybersecurity Regulatory Asset Incentive.\271\ EEI suggests that the
Commission also allow training, implementation, software, and cloud
computing expenses to be deferred as a regulatory asset.\272\ EEI
expresses concern with the proposal to limit
the eligible costs to those associated with implementing cybersecurity
upgrades and to not include ongoing costs including system maintenance,
surveillance, and other labor costs, either in the form of employee
salaries or third-party service contracts.\273\ EEI argues that
including these costs would support the Commission's cybersecurity
goals, incent best practices, and benefit customers by reducing the
possibility of interruptions from cyber-attacks.\274\
---------------------------------------------------------------------------
\271\ Id.
\272\ EEI Initial Comments at 11.
\273\ Id. at 11.
\274\ Id. at 11-12.
---------------------------------------------------------------------------
143. Ohio Consumers' Counsel opposes the proposal to allow deferred
accounting and recovery of a return on the unamortized portion of the
costs for cybersecurity expenses.\275\ Ohio Consumers' Counsel states
that deferred accounting and cost collection of cybersecurity expenses
as regulatory assets will cost consumers more over time than would
recovery of the expense all in one year.\276\
---------------------------------------------------------------------------
\275\ Ohio Consumers' Counsel Initial Comments at 10.
\276\ Id.
---------------------------------------------------------------------------
144. APPA and California Parties contend that the Cybersecurity
Regulatory Asset Incentive should be limited to 50% of eligible
investment in cybersecurity initiatives.\277\ California Parties
comment that the Commission should allow no more than 50% of eligible
expenses to be treated as a regulatory asset included in transmission
rate base to reduce the burden on consumers.\278\ California Parties
argue that the Commission failed to offer any explanation as to why its
proposal that 100% of eligible expenses should be able to receive
incentive treatment is properly calibrated to induce the desired
investment.\279\
---------------------------------------------------------------------------
\277\ APPA Initial Comments at 12; California Parties Initial
Comments at 24.
\278\ California Parties Initial Comments at 24.
\279\ Id. at 24.
---------------------------------------------------------------------------
c. Commission Determination
145. We adopt the NOPR's proposal to add Sec. 35.48(f) to the
Commission's regulations to include a Cybersecurity Regulatory Asset
Incentive that allows a utility to seek deferred cost recovery for
cybersecurity investments that are eligible for incentives. We find
that, in limited circumstances that are specific to cybersecurity
investments, it is appropriate to allow a utility to defer recovery of
certain cybersecurity costs that are generally expensed as they are
incurred, and treat them as regulatory assets, while also allowing such
regulatory assets to be included in the utility's rate base.
146. In response to Ohio Consumers' Counsel's concerns about
consumer costs, as an initial matter, we note that increased consumer
costs in isolation do not impugn the reasonableness of an incentive,
provided the rates are still just and reasonable. The Commission has
long offered transmission incentives, which increase rates, because
they encourage investments and activities that the Commission has found
provide consumer benefits. The Cybersecurity Regulatory Asset
[[Page 28368]]
Incentive nominally increases rates, though consumers benefit from the
time value of money associated with later recovery through rate base
rather than immediate recovery as an expense. Based on the expense-heavy
nature of many cybersecurity investments, we find this appropriate to
effectuate Congress' requirement that the Commission offer
cybersecurity incentives. We also will not, as suggested by California
Parties and APPA, limit this incentive to 50% of eligible expenses.
Given the comparatively small amount of many cybersecurity expenses, we
find that such a limitation may inadequately provide incentives to
meaningfully encourage utilities to improve their cybersecurity
posture.
147. In response to MISO Transmission Owners' and EEI's comments,
we clarify that utilities may seek this incentive for a range of
expenses including operation and maintenance expenses, labor costs,
implementation costs, network monitoring, and training costs.
Additionally, ongoing expenses, whether incurred as utility employee
costs or as utility payments to third parties, may be eligible. Software
purchases
typically would not qualify for the Cybersecurity Regulatory Asset
Incentive because they generally constitute capital investments;
however, software-as-a-service expenses could qualify for the
Cybersecurity Regulatory Asset Incentive.
148. We find it appropriate to limit eligibility for incentive-
based rate treatment to new cybersecurity investments. As also
discussed in section III.D.3.c., we add Sec. 35.48(h)(5) to our
regulations to provide that the Cybersecurity Regulatory Asset
Incentive may be applied to new cybersecurity investments that: (1)
occur after the effective date of the Commission's approval of
incentive-based rate treatment; and (2) are materially different from
cybersecurity investments already incurred by the utilities more than
three months prior to the incentive request. Utilities may seek
incentives for one-time cybersecurity expenses and/or recurring ones.
