[Federal Register: June 24, 2009 (Volume 74, Number 120)]
[Notices]
[Page 30067-30068]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr24jn09-68]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. RM06-22-006; Order No. 706-C]
Mandatory Reliability Standards for Critical Infrastructure
Protection
Issued June 18, 2009.
AGENCY: Federal Energy Regulatory Commission.
ACTION: Order denying request for clarification.
-----------------------------------------------------------------------
SUMMARY: On March 19, 2009, the Commission issued Order No. 706-B which
clarified the scope of Critical Infrastructure Protection Reliability
Standards which were approved in Commission Order No. 706. The
Commission is denying a request for clarification of Order No. 706-B
filed by the Edison Electric Institute.
DATES: Effective Date: This rule will become effective June 24, 2009.
FOR FURTHER INFORMATION CONTACT:
Jonathan First (Legal Information), Office of General Counsel, 888
First Street, NE., Washington, DC 20426, (202) 502-8529.
Regis Binder (Technical Information), Office of Electric Reliability,
888 First Street, NE., Washington, DC 20426, (301) 665-1601.
SUPPLEMENTARY INFORMATION:
Before Commissioners: Jon Wellinghoff, Chairman; Suedeen G. Kelly,
Marc Spitzer, and Philip D. Moeller.
Order Denying Request for Clarification
Issued June 18, 2009.
1. In this order, the Commission denies the Edison Electric
Institute's
[[Page 30068]]
(EEI's) request for clarification of Order No. 706-B.\1\ Specifically,
the Commission denies EEI's request that the Commission clarify its
views with regard to the need and the time frame for the Commission's
developing a memorandum of understanding or other means of coordinating
cyber-security related activities with the U.S. Nuclear Regulatory
Commission (NRC). Likewise, the Commission denies EEI's request that
the Commission clarify that the North American Electric Reliability
Corporation (NERC) must seek stakeholder input in developing and
implementing an ``exception process'' as discussed in Order No. 706-B.
---------------------------------------------------------------------------
\1\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 122 FERC ] 61,040 (2008) (Order No. 706);
order on reh'g, Order No. 706-A, 123 FERC ] 61,174 (2008) (Order No.
706-A); order on clarification, Order No. 706-B, 126 FERC ] 61,229
(2009) (Order No. 706-B).
---------------------------------------------------------------------------
I. Background
2. In Order No. 706, the Commission approved the Critical
Infrastructure Protection (CIP) Reliability Standards that require
certain users, owners and operators of the Bulk-Power System, including
generator owners and operators, to comply with specific requirements to
safeguard critical cyber assets. In addition, pursuant to section
215(d)(5) of the Federal Power Act (FPA),\2\ the Commission directed
the ERO to develop modifications to the CIP Reliability Standards to
address specific concerns identified by the Commission.
---------------------------------------------------------------------------
\2\ 16 U.S.C. 824o(d)(5)(2006).
---------------------------------------------------------------------------
3. In Order No. 706-B, the Commission clarified the scope of the
CIP Reliability Standards approved in Order No. 706 to assure that no
``gap'' occurs in the applicability of these Standards. In particular,
each of the CIP Reliability Standards provides that facilities
regulated by the NRC are exempt from the Standard. The Commission
explained that NRC staff had raised a concern at a joint public meeting
of the NRC and the Commission that NRC regulations do not extend to all
equipment within a nuclear power plant. Thus, to assure that there is
no ``gap'' in the regulatory process, the Commission clarified that the
``balance of plant'' equipment within a nuclear power plant in the
United States that is not subject to NRC cyber security regulations,\3\
is subject to compliance with the CIP Reliability Standards approved in
Order No. 706. The Commission explained that:
---------------------------------------------------------------------------
\3\ U.S. Nuclear Regulatory Commission, Power Reactor Security
Requirements; Final Rule, 74 FR 13926 (Mar. 27, 2009).
a nuclear power plant licensee may seek an exception from the
ERO to the extent that the licensee believes that specific equipment
within the balance of plant is subject to NRC cyber security
regulations. If the ERO grants the exception, that equipment within
the balance of plant would not be subject to compliance with the CIP
Reliability Standards. We would expect that the ERO would make such
determinations with the consultation of NRC and oversight of
Commission staff. Thus, to further the development of this ERO
process, the ERO should consider the appropriateness of developing a
memorandum of understanding with the NRC, or revising existing
agreements, to address such matters as NRC staff consultation in the
exception application process and sharing of Safeguard[s]
Information.\4\
---------------------------------------------------------------------------
\4\ Id. P 50. Safeguards information is a special category of
sensitive unclassified information to be protected pursuant to
Section 147 of the Atomic Energy Act, 42 U.S.C. 2167 (2006).
Safeguards information concerns the physical protection of operating
power reactors, spent fuel shipments, strategic special nuclear
material, or other radioactive material. See 10 CFR 73.21 (2009)
(setting forth requirements for the protection of safeguards
information, including access to such information).
4. In response to comments suggesting that the NRC and the
Commission develop a memorandum of understanding, the Commission agreed
that it is advisable for the two commissions to coordinate their
respective cyber security-related activities with regard to nuclear
power plants.\5\ However, the Commission declined to resolve for
purposes of the proceeding the need for a new memorandum of
understanding between the two commissions.
---------------------------------------------------------------------------
\5\ Id. P 55.
---------------------------------------------------------------------------
II. EEI Request for Clarification
5. EEI requests that the Commission clarify its views with respect
to the need and the time frame for the Commission's developing a
memorandum of understanding or other means of coordinating cyber
security-related activities with the NRC. EEI suggests that, given the
volume of work on cyber security matters and recent regulatory changes
such as the NRC's issuance of its cyber security regulations, it is
vital that the Commission and the NRC commit to develop a memorandum of
understanding on an expeditious schedule. EEI expresses concern that
the Commission's deferral of a decision on the need for a memorandum of
understanding may lead to confusion and regulatory uncertainty.
6. EEI also requests that the Commission clarify that NERC should
seek stakeholder input in developing and implementing both the
``exception process'' and any process for sharing Safeguards
Information. EEI posits that stakeholder input and industry technical
expertise will be critical to implementing both processes.
III. Discussion
7. The Commission denies EEI's request for clarification. The
Commission and the NRC entered into a memorandum of agreement in
September 2004.\6\ The Commission views the decision of whether to
develop a new or revised memorandum of agreement with the NRC, and the
timing of that decision, as an intra-governmental matter between the
two commissions. Accordingly, the Commission will not make commitments
to EEI or others in this proceeding regarding the scope or timing of
any coordinated activities between the Commission and the NRC.
---------------------------------------------------------------------------
\6\ The memorandum of agreement is available on the Commission's
Web site, at http://www.ferc.gov/legal/maj-ord-reg/mou.asp.
---------------------------------------------------------------------------
8. As for EEI's request that the Commission clarify that NERC
should seek stakeholder input in developing and implementing an
exception process and process for sharing Safeguard Information, we
note that NERC sought stakeholder input in a ``Town Hall Meeting'' on
``Auditing of U.S. Nuclear Plants for CIP Standards Compliance'' held
on June 11, 2009. We expect that NERC will allow for further
stakeholder input regarding these processes. Thus, we see no need to
address EEI's request.
The Commission orders:
Edison Electric Institute's request for clarification is hereby
denied, as discussed in the body of this order.
By the Commission.
Kimberly D. Bose,
Secretary.
[FR Doc. E9-14795 Filed 6-23-09; 8:45 am]
BILLING CODE 6717-01-P