Commission Information Collection Activities (FERC-725B). Comment Request; Extension
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC-725B (Mandatory Reliability Standards, Critical Infrastructure Protection (CIP)). There are no changes to the reporting requirements with this information collection. No comments were received on the 60-day notice that ended on April 20, 2026.
Full Text
<html>
<head>
<title>Federal Register, Volume 91 Issue 80 (Monday, April 27, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 80 (Monday, April 27, 2026)]
[Notices]
[Pages 22530-22533]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-08168]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. IC26-16-000]
Commission Information Collection Activities (FERC-725B). Comment
Request; Extension
AGENCY: Federal Energy Regulatory Commission.
ACTION: Notice of information collection and request for comments.
-----------------------------------------------------------------------
[[Page 22531]]
SUMMARY: In compliance with the requirements of the Paperwork Reduction
Act of 1995, the Federal Energy Regulatory Commission (Commission or
FERC) is soliciting public comment on the currently approved
information collection, FERC-725B (Mandatory Reliability Standards,
Critical Infrastructure Protection (CIP)). There are no changes to the
reporting requirements with this information collection. No comments
were received on the 60-day notice that ended on April 20, 2026.
DATES: Comments on the collection of information are due May 27, 2026.
ADDRESSES: Send written comments on FERC-725B to OMB through <a href="https://www.reginfo.gov/public/do/PRA/icrPublicCommentRequest?ref_nbr=202604-1902-005">https://www.reginfo.gov/public/do/PRA/icrPublicCommentRequest?ref_nbr=202604-1902-005</a>.
You can also visit <a href="https://www.reginfo.gov/public/do/PRAMain">https://www.reginfo.gov/public/do/PRAMain</a>
and use the drop-down under ``Currently under Review'' to select the
``Federal Energy Regulatory Commission'' where you can see the open
opportunities to provide comments. Comments should be sent within 30
days of publication of this notice.
Please submit a copy of your comments to the Commission via email
to DataClearance@FERC.gov. You must specify Docket No. (IC26-16-000)
and the FERC Information Collection number (FERC-725B) in your email.
If you are unable to file electronically, comments may be filed by USPS
mail or by hand (including courier) delivery:
• Mail via U.S. Postal Service Only: Federal Energy
Regulatory Commission, Secretary of the Commission, 888 First Street
NE, Washington, DC 20426.
• All other delivery methods: Federal Energy Regulatory
Commission, Secretary of the Commission, 12225 Wilkins Avenue,
Rockville, MD 20852.
Docket: To view comments and issuances in this docket, please visit
<a href="https://elibrary.ferc.gov/eLibrary/search">https://elibrary.ferc.gov/eLibrary/search</a>. Once there, you can also
sign up for automatic notification of activity in this docket.
FOR FURTHER INFORMATION CONTACT: Kayla Williams, (202) 502-6468.
DataClearance@FERC.gov.
SUPPLEMENTARY INFORMATION:
Title: FERC-725B (Mandatory Reliability Standards, Critical
Infrastructure Protection (CIP)).
OMB Control No.: 1902-0248.
Type of Request: Three-year extension of the FERC-725B information
collection requirements with no changes to the reporting requirements.
Abstract: On August 8, 2005, Congress enacted the Energy Policy Act
of 2005.\1\ The Energy Policy Act of 2005 added a new section 215 to
the FPA,\2\ which requires a Commission-certified Electric Reliability
Organization to develop mandatory and enforceable Reliability
Standards,\3\ including requirements for cybersecurity protection,
which are subject to Commission review and approval. Once approved, the
Reliability Standards may be enforced by the Electric Reliability
Organization subject to Commission oversight, or the Commission can
independently enforce Reliability Standards.
---------------------------------------------------------------------------
\1\ Energy Policy Act of 2005, Public Law 109-58, sec. 1261 et
seq., 119 Stat. 594 (2005).
\2\ 16 U.S.C. 824o.