149. We generally define new cybersecurity investments to include
investments for those activities that have occurred no more than three
months prior to the date that the utility files its incentive request
with the Commission. We provide one exception and one clarification to
this general three-month rule. First, a utility may seek incentive-
based rate treatment for its future cybersecurity investments made to
participate in cybersecurity threat information sharing programs even
if the utility began its participation and therefore made cybersecurity
investments related to its participation more than three months before
filing its request for incentive-based rate treatment with the
Commission. We clarify that utilities seeking incentive-based rate
treatment for cybersecurity investments made to comply with a
Commission-approved cybersecurity-related CIP Reliability Standard
before it becomes mandatory and enforceable for that utility will be
permitted to seek incentive-based rate treatment for its cybersecurity
expenses that began no earlier than three months before the date that
the Commission's approval of the Reliability Standard becomes
effective. A utility's cybersecurity expenses that began more than
three months before the date that the Commission order or final rule
approving a new or modified Reliability Standard becomes effective will
not be considered new and will be considered materially similar and
duplicative. Therefore, the cybersecurity investments made more than
three months before the Commission approves a new or modified
Reliability Standard would be ineligible to receive incentive-based
rate treatment as early compliance with an approved Reliability
Standard.
150. To be clear, this prior three-month provision only determines
whether a utility's cybersecurity investment is new and therefore
eligible for incentive-based rate treatment. The filed rate doctrine
and the rule against retroactive ratemaking preclude the Commission
from granting a utility incentive-based rate treatment for
cybersecurity investments made before the Commission acts on a request
for declaratory order or the effective date of an FPA section 205
filing requesting the incentive-based rate treatment for cybersecurity
incentives.\280\
---------------------------------------------------------------------------
\280\ See n.216, supra.
---------------------------------------------------------------------------
151. Moreover, we find it appropriate that only new cybersecurity
investments, and not duplicative or materially similar ones to existing
expenses, be eligible. As discussed in section III.D.3., we will
require utilities to attest that the cybersecurity investments that are
the basis for the incentive-based rate treatments are new cybersecurity
investments and not duplicative or materially similar to preexisting
expenses. For instance, investment in training associated with a new
cybersecurity system may be eligible while annual basic cybersecurity
training may not, even if the contents slightly change year-to-year.
This will ensure that incentives encourage cybersecurity investments
that improve a utility's cybersecurity posture rather than just reward
ongoing or recurring activities. The three-month period to determine
eligibility of incentives for pre-existing expenses allows for
utilities making new cybersecurity investments to respond to immediate
cybersecurity vulnerabilities while giving them time to request
incentives. We reiterate that utilities may not recover incentives on
specific investments that predate the effective date of the filing
requesting incentive-based rate treatment. We find that this grace
period could incentivize utilities not to wait until the effective date
of requested incentives to undertake urgent cybersecurity action.
152. FPA section 219A(c)(2) requires the Commission to offer
incentives to encourage participation by public utilities in
cybersecurity threat information sharing programs. Furthermore,
participation in information-sharing programs provides cybersecurity
benefits to the participating utility that applies for an incentive-
based rate treatment, the other program participants, and their
customers. Consequently, unlike other expenses, we find that utilities
may request the Cybersecurity Regulatory Asset Incentive for expenses
associated with participation in cybersecurity threat information
sharing programs regardless of how long the utilities have participated
in the programs--although only expenses prospective from the effective
date of the Commission's approval of the cybersecurity incentives in
the utility's rate(s) on file with the Commission shall be eligible.
153. The Commission's rules and regulations in the Uniform System
of Accounts \281\ require public utilities to maintain records
supporting any entries to the regulatory asset account so that the
public utility can furnish full information as to the nature and amount
of, and justification for, each regulatory asset recorded in the
account. Pursuant to our existing regulations, any utility receiving an
incentive must maintain sufficient records to support the distinction
of any investments that are afforded incentive-based rate
treatment.\282\ Given the novelty of allowing incentive recipients to
include certain expenses in rate base, it is essential that the
utilities keep records in a manner that allows the Commission and other
parties to ensure that no double-recovery occurs.
---------------------------------------------------------------------------
\281\ See 18 CFR pt. 101, Account Definition Account 182.3,
Other Regulatory Assets, paragraph D.
\282\ Id.
