Virtualization Reliability Standards
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Federal Energy Regulatory Commission (Commission) proposes to approve four new definitions and 18 modified definitions in the North American Electric Reliability Corporation (NERC) Glossary of Terms Used in Reliability Standards. The Commission also proposes to approve eleven modified Critical Infrastructure Protection (CIP) Reliability Standards. NERC, the Commission-certified electric reliability organization, submitted the proposed modifications to update the CIP Reliability Standards to enable the application of virtualization and other new technologies in a secure manner.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 182 (Tuesday, September 23, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 182 (Tuesday, September 23, 2025)]
[Proposed Rules]
[Pages 45679-45685]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-18395]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM24-8-000]
Virtualization Reliability Standards
AGENCY: Federal Energy Regulatory Commission.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes
to approve four new definitions and 18 modified definitions in the
North American Electric Reliability Corporation (NERC) Glossary of
Terms Used in Reliability Standards. The Commission also proposes to
approve eleven modified Critical Infrastructure Protection (CIP)
Reliability Standards. NERC, the Commission-certified electric
reliability organization, submitted the proposed modifications to
update the CIP Reliability Standards to enable the application of
virtualization and other new technologies in a secure manner.
DATES: Comments are due November 24, 2025.
ADDRESSES: Comments, identified by docket number, may be filed in the
following ways. Electronic filing through <a href="http://www.ferc.gov">http://www.ferc.gov</a>, is
preferred.
• Electronic Filing: Documents must be filed in acceptable
native applications and print-to-PDF, but not in scanned or picture
format.
• For those unable to file electronically, comments may be
filed by USPS mail or by hand (including courier) delivery.
○ Mail via U.S. Postal Service Only: Addressed to: Federal
Energy Regulatory Commission, Secretary of the Commission, 888 First
Street NE, Washington, DC 20426.
○ Hand (including courier) delivery: Deliver to: Federal Energy
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
The Comment Procedures Section of this document contains more
detailed filing procedures.
FOR FURTHER INFORMATION CONTACT:
Mayur Manchanda (Technical Information), Office of Electric
Reliability, Federal Energy Regulatory Commission, 888 First Street NE,
Washington, DC 20426, (202) 502-6166, Mayur.Manchanda@ferc.gov
Chanel Chasanov (Legal Information), Office of General Counsel, Federal
Energy Regulatory Commission, 888
[[Page 45680]]
First Street NE, Washington, DC 20426, (202) 502-8569,
Chanel.Chasanov@ferc.gov
Alan J. Rukin (Legal Information), Office of General Counsel, Federal
Energy Regulatory Commission, 888 First Street NE, Washington, DC
20426, (202) 502-8502, Alan.Rukin@ferc.gov
SUPPLEMENTARY INFORMATION:
I. Introduction
1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\
we propose to approve four new definitions and 18 proposed revisions
to existing definitions in the North American Electric Reliability
Corporation (NERC) Glossary of Terms Used in Reliability Standards
(Glossary). We also
propose to approve 11 proposed Critical Infrastructure Protection (CIP)
Reliability Standards. NERC submitted the proposed modifications to
update the CIP Reliability Standards to enable the application of
virtualization and other new technologies in a secure manner.\2\ We
also propose to approve the associated violation risk factors,
violation severity levels, implementation plans, and effective dates
for the proposed Reliability Standards, as well as to approve the
retirement of the currently effective version of each proposed
Reliability Standard.
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o(d)(2).
\2\ See NERC Petition at 2-5. Virtualization is ``the process of
creating virtual, as opposed to physical, versions of computer
hardware to minimize the amount of physical hardware resources
required to perform various functions.'' NERC Petition at 12
(quoting National Institute of Standards and Technology (NIST),
Guide to Security for Full Virtualization Technologies, Special
Publication 800-125 (Jan. 2011) (NIST Virtualization Security
Special Publication)).
---------------------------------------------------------------------------
2. We support NERC's efforts to update the CIP Reliability
Standards to accommodate virtualization and other nascent technologies.
These proposed updates will allow responsible entities to enhance their
reliability and security posture by adapting to emerging risks with
forward-looking security models. As NERC explains, the current
framework for CIP Reliability Standards ``was designed around the
concept that devices have a one-to-one relationship between software
and hardware,'' \3\ and CIP-mandated controls such as perimeter-based
security were designed to fit this concept. However, ``technology
supporting and enabling the industrial control systems that operate the
Bulk-Power System has evolved rapidly.'' \4\ To accommodate this
evolution, NERC has updated the CIP Reliability Standards to provide
responsible entities the flexibility to adopt virtualization and other
new technologies ``to operate their systems effectively and efficiently
while maintaining a robust security posture.'' \5\ The proposed
modifications do not obligate entities to adopt virtualization, rather,
if approved, the proposed CIP Reliability Standards would accommodate
responsible entities that choose to do so. NERC highlights the
reliability benefits of virtualization, including ``increased uptime,
fast recovery capability, and flexible architecture that can instantly
adapt to changing workloads.'' \6\ We agree that these potential
reliability benefits are worth pursuing, and we continue to support
efforts by NERC and responsible entities to facilitate the use of
technological advancements that enhance the reliability and security of
the Bulk-Power System.
---------------------------------------------------------------------------
\3\ NERC Petition at 4.
\4\ Id. at 2.
\5\ Id. at 16 & Ex. D (standard drafting team white paper titled
Virtualization and Future Technologies: The Case for Change).
\6\ Id. at 16.
---------------------------------------------------------------------------
3. While we propose to approve the proposed CIP Reliability
Standard modifications, we have questions regarding the proposed
language (repeated in multiple Requirements) that would replace the
phrase where technically feasible with the phrase per system
capability.\7\ NERC explains that the revision would eliminate the
technical feasibility exceptions and associated reporting and approval
process. Going forward, responsible entities would still be required to
document an identified limit to a system capability and simply retain
the documentation for review upon audit or other compliance
activity.\8\ We recognize NERC's efforts to alleviate administrative
burdens associated with the current technical feasibility exception
process. Nonetheless, we are concerned that the proposed phrase per
system capability would eliminate transparency and meaningful
Commission and NERC oversight by introducing a self-implementing
exceptions process with no reporting obligations. Thus, as discussed
below, we seek comments on this aspect of the NERC proposal, including
alternative approaches, which will assist the Commission in formulating
a possible directive in a final rule.
---------------------------------------------------------------------------
\7\ See NERC Rules of Procedure section 412 (Requests for
Technical Feasibility Exceptions to NERC Critical Infrastructure
Protection Reliability Standards), Appendix 4D (Procedure for
Requesting and Receiving Technical Feasibility Exceptions to NERC
Critical Infrastructure Protection Reliability Standards).
\8\ See NERC Petition at 29-30; see also NERC Supplemental
Petition at 26 (an entity relying on the system capability exception
``will need to document the limit to the system's capability and
demonstrate during compliance monitoring activities that the
system's incapability prevents the Responsible Entity from
implementing the control within the requirement'').
---------------------------------------------------------------------------
II. Background
A. Section 215 and Mandatory Reliability Standards
4. Section 215 of the FPA provides that the Commission may certify
an Electric Reliability Organization (ERO), the purpose of which is to
develop mandatory and enforceable Reliability Standards, subject to
Commission review and approval.\9\ Reliability Standards may be
enforced by the ERO, subject to Commission oversight, or by the
Commission independently.\10\ Pursuant to section 215 of the FPA, the
Commission established a process to select and certify an ERO,\11\ and
subsequently certified NERC.\12\
---------------------------------------------------------------------------
\9\ 16 U.S.C. 824o(c).
\10\ Id. 824o(e).
\11\ Rules Concerning Certification of the Elec. Reliability
Org.; & Procs. for the Establishment, Approval, & Enf't of Elec.
Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006),
114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814
(Apr. 18, 2006), 114 FERC ¶ 61,328 (2006); see also 18 CFR 39.4(b).
\12\ N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on
reh'g & compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa,
Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
B. Virtualization
5. Virtualization is the process of creating virtual, as opposed to
physical, versions of computer hardware to minimize the amount of
physical computer hardware resources required to perform various
functions.\13\ NERC explains three virtualization concepts: (1) shared
resources; (2) virtual machines; and (3) containers. First,
virtualization allows the sharing of hardware, central processing
units, memory, storage, and other resources among various operating
systems (i.e., guest operating systems).\14\ Second, a virtual machine
is a software version of a single physical computer and performs all
the same functions. Virtual machines have operating systems and can run
application programs, store data, connect to networks, and perform
functions identical to a physical computer. Third, containers are
software packages that encapsulate an application and its
dependencies in an isolated environment, separate from other applications
or containers. A container is not a virtual machine; a container shares
operating system resources from the host computer in
[[Page 45681]]
which it resides. The host computer can be either a physical or virtual
machine. Containers interact with other applications and services on
the host computer through defined interfaces.
---------------------------------------------------------------------------
\13\ See Virtualization & Cloud Computing Servs., Notice of
Inquiry, 170 FERC ¶ 61,110, at P 4 (2020) (Virtualization and Cloud
NOI) (citing NIST Virtualization Security Special Publication).
\14\ See NERC Petition at 13.
---------------------------------------------------------------------------
C. NERC Petition and Supplement
6. On July 10, 2024, as supplemented on May 20, 2025,\15\ NERC
submitted for Commission approval four newly defined terms (Cyber
System, Management Interface, Shared Cyber Infrastructure, and Virtual
Cyber Asset) to support the virtualization-related modifications to the
proposed CIP Reliability Standards. Likewise, NERC submitted 18
proposed revisions to defined terms within the NERC Glossary (BES Cyber
Asset, BES Cyber System, BES Cyber System Information, CIP Senior
Manager, Cyber Assets, Cyber Security Incident, Electronic Access
Control or Monitoring Systems, Electronic Access Point, External
Routable Connectivity, Electronic Security Perimeter, Interactive
Remote Access, Intermediate System, Physical Access Control Systems,
Physical Security Perimeter, Protected Cyber Asset, Removable Media,
Reportable Cyber Security Incident, and Transient Cyber Asset).
---------------------------------------------------------------------------
\15\ On May 20, 2025, NERC submitted a supplemental petition
identifying errata to proposed Reliability Standards CIP-006-7, CIP-
007-7, CIP-008-7, CIP-009-7, and CIP-011-4, as well as additional
justifications for technical concepts within the proposed Standards.
---------------------------------------------------------------------------
7. NERC submitted 11 proposed CIP Reliability Standards and the
associated violation risk factors and violation severity levels,
implementation plans, and effective dates for the relevant CIP
Standards.\16\ Finally, NERC proposed the retirement of the
corresponding versions of the currently effective Reliability
Standards.\17\
---------------------------------------------------------------------------
\16\ The proposed Reliability Standards are not attached to this
notice of proposed rulemaking (NOPR). The proposed Reliability
Standards are available on the Commission's eLibrary document
retrieval system in Docket No. RM24-8-000 and on the NERC website,
<a href="http://www.nerc.com">www.nerc.com</a>.
\17\ See NERC Petition at 1-2. In addition to the
virtualization-related modifications in the proposed Reliability
Standards, NERC included administrative revisions throughout the
proposed Reliability Standards. For example, some revisions aligned
the proposed Reliability Standards to other Standards or NERC
initiatives. Id. at 55-56.
---------------------------------------------------------------------------
8. Specifically, NERC seeks Commission approval of the following 11
modified CIP Reliability Standards:
• CIP-002-7 (Cyber Security--BES Cyber System Categorization)
• CIP-003-10 (Cyber Security--Security Management Controls) \18\
---------------------------------------------------------------------------
\18\ On December 24, 2024, NERC submitted a petition for
approval of proposed Reliability Standard CIP-003-11 (Cyber
Security--Security Management Controls), in Docket No. RM25-8-000.
In the NOPR for Docket No. RM25-8-000 issued concurrent with this
NOPR, the Commission proposes to take action on proposed Reliability
Standard CIP-003-11, Critical Infrastructure Protection Reliability
Standard CIP-003-11, 192 FERC ¶ 61,227 (2025).
---------------------------------------------------------------------------
• CIP-004-8 (Cyber Security--Personnel & Training)
• CIP-005-8 (Cyber Security--Electronic Security Perimeter(s))
• CIP-006-7.1 (Cyber Security--Physical Security of BES Cyber
Systems) \19\
---------------------------------------------------------------------------
\19\ See NERC Supp. Petition at 3 (making errata corrections to
several CIP Standards, designated with a ``.1'' in the version
number, e.g., CIP-006-7.1).
---------------------------------------------------------------------------
• CIP-007-7.1 (Cyber Security--Systems Security Management)
• CIP-008-7.1 (Cyber Security--Incident Reporting and Response
Planning)
• CIP-009-7.1 (Cyber Security--Recovery Plans for BES Cyber
Systems)
• CIP-010-5 (Cyber Security--Configuration Change Management and
Vulnerability Assessments)
• CIP-011-4.1 (Cyber Security--Information Protection)
• CIP-013-3 (Cyber Security--Supply Chain Risk Management)
9. NERC asserts that the proposed Reliability Standards would
facilitate the use of the full range of virtualization
technologies.\20\ According to NERC, the proposed Reliability Standards
would allow responsible entities to fully implement virtualization and
address risks associated with virtualized environments, such as ``side
channel'' attacks where virtual systems executing on the same hardware
could affect one another.\21\ NERC also states that the use of security
objectives within the CIP Reliability Standards establishes a framework
adaptable to newer technologies.\22\
---------------------------------------------------------------------------
\20\ See NERC Petition at 4.
\21\ NERC Petition at 4.
\22\ Id. at 5.
---------------------------------------------------------------------------
10. NERC explains that its revisions would: (1) support different
security models by adjusting language around perimeter-based models to
accommodate other security models; (2) recognize ``virtualization
infrastructure and virtual machines through new and revised terms in
the NERC Glossary;'' (3) broaden ``change management approaches beyond
a baseline-only configuration to recognize the dynamic nature of
virtualized technologies,'' e.g., where such virtualized systems are no
longer installed on specific servers; and (4) manage ``accessibility
and attack surfaces of a virtualized configuration.'' \23\ In addition
to the changes to facilitate virtualization, the proposed Reliability
Standards incorporate clarifications found during the implementation of
prior versions of the CIP Standards.\24\
---------------------------------------------------------------------------
\23\ Id.
\24\ Id. at 6.
---------------------------------------------------------------------------
11. NERC explains that to accommodate different security models,
the proposed revisions would allow responsible entities either to
continue to use a perimeter model or to adopt more policy-based
controls suited to virtual environments. For example, NERC explains
that the requirement in currently effective Reliability Standard
CIP-005-7 (to implement a perimeter-based network security model)
limited responsible entities to a single security model, and so NERC
proposed to revise the standard to focus on the security objective of
securing communications to and from BES Cyber Systems. The standard
drafting team removed the concept of being ``inside'' an electronic
security perimeter, replaced it with broader language such as
``protected by'' an electronic security perimeter, and revised the
definitions of Electronic Security Perimeter, Electronic Access Point,
and External Routable Connectivity.\25\
---------------------------------------------------------------------------
\25\ Id. at 21-22.
---------------------------------------------------------------------------
12. To better recognize virtualization infrastructure and address
how hardware relates to the software and data, NERC explains that the
proposed Reliability Standards permit responsible entities to use
protections that are appropriate and secure for virtualization by
applying protections where they are needed rather than relying on a
one-to-one relationship between hardware and software in the currently
defined cyber assets. To account for virtual machines and their
underlying infrastructure, the standard drafting team also revised the
definition of Cyber Asset and added the new terms Virtual Cyber Asset,
Shared Cyber Infrastructure, Management Interface, and Cyber
System.\26\
---------------------------------------------------------------------------
\26\ NERC Petition at 22-24.
---------------------------------------------------------------------------
13. NERC explains that the proposed Reliability Standards broaden
configuration change management to reflect characteristics of the
technologies enabled by virtualization.\27\ According to NERC,
controlling configuration changes helps ensure that ``neither adverse
impacts nor unauthorized changes occur'' \28\ and that the proposed
revisions to the Standards would let responsible entities ``focus more
on a forward-looking authorization of a change rather than a
[[Page 45682]]
backward-looking baseline update for compliance purposes.'' \29\
---------------------------------------------------------------------------
\27\ Id. at 24-26.
\28\ Id. at 25.
\29\ Id. at 26.
---------------------------------------------------------------------------
14. Finally, NERC describes the updated approach to managing
accessibility and reducing the attack surface in virtualized
environments due to shared resources.\30\ For example, where the
currently-effective Reliability Standard CIP-007-6, Requirement R1
focuses on disabling or restricting unneeded ports or services, the
proposed Reliability Standard CIP-007-7.1, Requirement R1, holds the
security objective of preventing unneeded routable protocol network
accessibility, thereby accommodating more varied security controls.
---------------------------------------------------------------------------
\30\ Id.
---------------------------------------------------------------------------
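As an added illustration of the security objective described in
paragraph 14 (this example is not part of the NOPR, the NERC petition,
or the CIP Reliability Standards), the following Python script
evaluates a host's listening sockets against an approved-listener
list. It parses the output format of the Linux `ss -ltunp` command,
treats sockets bound only to loopback addresses as not network
accessible, and reports every other listener whose protocol and port
are not on the approved list. The sample `ss` output, the approved
list, and the process names in it are constructed for this example
and do not describe any real system.

```python
"""Audit listening sockets against an approved-listener list.

Added example; not part of the NOPR or the CIP Reliability Standards.
It reads the output format of `ss -ltunp` on Linux and reports
listeners reachable over routable interfaces that are not on the
entity's approved list. All sample data below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltunp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=905,fd=7))
tcp   LISTEN 0      100    10.10.5.20:502      0.0.0.0:*         users:(("modbusd",pid=1201,fd=5))
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("python3",pid=2210,fd=4))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096   [::1]:5432          [::]:*            users:(("postgres",pid=1500,fd=6))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=777,fd=6))
"""

# Hypothetical approved-listener list: (protocol, port) -> documented need.
APPROVED_LISTENERS = {
    ("tcp", 22): "SSH for Interactive Remote Access via the Intermediate System",
    ("tcp", 502): "Modbus/TCP polling of field devices",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str


_PROC_RE = re.compile(r'"([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltunp` lines into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.strip("[]")  # IPv6 addresses are printed in brackets
        match = _PROC_RE.search(fields[6]) if len(fields) > 6 else None
        listeners.append(Listener(proto, addr, int(port),
                                  match.group(1) if match else "?"))
    return listeners


def is_routable_binding(addr: str) -> bool:
    """True if another host could reach the socket: a wildcard bind
    ('*', 0.0.0.0, ::) or any non-loopback address."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def audit(output: str, approved: dict) -> list[Listener]:
    """Return listeners that are network accessible and not approved.
    Loopback-only listeners are not findings: they are not reachable
    over a routable protocol, which is the stated objective."""
    return [l for l in parse_ss(output)
            if is_routable_binding(l.address)
            and (l.proto, l.port) not in approved]


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT, APPROVED_LISTENERS):
        print(f"UNAPPROVED {f.proto}/{f.port} bound to {f.address} ({f.process})")
```

Run against the constructed sample, the script reports the 8080/tcp
listener and the 161/udp listener; the loopback-only CUPS and
PostgreSQL sockets are excluded because they are not network
accessible, and the SSH and Modbus listeners are on the approved list.
On a real host, pipe `ss -ltunp` output into `audit` and keep the
approved list under change control so that each entry carries its
documented need.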
15. In addition to the virtualization modifications described
above, NERC proposes to replace the phrase technical feasibility, which
appears in nine Requirements of the currently effective CIP Standards,
with the phrase per system capability.\31\ NERC also proposes to add
the phrase per system capability in six Requirements with no existing
technical feasibility exception language.\32\ NERC explains that the
phrase per system capability is used to ``account for different types
of technology that will be expected to meet the security objective of a
particular CIP Reliability Standard.'' \33\ According to NERC, ``should
a Responsible Entity choose to rely on the new term, the Responsible
Entity will need to document the limit to the system's capability and
demonstrate during compliance monitoring activities that the system's
incapability prevents the Responsible Entity from implementing the
control within the requirement.'' \34\ NERC adds that it and the
Regional Entities have observed a significant decrease in the number of
submitted technical feasibility exceptions and that replacing the
phrase with per system capability would ease the administrative burden
associated with the current process.
---------------------------------------------------------------------------
\31\ NERC Petition at 28-29.
\32\ In all, NERC proposes to add the phrase per system
capability to proposed Reliability Standards as follows: CIP-005-8,
Requirements R1.3, R1.4, R2; CIP-006-7.1, Requirement R1.3; CIP-007-
7.1, Requirements R1.1, R4.1, R4.2, R4.3, R5.1, R5.4, R5.6, R5.7;
CIP-009-7.1 Requirement R1.5; and CIP-010-5, Requirements R2.1,
R3.2.
\33\ NERC Petition at 28.
\34\ NERC Supplemental Petition at 26.
---------------------------------------------------------------------------
16. NERC's proposed implementation plan provides that the proposed
Reliability Standards and definitions shall become effective on the
later of April 1, 2026, or the first day of the first calendar quarter
that is 24 months after the effective date of the applicable
governmental authority's order approving the Reliability Standards and
definitions, or as otherwise provided for by the applicable
governmental authority. NERC states that its proposed implementation
plan balances the urgency to implement the requirements with the time
needed to develop any relevant capabilities.\35\
---------------------------------------------------------------------------
\35\ NERC Petition at 59.
---------------------------------------------------------------------------
III. Discussion
17. Pursuant to section 215(d)(2) of the FPA, we propose to approve
the 11 proposed modified CIP Reliability Standards, as well as four
newly proposed definitions and 18 proposed revisions to the definitions
set forth in the NERC Glossary, as just, reasonable, not unduly
discriminatory or preferential, and in the public interest. The
proposed new and revised definitions should provide a clear and
consistent understanding of the terms across all Reliability Standards.
We also propose to approve the associated violation risk factors,
violation severity levels, implementation plans, and effective dates of
the 11 modified CIP Reliability Standards, as well as to approve the
retirement of the associated currently effective Reliability Standards.
18. As described by NERC, the proposed CIP Reliability Standards
would provide the opportunity for responsible entities to implement
virtualization technologies in a secure manner. We are supportive of
NERC's efforts to allow responsible entities to take advantage of the
efficiencies and flexibilities afforded by virtualization and other
emerging technologies, and encourage interested responsible entities to
do so, while mindful of the need for a secure electric grid. We believe
that the proposed modifications represent a necessary and forward-
looking progression of cybersecurity requirements for the bulk electric
system, designed to enhance reliability and accommodate technological
advancements. While below we solicit comment regarding our concerns
pertaining to one proposed modification, we seek comments on all
aspects of these proposed Reliability Standards and definitions.
19. The initial (version 1) set of eight CIP Reliability Standards,
submitted by NERC in 2006, included the phrase technical feasibility to
allow an exception from compliance with certain CIP Standard provisions
based on the concern that strict compliance would force the early
retirement of some long-life legacy equipment. In Order No. 706, the
Commission approved the version 1 CIP Reliability Standards but
expressed concern about self-implementing technical feasibility
exceptions.\36\ To assure accountability, the Commission directed NERC
to develop procedures for an entity to seek approval by submitting an
application to the ERO that includes justification for the technical
feasibility exception, plans for alternative mitigation, and
remediation plans to eventually eliminate use of the technical
feasibility exception.\37\ Order No. 706 also required that the ERO
submit to the Commission an annual report on the use of technical
feasibility exceptions and reliability impacts. NERC developed and the
Commission approved the directed technical feasibility procedures.\38\
---------------------------------------------------------------------------
\36\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ¶
61,040, order on clarification, Order No. 706-A, 123 FERC ¶ 61,174
(2008), order on clarification, Order No. 706-B, 74 FR 12544 (Mar.
25, 2009), 126 FERC ¶ 61,229, order deny'g request for
clarification, Order No. 706-C, 74 FR 30067 (Jun. 24, 2009), 127
FERC ¶ 61,273 (2009).
\37\ Id. PP 192-194, 209-211, 222.
\38\ E.g., N. Am. Elec. Reliability Corp., 130 FERC ¶ 61,050
(2010).
---------------------------------------------------------------------------
20. NERC now proposes to replace technical feasibility exception
language within currently effective CIP Reliability Standards with the
phrase per system capability. We are mindful that the NERC proposal
would eliminate the administrative burden associated with the technical
feasibility exception process, which requires a responsible entity to
submit a request with supporting documentation to a Regional Entity for
review and approval. Nonetheless, we are concerned that the replacement
language, ``per system capability'' within certain of the proposed CIP
Reliability Standards, would allow responsible entities to self-
implement an exception with marginal oversight and no alternative
mitigation obligation, in contrast to the current accountability-based
process for technical feasibility exceptions.\39\
---------------------------------------------------------------------------
\39\ Id. at section 3.2 (``A [Technical Feasibility Exception]
does not relieve the Responsible Entity of its obligation to comply
with the Applicable Requirement. Rather, a [Technical Feasibility
Exception] authorizes an alternative . . . means of compliance with
the Applicable Requirement through the use of compensating measures
and/or mitigating measures that achieve at least a comparable level
of security. . . .''); see also Order No. 706, 122 FERC ¶ 61,040 at
P 222.
---------------------------------------------------------------------------
21. As we understand NERC's petition, responsible entities
declaring the new system capability exceptions must document them. This
documentation must be made available if and when audited by a Regional
Entity (or other compliance activity). We are concerned that under
NERC's proposal neither the ERO nor the Commission would have any
information on the number of
[[Page 45683]]
exceptions that entities have taken and in what circumstances, except
for those that were identified during an audit (or other compliance
activity). Further, because neither the proposed Reliability Standards
nor the NERC petition provides any definition or parameters for
entities to self-declare a capability exception,\40\ we are concerned
about potential inconsistent outcomes both in the entity self-
implementation and Regional Entity audits. Based on similar concerns,
the Commission has demurred on previous proposals to allow self-
implementing CIP exceptions.\41\
---------------------------------------------------------------------------
\40\ Cf., id. at section 3.1 (delineating six parameters for
seeking a Technical Feasibility Exception).
\41\ See, e.g., Order No. 706, 122 FERC ¶ 61,040 at P 150
(directing NERC to remove ``acceptance of risk'' language from CIP
Standards because the term represents ``an uncontrolled exception
from compliance that creates unnecessary uncertainty about the
existence of potential vulnerabilities. Responsible entities should
not be able to opt out of compliance with mandatory Reliability
Standards''); Version 5 CIP Standards Infrastructure Protection
Reliability Standards, Order No. 791, 78 FR 72756 (Dec. 3, 2013),
145 FERC ¶ 61,160, at PP 67-71 (2013) (rejecting proposed
``identify, assess, and correct'' language within CIP Standards as
``ambiguous and results in an unacceptable amount of uncertainty
with regard to consistent application, responsible entities
understanding their obligations, and NERC and the regions providing
consistent application in audits and other compliance settings.'').
---------------------------------------------------------------------------
22. Moreover, we note that the technical feasibility exception
process was initiated in the earliest versions of the CIP Reliability
Standards to primarily address legacy equipment that was incapable of
CIP compliance without early retirement or other unduly burdensome
costs.\42\ It has been over 15 years since NERC began to approve
technical feasibility exceptions; thus, it is reasonable to expect that
legacy equipment would have been replaced, obviating the need for any
sort of exception language. Yet technical feasibility exceptions
continue.\43\
---------------------------------------------------------------------------
\42\ See Order No. 706, 122 FERC ¶ 61,040 at P 181 (explaining
that ``the justification for technical feasibility exceptions is
rooted in the problem of long-life legacy equipment and the economic
considerations involved in the replacement of such equipment before
the end of its useful life'' and eventually all equipment should
achieve full compliance when legacy equipment is retired or
upgraded).
\43\ See N. Am. Elec. Reliability Corp., Annual Report of the
North American Electric Reliability Corporation on Wide-Area
Analysis of Technical Feasibility Exceptions, Docket Nos. RR10-1-
000, RR13-3-000 at 7-8 (filed Sept. 27, 2024).
---------------------------------------------------------------------------
23. In light of the above discussion, we are inclined to direct
that NERC develop modifications that would either remove any form of
exception (i.e., technical feasibility and per system capability) or
reinstate the technical feasibility language. Considering the maturity
of the technical feasibility exception program over the past 15 years
and NERC's interest in minimizing the administrative burden, the
Commission is also interested in comments on a potential streamlined
process that satisfies the fundamental needs for consistency, oversight
and alternative mitigation. To assist the Commission in determining the
need for a directive on this matter in a final rule and fashioning its
content, we seek comment on the following three areas of inquiry.
24. First, regarding the efficacy of the technical feasibility
exception program: (1) why is there still a need to maintain an
exception process for legacy equipment after 15 years; and (2) specify
the administrative burdens associated with the current Technical
Feasibility Exception program--have the burdens changed with the
maturity of the program?
25. Second, regarding the proposed per system capability language,
do NERC or stakeholders anticipate that the proposed CIP changes to
accommodate virtualization technology would result in responsible
entities seeking new exceptions using the per system capability
language (beyond the legacy technical feasibility exceptions)? For new
exceptions: (1) how will NERC and/or the Regional Entities monitor
system capability exceptions other than through CIP compliance
activities (i.e., audits); (2) what parameters or guidance will inform
responsible entities on legitimate circumstances to self-implement a
system capability exception; (3) what obligations does a responsible
entity have to implement alternative mitigation measures in lieu of
strict compliance; \44\ and (4) how will NERC assure consistency in the
review of system capability exceptions across all Regional Entities?
---------------------------------------------------------------------------
\44\ See NERC Rules of Procedure App. 4D at 3.2 (stating that a
technical feasibility exception does not relieve an entity from a
CIP compliance obligation but rather authorizes an alternative to
strict compliance).
---------------------------------------------------------------------------
26. Third, we seek comment on possible alternative approaches that
would streamline the process while also satisfying the need for
effective regulatory oversight. For example, we would be interested in
comments on an approach that would streamline the administrative burden
of the current technical feasibility exception process for system
capability exceptions while maintaining a requirement to mitigate the
noncompliance and reporting of exceptions (and material changes
thereto) to the applicable Regional Entity. Comments supporting an
alternative approach should include an estimate of the administrative
burden, the periodicity for reassessment (if any) and Regional Entity
validation (if any), and any other relevant features or details (e.g.,
reporting requirements to the Commission).
IV. Information Collection Statement
27. The Commission bases its paperwork burden estimates on the
additional paperwork burden presented by the proposed revisions to
Reliability Standards filed by NERC for Commission approval. Proposed
revisions focus on security objectives rather than specific controls
for system security management to accommodate virtualized environments.
Proposed Reliability Standards are objective-based and allow entities
to choose compliance approaches best tailored to their systems. The
proposed revisions to the CIP Reliability Standards would allow
responsible entities the opportunity to take advantage of the benefits
of advanced virtualization features while also preserving their choice
to maintain current secure perimeter-based network architecture, which
continues to be a valid network security model.
28. Proposed Reliability Standards do not require responsible
entities to submit any filings with either the Commission or NERC as
the ERO. Entities, however, are required to maintain documentation
adequate to demonstrate compliance with the proposed Reliability
Standards. Commission and NERC staff conduct periodic audits of
entities and auditors rely on the entity's documentation in determining
compliance with Reliability Standards. While entities retain
flexibility on how they choose to demonstrate compliance, the
Reliability Standards include Compliance Measures providing examples of
the type of documentation an entity may want to develop and maintain to
demonstrate compliance. The reporting burden below is based on the
Compliance Measurements provided in the revised Reliability Standards.
29. As of June 2025, the NERC Compliance Registry identifies
approximately 1,673 unique U.S. entities that are subject to mandatory
compliance with CIP Reliability Standards. All 1,673 entities would
need to conform to modifications proposed under Reliability Standard
CIP-002-7. However, as stated in NERC petition, the revisions in
proposed Reliability Standard CIP-002-7 are minor, mostly aligning the
standard with updates to the NERC Glossary.\45\
[[Page 45684]]
Therefore, we do not envision an increased paperwork burden
specifically pertaining to any modifications in proposed Reliability
Standard CIP-002-7. However, of the 1,673 total entities, we estimate
that 400 entities will face an increased paperwork burden under the
revisions proposed in Reliability Standards CIP-003-10, CIP-004-8, CIP-
005-8, CIP-006-7.1, CIP-007-7.1, CIP-008-7.1, CIP-009-7.1, CIP-010-5,
CIP-011-4.1, and CIP-013-3. Based on these assumptions, the estimated
reporting burden is as follows:
---------------------------------------------------------------------------
\45\ NERC Petition at 38.
\46\ The paperwork burden estimate includes costs associated
with the initial development of a policy to address the
requirements.
\47\ This burden applies in Year One to Year Three.
The loaded hourly wage figure (includes benefits) is based on
the average of three occupational categories for May 2024 Wages
found on the Bureau of Labor Statistics website (<a href="http://www.bls.gov/oes/current/naics2_22.htm">http://www.bls.gov/oes/current/naics2_22.htm</a>). The loaded hourly wage includes fringe
benefits divided by 81.70 percent. See <a href="https://data.bls.gov/oes/#/industry/000000:">https://data.bls.gov/oes/#/industry/000000:</a>.
Legal Occupations (90th percentile)(Occupation Code: 23-0000):
$140.76.
Electrical Engineer (mean)(Occupation Code: 17-2071): $71.19.
Office and Administrative Support (90th percentile)(Occupation
Code: 43-0000): $43.83.
($140.76 + $71.19 + $43.83) / 3 = $85.26.
The figure is rounded to $85.00 for use in calculating wage
figures in this NOPR.
The estimated responses and burden hours for Years 1-3 will
total respectively as follows:
<bullet> Year 1-3 total: 400 responses; 230,800 hours.
The annual cost burden for each of Years One to Three is $6,539,333.
Total Changes Proposed by the NOPR in Docket RM24-8-000 \46\
-----------------------------------------------------------------------------------------------------------------------------------------------
                                        Number of    Annual number   Total number   Average burden &       Total annual burden    Cost per
                                        respondents  of responses    of responses   cost per response      hours & total annual   respondent
                                                     per respondent                 \47\                   cost ($)
                                        (1)          (2)             (1)*(2)=(3)    (4)                    (3)*(4)=(5)            (5)/(1)
-----------------------------------------------------------------------------------------------------------------------------------------------
Conforming to modifications proposed    1,673        1               1,673          Commission does not anticipate any material information
under Reliability Standard CIP-002-7.                                               collection costs associated with CIP-002-7.
Update compliance related documentation 400          1               400            577 hrs.; $49,045      230,800 hrs.;          $49,045
of one or more process(es) pertaining                                                                      $19,618,000
to proposed Reliability Standards:
CIP-003-10, CIP-004-8, CIP-005-8,
CIP-006-7.1, CIP-007-7.1, CIP-008-7.1,
CIP-009-7.1, CIP-010-5, CIP-011-4.1,
and CIP-013-3.
Total burden                                                         400                                   230,800 hrs.;          $49,045
                                                                                                           $19,618,000
-----------------------------------------------------------------------------------------------------------------------------------------------
V. Environmental Analysis
30. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\48\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\49\ The actions proposed
herein fall within this categorical exclusion in the Commission's
regulations.
---------------------------------------------------------------------------
\48\ Reguls. Implementing the Nat'l Env't. Pol'y Act, Order No.
486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. ¶ 30,783
(1987) (cross-referenced at 41 FERC ¶ 61,284).
\49\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------
VI. Regulatory Flexibility Act Analysis
31. The Regulatory Flexibility Act of 1980 (RFA) \50\ generally
requires a description and analysis of proposed rules that will have
significant economic impact on a substantial number of small entities.
The Small Business Administration's (SBA) Office of Size Standards
develops the numerical definition of a small business.\51\ The SBA
revised its size standard for electric utilities (effective March 17,
2023) to a standard based on the number of employees, including
affiliates (from the prior standard based on megawatt hour sales).\52\
---------------------------------------------------------------------------
\50\ 5 U.S.C. 601-612.
\51\ 13 CFR 121.101.
\52\ 13 CFR 121.201, Subsector 221 (Utilities).
---------------------------------------------------------------------------
32. The SBA sets the threshold for what constitutes a small
business. Under SBA's size standards, transmission owners all fall
under the category of Electric Bulk Power Transmission and Control
(NAICS code 221121), with a size threshold of 950 employees (including
the entity and its associates). Based on the Compliance Registry, we
have selected the 288 applicable Generator Owner (GO) and Generator
Operator (GOP) entities, and we have determined that approximately 87%
of the GOs and 67% of the GOPs among the listed entities are small
entities (i.e., with fewer than 950 employees).
33. According to SBA guidance, the determination of significance of
impact ``should be seen as relative to the size of the business, the
size of the competitor's business, the number of filers received
annually, and the impact this regulation has on larger competitors.''
\53\
---------------------------------------------------------------------------
\53\ U.S. Small Business Admin., A Guide for Government Agencies
How to Comply with the Regulatory Flexibility Act, 18 (Aug. 2017),
<a href="https://advocacy.sba.gov/wp-content/uploads/2019/06/How-to-Comply-with-the-RFA.pdf">https://advocacy.sba.gov/wp-content/uploads/2019/06/How-to-Comply-with-the-RFA.pdf</a>.
---------------------------------------------------------------------------
34. Moreover, this NOPR involves voluntary actions by utilities for
the purpose of accommodating virtualized environments. The proposal
does not mandate or require action by any utility other than updating
compliance documentation for processes related to the proposed
Reliability Standards. As a result, we certify that the proposals in
this NOPR will not have a significant economic impact on a substantial
number of small entities.
35. NERC developed the proposed revisions through its consensus-
based standard drafting and approval processes. The proposed revisions
are expected to impose minimal obligations on the affected responsible
entities. These burdens primarily involve updating compliance
documentation for processes related to the proposed Reliability
Standards since the proposed
[[Page 45685]]
revisions permit responsible entities the opportunity to take advantage
of the benefits of advanced virtualization features while also
preserving their choice to maintain current secure perimeter-based
network architecture, which continues to be a valid network security
model. We believe that because the obligations imposed upon industry
are directed only at entities that own or operate high-impact or
medium-impact BES Cyber Systems, only a minimal number of entities will
meet the SBA revised standard for electric utilities. Only a minimal
number of entities will satisfy the SBA revised standard because small
entities do not typically own or operate any kind of high or medium
impact BES Cyber Systems.
VII. Regulatory Planning and Review
36. Executive Orders 12866 and 13563 direct agencies to assess the
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility. The Office of Information and Regulatory Affairs (OIRA)
has determined this proposed regulatory action is not a ``significant
regulatory action,'' under section 3(f) of Executive Order 12866, as
amended. Accordingly, OIRA has not reviewed this proposed regulatory
action for compliance with the analytical requirements of Executive
Order 12866.
VIII. Comment Procedures
37. The Commission invites interested persons to submit comments on
the matters and issues proposed in this notice to be adopted, including
any related matters or alternative proposals that commenters may wish
to discuss. Comments are due November 24, 2025. Comments must refer to
Docket No. RM24-8-000, and must include the commenter's name, the
organization they represent, if applicable, and their address in their
comments. All comments will be placed in the Commission's public files
and may be viewed, printed, or downloaded remotely as described in the
Document Availability section below. Commenters on this proposal are
not required to serve copies of their comments on other commenters.
38. The Commission encourages comments to be filed electronically
via the eFiling link on the Commission's website at <a href="http://www.ferc.gov">http://www.ferc.gov</a>. The Commission accepts most standard word processing
formats. Documents created electronically using word processing
software must be filed in native applications or print-to-PDF format
and not in a scanned format. Commenters filing electronically do not
need to make a paper filing.
39. Commenters that are not able to file comments electronically
may file an original of their comment by USPS mail or by courier or
other delivery services. For submissions sent via USPS only, filings
should be mailed to: Federal Energy Regulatory Commission, Office of
the Secretary, 888 First Street NE, Washington, DC 20426. Submission of
filings other than by USPS should be delivered to: Federal Energy
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
IX. Document Availability
40. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
internet through the Commission's Home Page (<a href="http://www.ferc.gov">http://www.ferc.gov</a>).
41. From the Commission's Home Page on the internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
42. User assistance is available for eLibrary and the Commission's
website during normal business hours from FERC Online Support at 202-
502-6652 (toll free at 1-866-208-3676) or email at
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at
public.referenceroom@ferc.gov.
By direction of the Commission.
Issued: September 18, 2025.
Carlos D. Clay,
Deputy Secretary.
[FR Doc. 2025-18395 Filed 9-22-25; 8:45 am]
BILLING CODE 6717-01-P
</pre></body>
</html>