\3\ FPA section 215 defines Reliability Standard as a
requirement, approved by the Commission, to provide for reliable
operation of existing bulk-power system facilities, including
cybersecurity protection, and the design of planned additions or
modifications to such facilities to the extent necessary to provide
for reliable operation of the Bulk-Power System. However, the term
does not include any requirement to enlarge such facilities or to
construct new transmission capacity or generation capacity. Id. at
824o(a)(3).
---------------------------------------------------------------------------
On February 3, 2006, the Commission issued Order No. 672,\4\
implementing FPA section 215. The Commission subsequently certified
NERC as the Electric Reliability Organization. The Reliability
Standards developed by NERC become mandatory and enforceable after
Commission approval and apply to users, owners, and operators of the
Bulk-Power System, as set forth in each Reliability Standard.\5\ The
CIP Reliability Standards require entities to comply with specific
requirements to safeguard critical cyber assets. These standards are
result-based and do not specify a technology or method to achieve
compliance, instead leaving it up to the entity to decide how best to
comply.
---------------------------------------------------------------------------
\4\ Rules Concerning Certification of the Elec. Reliability
Org.; and Procedures for the Establishment, Approval, and Enf't of
Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17,
2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR
19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006).
\5\ NERC uses the term ``registered entity'' to identify users,
owners, and operators of the Bulk-Power System responsible for
performing specified reliability functions with respect to NERC
Reliability Standards. See, e.g., Version 4 Critical Infrastructure
Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr.
25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification
and reh'g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability
Standards are various subsets of entities responsible for performing
various specified reliability functions. We collectively refer to
these as ``entities.''
---------------------------------------------------------------------------
On January 18, 2008, the Commission issued Order No. 706,\6\
approving the initial eight CIP Reliability Standards, CIP version 1
Standards, submitted by NERC. Subsequently, the Commission has approved
multiple versions of the CIP Reliability Standards submitted by NERC,
partly to address the evolving nature of cyber-related threats to the
Bulk-Power System. On November 22, 2013, the Commission issued Order
No. 791,\7\ approving CIP version 5 Standards, the last major revision
to the CIP Reliability Standards. The CIP version 5 Standards implement
a tiered approach to categorize assets, identifying them as high,
medium, or low risk to the operation of the Bulk Electric System (BES)
\8\ if compromised. High impact systems include large control centers.
Medium impact systems include smaller control centers, ultra-high
voltage transmission, and large substations and generating facilities.
The remainder of the BES Cyber Systems \9\ are categorized as low
impact systems. Most requirements in the CIP Reliability Standards
apply to high and medium impact systems; however, a technical controls
requirement in Reliability Standard CIP-003, described below, applies
only to low impact systems. Since 2013, the Commission has approved new
and modified CIP Reliability Standards that address specific issues
such as supply chain risk management, cyber incident reporting,
[[Page 22532]]
communications between control centers, and the physical security of
critical transmission facilities.\10\
---------------------------------------------------------------------------
\6\ Order No. 706, 122 FERC ¶ 61,040 at P 1.
\7\ Version 5 Critical Infrastructure Protection Reliability
Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶
61,160 (2013), order on reh'g, Order No. 791-A, 146 FERC ¶ 61,188
(2014).
\8\ In general, NERC defines BES to include all Transmission
Elements operated at 100 kV or higher and Real Power and Reactive
Power resources connected at 100 kV or higher. This does not include
facilities used in the local distribution of electric energy. See
NERC, Bulk Electric System Definition Reference Document, Version 3,
at page iii (August 2018). In Order No. 693, the Commission found
that NERC's definition of BES is narrower than the statutory
definition of Bulk-Power System. The Commission decided to rely on
the NERC definition of BES to provide certainty regarding the
applicability of Reliability Standards to specific entities. See
Mandatory Reliability Standards for the Bulk-Power System, Order No.