---------------------------------------------------------------------------
[[Page 28369]]
154. We also find that, consistent with the Commission's
longstanding cost-causation ratemaking principles, only costs directly
assigned to a function or the conventionally allocated portion of
enterprise-wide expenses (e.g., using the wages and salaries allocator)
would be eligible for the Cybersecurity Regulatory Asset Incentive in
rates specific to that function. For example, only incentives for
transmission-specific or transmission-allocated costs may be recovered
in transmission rates.
3. Performance-Based Rates
a. NOPR Proposal
155. In the NOPR, the Commission noted that FPA section 219A(c)
directs the Commission to establish incentive-based, including
performance-based, rate treatments.\283\ The Commission observed that,
because it is difficult to directly observe the level of effort a
utility expends on ensuring cybersecurity, performance-based regulation
could theoretically provide a valuable tool to motivate utilities to
maintain and operate their systems reliably and efficiently. The
Commission explained that performance-based ratemaking can take
multiple forms, but ultimately requires the ability to measure and tie
rate treatments to actual performance.\284\
---------------------------------------------------------------------------
\283\ NOPR, 180 FERC ¶ 61,189 at P 44.
\284\ Id. P 44.
---------------------------------------------------------------------------
156. The Commission sought comment on performance-based rates and
whether and how the principles of performance-based regulation could
apply to utilities with respect to cybersecurity investments.\285\ The
Commission also sought comment on specific cybersecurity performance
metrics that could be subject to a performance standard.\286\ In
particular, the Commission sought comment on whether any widely
accepted metrics for cybersecurity performance could lend themselves as
benchmarks for performance-based rates, or whether new appropriate
metrics could be developed. The Commission further sought comment on
what rate mechanisms could accompany such metrics. The Commission asked
that any proposed mechanisms: (1) rely on cybersecurity performance
benchmarks and not expenditures or practices; and (2) consider
ratepayer impacts, given the relatively small costs of cybersecurity
expenditures compared to utilities' overall cost-of-service.
---------------------------------------------------------------------------
\285\ The Commission also explained that, consistent with Order
No. 679, which implemented FPA section 219, it interpreted the
directive to establish incentive-based, including performance-based,
rate treatments in FPA section 219A to require the Commission to
consider performance-based rates as an option among incentive
ratemaking treatments. Id. P 46 n.41.
\286\ Id. P 45.
---------------------------------------------------------------------------
b. Comments
157. No commenter explicitly supports performance-based rates with
respect to cybersecurity investments. EEI, Iowa Utilities Board, and
Ohio Consumers' Counsel all filed comments opposing this approach.\287\
EEI argues that, without clear, industry-wide metrics, a performance-
based program would be difficult to implement.\288\ Ohio Consumers'
Counsel states that setting a performance threshold for advanced
cybersecurity investment and activities is likely to be challenging,
given the rapid pace of development in both the types of cybersecurity
threats experienced and the technological advances used to counter
those threats.\289\ Iowa Utilities Board comments that performance
measurement for cybersecurity investments is difficult because, more
often than not, it would be difficult to pinpoint the root cause of
failure on a particular entity or process when there is a performance
failure.\290\
---------------------------------------------------------------------------
\287\ EEI Initial Comments at 12-13; Iowa Utilities Board
Initial Comments at 4; Ohio Consumers' Counsel Initial Comments at
14.
\288\ EEI Initial Comments at 12.
\289\ Ohio Consumers' Counsel Initial Comments at 14.
\290\ Iowa Utilities Board Initial Comments at 4.
---------------------------------------------------------------------------
158. Ohio FEA states that, if the Commission adopts performance-
based rates for cybersecurity incentives, it should neither choose
which expenses to approve nor check whether incurred expenses comply
with the utility's plans but should simply verify whether predetermined
outcomes have been achieved.\291\ Ohio FEA recommends that the
Commission consider developing resources, such as C2M2, to achieve a
performance monitoring tool that will aid in performance-based
rates.\292\
---------------------------------------------------------------------------
\291\ Ohio FEA Initial Comments at 12.
\292\ Id. at 12.
---------------------------------------------------------------------------
c. Commission Determination
159. We interpret the directive to establish incentive-based,
including performance-based, rate treatments in FPA section 219A to
require the Commission to consider performance-based rates as an option
among incentive ratemaking treatments. This interpretation is
consistent with the Commission's finding in Order No. 679 regarding
the directive to establish incentive-based (including performance-
based) rate treatments for investments in transmission infrastructure
in FPA section 219.\293\ Because of the Congressional directive to
encourage performance-based rates, the Commission signaled its
intention to reevaluate previous Commission policies on performance-
based rate treatments and attempt to offer such incentives in the
cybersecurity context. We recognize that performance-based regulation
could theoretically provide a valuable tool to motivate utilities to
maintain and operate their systems reliably and efficiently.
Performance-based ratemaking can take multiple forms, but ultimately
requires the ability to measure and tie rate treatments to actual
performance (i.e., the number and severity of cybersecurity incidents)
rather than intermediate steps such as specific cybersecurity protocols
or cybersecurity investments that intend to achieve that performance.
---------------------------------------------------------------------------
\293\ Order No. 679, 116 FERC ¶ 61,057 at P 270.
---------------------------------------------------------------------------
160. However, after evaluating the comments, we continue to find
that it is difficult to directly observe the success of a cybersecurity
investment. We share the view of commenters that it would be premature
to adopt generic performance-based rate measures at this time. However,
the development of performance-based rate measures may represent a
long-term goal for utilities and the Commission to pursue.
D. Cybersecurity Investment Incentive Implementation
1. Cybersecurity ROE Incentive Duration
a. NOPR Proposal
161. The Commission proposed to allow a utility granted a
Cybersecurity ROE Incentive to receive that incentive until the
earliest of: (1) the conclusion of the depreciation life of the
underlying asset; (2) five years from when the cybersecurity
investment(s) enter service; \294\ (3) the time that the investment(s)
or activities that serve as the basis of that incentive become
mandatory pursuant to a Reliability Standard approved by the
Commission, or local, State, or Federal law; or (4) the recipient no
longer meets the requirements for receiving the incentive.\295\ The
Commission recognized that incentive-eligible cybersecurity investments
primarily include equipment or system modifications that typically have
short depreciation lives, as opposed to long-lived assets like physical
structures. The Commission believed that most cybersecurity incentives
granted under this rulemaking would remain in effect
[[Page 28370]]
until the conclusion of the depreciation life of the underlying asset.
However, for investments with useful lives exceeding five years, the
Commission proposed that the incentive end at the conclusion of five
years from the time that the asset receiving the cybersecurity
incentive entered service, noting that most IT investments feature
useful lives no longer than five years. The Commission preliminarily
found that five years is a reasonable expected life to encourage
utilities to make an investment and to ensure just and reasonable
rates. The Commission also sought comment on whether the proposed
duration should be three years instead of five years.
---------------------------------------------------------------------------
\294\ For participation in a cybersecurity threat information
sharing program, the ``investment'' would recur annually.
\295\ NOPR, 180 FERC ¶ 61,189 at P 46.
---------------------------------------------------------------------------
b. Comments
162. EEI comments that the five-year depreciation period may be
reasonable, but, if the utility has a cybersecurity asset with a longer
depreciation life, the utility should have the option to make an
argument for a longer incentives period, depending on the investment on
a case-by-case basis.\296\ EEI further comments that, if an incentive
becomes mandatory, it is not clear why it must end automatically. EEI
argues that, for example, if the investment is in year three and then
in year four it becomes a mandatory standard, the utility would lose
the incentive moving forward and that this approach will dampen
potential incentives to do the work to be an early adopter of
promising, qualifying cybersecurity measures.\297\ AEP comments that
the proposed five-year duration is unlikely to drive utilities to
meaningfully reconsider their current and future investment in
cybersecurity.\298\
---------------------------------------------------------------------------
\296\ EEI Initial Comments at 13.
\297\ Id. at 14.
\298\ AEP Initial Comments at 4-5.
---------------------------------------------------------------------------
163. APPA, California Parties, the Electricity Consumers Resource
Council (ELCON), Ohio Consumers' Counsel, and TAPS state that the
Commission should limit the duration proposal to a maximum of three
years.\299\ California Parties, TAPS, and Ohio Consumers' Counsel argue
that setting the limit at three years better aligns with the fast-
evolving nature of cybersecurity technology, and that consumers should
not have to pay for technology that has become obsolete.\300\ APPA
comments that, where an asset has a useful life of no more than five
years, a three-year Cybersecurity ROE Incentive would apply to a large
portion, and potentially all, of the asset's useful life.\301\ APPA
states that the value of the Cybersecurity ROE Incentive to a utility
would decline over time as the underlying asset depreciates and reduces
the rate base to which the ROE adder is applied.\302\
---------------------------------------------------------------------------
\299\ APPA Initial Comments at 5; California Parties Initial
Comments at 22; ELCON Initial Comments at 4; Ohio Consumers' Counsel
Initial Comments at 15; TAPS Initial Comments at 18-19.