693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79,
491, order on reh'g, Order No. 693-A, 72 FR 49717 (July 25, 2007),
120 FERC ¶ 61,053 (2007).
\9\ NERC defines BES Cyber System as ``[o]ne or more BES Cyber
Assets logically grouped by a responsible entity to perform one or
more reliability tasks for a functional entity.'' NERC, Glossary of
Terms Used in NERC Reliability Standards, at 5 (2020), <a href="https://www.nerc.com/files/glossary_of_terms.pdf">https://www.nerc.com/files/glossary_of_terms.pdf</a> (NERC Glossary of Terms).
NERC defines BES Cyber Asset as
A Cyber Asset that if rendered unavailable, degraded, or misused
would, within 15 minutes of its required operation, mis-operation,
or non-operation, adversely impact one or more Facilities, systems,
or equipment, which, if destroyed, degraded, or otherwise rendered
unavailable when needed, would affect the reliable operation of the
Bulk Electric System. Redundancy of affected Facilities, systems,
and equipment shall not be considered when determining adverse
impact. Each BES Cyber Asset is included in one or more BES Cyber
Systems.
Id. at 4.
\10\ See, e.g., Order No. 791, 78 FR 72755; Revised Critical
Infrastructure Protection Reliability Standards, Order No. 822, 81
FR 4177 (Jan. 26, 2016), 154 FERC ¶ 61,037, reh'g denied, Order No.
822-A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure
Protection Reliability Standard CIP-003-7--Cyber Security--Security
Management Controls, Order No. 843, 163 FERC ¶ 61,032 (2018).
---------------------------------------------------------------------------
The CIP Reliability Standards currently consist of 12 standards
specifying a set of requirements that entities must follow to ensure
the cyber and physical security of the Bulk-Power System. There are 12
currently effective cybersecurity standards and one cybersecurity
standard that has been approved by the Commission and was enforceable
as of July 1, 2022. There is also one physical security standard.
• CIP-002-5.1a Bulk Electric System Cyber System
Categorization: requires entities to identify and categorize BES Cyber
Assets for the application of cyber security requirements commensurate
with the adverse impact that loss, compromise, or misuse of those BES
Cyber Systems could have on the reliable operation of the BES.
• CIP-003-10 Security Management Controls: requires entities
to specify consistent and sustainable security management controls that
establish responsibility and accountability to protect BES Cyber
Systems against compromise that could lead to mis-operation or
instability in the BES.
• CIP-004-8 Personnel and Training: requires entities to
minimize the risk against compromise that could lead to mis-operation
or instability in the BES from individuals accessing BES Cyber Systems
by requiring an appropriate level of personnel risk assessment,
training, and security awareness in support of protecting BES Cyber
Systems.
• CIP-005-8 Electronic Security Perimeter(s): requires
entities to manage electronic access to BES Cyber Systems by specifying
a controlled Electronic Security Perimeter in support of protecting BES
Cyber Systems against compromise that could lead to mis-operation or
instability in the BES.
• CIP-006-7.1 Physical Security of Bulk Electric System
Cyber Systems: requires entities to manage physical access to BES Cyber
Systems by specifying a physical security plan in support of protecting
BES Cyber Systems against compromise that could lead to mis-operation
or instability in the BES.
• CIP-007-7.1 System Security Management: requires entities
to manage system security by specifying select technical, operational,
and procedural requirements in support of protecting BES Cyber Systems
against compromise that could lead to mis-operation or instability in
the BES.
• CIP-008-7.1 Incident Reporting and Response Planning:
requires entities to mitigate the risk to the reliable operation of the
BES as the result of a cybersecurity incident by specifying incident
response requirements.
• CIP-009-7.1 Recovery Plans for Bulk Electric System Cyber
Systems: requires entities to recover reliability functions performed
by BES Cyber Systems by specifying recovery plan requirements in
support of the continued stability, operability, and reliability of the
BES.
• CIP-010-5 Configuration Change Management and
Vulnerability Assessments: requires entities to prevent and detect
unauthorized changes to BES Cyber Systems by specifying configuration
change management and vulnerability assessment requirements in support
of protecting BES Cyber Systems from compromise that could lead to
mis-operation or instability in the BES.