\300\ California State Parties Initial Comments at 25; Ohio
Consumers' Counsel Initial Comments at 15; TAPS Initial Comments at
19.
\301\ APPA Initial Comments at 16.
\302\ Id. at 16.
---------------------------------------------------------------------------
c. Commission Determination
164. As discussed in section III.C.1.c., we do not adopt the NOPR's
proposed Cybersecurity ROE Incentive. Consequently, we need not address
the duration of this incentive.
2. Cybersecurity Regulatory Asset Incentive Duration and Amortization
Period
a. NOPR Proposal
165. The Commission proposed to specify that a utility granted the
Cybersecurity Regulatory Asset Incentive must amortize the regulatory
asset over five years.\303\ The Commission stated that this may reflect
the generally short-lived nature of cybersecurity activities and
corresponds to the depreciation rates for investments described
above.\304\ The Commission observed that this period generally relates
to the expected useful life and associated cost-of-service amortization
period of cybersecurity investments.
---------------------------------------------------------------------------
\303\ As noted above, the cybersecurity investment for
participation in a cybersecurity threat information sharing program
would recur annually.
\304\ NOPR, 180 FERC ¶ 61,189 at P 47.
---------------------------------------------------------------------------
166. The Commission also proposed to specify that a utility granted
the Cybersecurity Regulatory Asset Incentive may defer eligible
expenses for up to five years from the date of Commission approval of
the incentive.\305\ Under this provision, the Commission proposed that
eligible expenses incurred for five years could be added to the
regulatory asset that is allowed in rate base and amortized over five
subsequent years.\306\ The Commission preliminarily found that this
limit would be appropriate, given the potentially indefinite nature of
certain expenses. The Commission stated that such a limit would also
reflect that cybersecurity risks and solutions evolve over time and
matches the proposed five-year maximum duration of the Cybersecurity
ROE Incentive. The Commission preliminarily found that a five-year
limit appropriately balances the goal of providing an incentive of a
sufficient size to encourage utilities to make eligible improvements in
their cybersecurity posture with the requirement to protect ratepayers.
---------------------------------------------------------------------------
\305\ Id. P 48.
\306\ The Commission proposed that, in their FPA section 205
filings, incentive recipients must include notes to their formula
rates specifying the Commission order(s) which approved the
incentive and stating that the associated Cybersecurity Regulatory
Asset Incentive must terminate at the earlier of: (1) five years
from the later of the date the Commission approved the incentive
or the date the expense was incurred; or (2) the cybersecurity
investment becoming mandatory.
---------------------------------------------------------------------------
167. However, the Commission proposed to make an exception to this
sunsetting provision for eligible cybersecurity threat information
sharing programs.\307\ The Commission noted that FPA section 219A(c)(2)
directs the Commission to provide incentives for participation in
cybersecurity threat information sharing programs. The Commission
preliminarily found that participation in such cybersecurity threat
information sharing programs, which provide participants with ongoing
updates about active cybersecurity threats and are therefore distinct
from other cybersecurity investments that may become obsolete with the
passage of time, warrants a different incentive treatment than other
investments. Consequently, the Commission proposed that utilities be
able to continue deferring these ongoing expenses and including them in
their rate base for each annual tranche of expenses, for as long as:
(1) the utility continues incurring costs for its participation in the
program; and (2) the program remains eligible for incentives.
---------------------------------------------------------------------------
\307\ NOPR, 180 FERC ¶ 61,189 at P 49.
---------------------------------------------------------------------------
b. Comments
168. EEI supports the NOPR proposal to make an exception to the
sunsetting provision for eligible cybersecurity threat information
sharing programs on the basis that they are distinct from discrete
cybersecurity investments that may become obsolete with the passage of
time.\308\ EEI comments that sharing information about the nature of
threats can help electric utilities react to and mitigate the
threat.\309\
---------------------------------------------------------------------------
\308\ EEI Initial Comments at 14.
\309\ Id. at 14.
---------------------------------------------------------------------------
169. EEI requests clarification that the amortization period would
be up to five years, but that five years is not the only duration
permissible for amortization.\310\
---------------------------------------------------------------------------
\310\ Id. at 14.
---------------------------------------------------------------------------
170. TAPS agrees with the Commission's preliminary finding that the
five-year limit balances the goals of ratepayer protection with
inducing the desired investment.\311\ Howev