• CIP-011-4.1 Information Protection: requires entities to
prevent unauthorized access to BES Cyber System Information by
specifying information protection requirements in support of protecting
BES Cyber Systems against compromise that could lead to mis-operation
or instability in the BES.
• CIP-012-2 Communications between Control Centers: requires
entities to protect the confidentiality and integrity of Real-time
Assessment and Real-time monitoring data transmitted between Control
Centers.
• CIP-013-3 Supply Chain Risk Management: requires entities
to mitigate cybersecurity risks to the reliable operation of the BES by
implementing security controls for supply chain risk management of BES
Cyber Systems.
• CIP-014-3: sets out to identify and protect Transmission
stations and Transmission substations, and their associated primary
control centers, that if rendered inoperable or damaged as a result of
a physical attack could result in instability, uncontrolled separation,
or Cascading within an Interconnection.
• CIP-015-1: the purpose is to improve the probability of
detecting anomalous or unauthorized network activity in order to
facilitate improved response and recovery from an attack.
The CIP Reliability Standards, viewed as a whole, implement a
defense-in-depth approach to protecting the security of BES Cyber
Systems at all impact levels.\11\ The CIP Reliability Standards are
objective-based and allow entities to choose compliance approaches best
tailored to their systems.\12\
---------------------------------------------------------------------------
\11\ Order No. 822, 154 FERC ¶ 61,037 at 32.
\12\ Order No. 706, 122 FERC ¶ 61,040 at 72.
\13\ The number of respondents is based on the NERC Compliance
Registry as of June 22, 2025. Currently there are 1,508 unique NERC
Registered entities; subtracting 16 Canadian entities yields 1,492 U.S.
entities.
\15\ The estimates for cost per hour are $77.30/hour (averaged
based on the following occupations):
FERC-725B--(Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards) After Adding Filers From Cybersecurity
Incentives Investment Activity
[Submitted as a separate IC within FERC-725B]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                  Number and       Annual number   Total number     Average burden per          Total annual burden (hours)
                                  type of          of responses    of responses     response (hours) \14\       & total annual cost \15\ ($)
                                  respondent \13\  per respondent                   & cost per response
                                  (1)              (2)             (1) * (2) = (3)  (4)                         (3) * (4) = (5)
--------------------------------------------------------------------------------------------------------------------------------------------------------
CIP-003-10                        1,579            156.15          246,560.85       1.56 hrs.; $120.59          384,634.93 hrs.; $29,732,280.09
CIP-002-7, CIP-004-8, CIP-005-8,  400              1               400              600 hrs.; $46,380           240,000 hrs.; $18,552,000
  CIP-006-7.1, CIP-007-7.1,
  CIP-008-7.1, CIP-009-7.1,
  CIP-010-5, CIP-011-4.1
CIP-013-3                         400              1               400              30 hrs.; $2,319             12,000 hrs.; $927,600
CIP-014-3                         321              1               321              2 hrs.; $154.6              642 hrs.; $49,626.60
CIP-012-2                         724              1               724              83 hrs.; $6,415.90          60,092 hrs.; $4,645,111.60
CIP-15-1                          400              6               2,400            56.67 hrs.; $4,380.59       136,008 hrs.; $10,513,418.40
--------------------------------------------------------------------------------------------------------------------------------------------------------
[[Page 22533]]
Total Burden of FERC-725B                                          250,805                                      833,376.93 hrs.; $64,420,036.689
--------------------------------------------------------------------------------------------------------------------------------------------------------
Comments: Comments are invited on: (1) whether the collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information will have practical
utility; (2) the accuracy of the agency's estimate of the burden and
cost of the collection of information, including the validity of the
methodology and assumptions used; (3) ways to enhance the quality,
utility and clarity of the information collection; and (4) ways to
minimize the burden of the collection of information on those who are
to respond, including the use of automated collection techniques or
other forms of information technology.
Dated: April 22, 2026.
Debbie-Anne A. Reese,
Secretary.
[FR Doc. 2026-08168 Filed 4-24-26; 8:45 am]
BILLING CODE 6717-01-P
</pre></body>
</html>