[Federal Register Volume 75, Number 206 (Tuesday, October 26, 2010)]
[Notices]
[Pages 65618-65620]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-26988]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. IC11-725B-000]
Commission Information Collection Activities (FERC-725B); Comment
Request; Extension
October 19, 2010.
AGENCY: Federal Energy Regulatory Commission, Energy.
ACTION: Notice of proposed information collection and request for
comments.
-----------------------------------------------------------------------
SUMMARY: In compliance with the requirements of section 3506(c)(2)(A)
of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A) (2006),
(Pub. L. 104-13), the Federal Energy Regulatory Commission (Commission
or FERC) is soliciting public comment on the proposed information
collection described below.
DATES: Comments in consideration of the collection of information are
due December 27, 2010.
ADDRESSES: Commenters must send an original of their comments to:
Federal Energy Regulatory Commission, Secretary of the Commission, 888
First Street, NE., Washington, DC 20426. Comments may be filed either
on paper or on CD/DVD, and should refer to Docket No. IC11-725B-000.
Documents must be prepared in an acceptable filing format and in
compliance with Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are
not available for Docket No. IC11-725B-000, due to a system issue.
All comments and FERC issuances may be viewed, printed or
downloaded remotely through FERC's eLibrary at http://www.ferc.gov/docs-filing/elibrary.asp, by searching on Docket No. IC11-725B. For
user assistance, contact FERC Online Support by e-mail at
[email protected], or by phone at: (866) 208-3676 (toll-free),
or (202) 502-8659 for TTY.
FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail
at [email protected], telephone at (202) 502-8663, and fax at
(202) 273-0873.
SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B,
Reliability Standards for Critical Infrastructure Protection (OMB
Control No. 1902-0248), is required to implement the statutory
provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C.
824o). On August 8, 2005, the Electricity Modernization Act of 2005,
which is Title XII, Subtitle A,
[[Page 65619]]
of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.\1\
EPAct 2005 added a new section 215 to the FPA, requiring a Commission-
certified Electric Reliability Organization (ERO) to develop mandatory
and enforceable Reliability Standards, which are subject to Commission
review and approval. Once approved, the Reliability Standards may be
enforced in the United States by the ERO subject to Commission
oversight, or the Commission can independently enforce Reliability
Standards.\2\
---------------------------------------------------------------------------
\1\ Energy Policy Act of 2005, Public Law No. 109-58, Title XII,
Subtitle A, 119 Stat. 594, 941 (2005), 16 U.S.C. 824o.
\2\ 16 U.S.C. 824o(e)(3).
---------------------------------------------------------------------------
On February 3, 2006, the Commission issued Order No. 672,
implementing section 215 of the FPA. Pursuant to Order No. 672, the
Commission certified one organization, North American Electric
Reliability Corporation (NERC), as the ERO. The Reliability Standards
developed by the ERO and approved by the Commission apply to users,
owners and operators of the Bulk-Power System, as set forth in each
Reliability Standard.
On January 18, 2008, the Commission issued order 706, approving
eight Critical Infrastructure Protection (CIP) Reliability Standards
submitted by the NERC for Commission approval.\3\ The CIP Reliability
Standards require certain users, owners, and operators of the Bulk-
Power System to comply with specific requirements to safeguard critical
cyber assets.\4\ These standards help protect the nation's Bulk-Power
System against potential disruptions from cyber attacks.\5\
---------------------------------------------------------------------------
\3\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP-
007-1, CIP-008-1, and CIP-009-1.
\4\ In addition, in accordance with section 215(d)(5) of the
FPA, the Commission proposed to direct NERC to develop modifications
to the CIP Reliability Standards to address specific concerns
identified by the Commission.
\5\ For a description of the CIP Reliability Standards, see the
Critical Infrastructure Protection Section at NERC's Web site at
http://www.nerc.com/page.php?cid=2/20.
---------------------------------------------------------------------------
The eight CIP Reliability Standards address the following topics:
Critical Cyber Asset Identification.
Security Management Controls.
Personnel and Training.
Electronic Security Perimeters.
Physical Security of Critical Cyber Assets.
Systems Security Management.
Incident Reporting and Response Planning.
Recovery Plans for Critical Cyber Assets.
The CIP Reliability Standards include one actual reporting
requirement and several recordkeeping requirements. Specifically, CIP-
008-1 requires responsible entities to report cyber security incidents
to the Electricity Sector-Information Sharing and Analysis Center (ES-
ISAC). In addition, the eight CIP Reliability Standards require
responsible entities to develop various policies, plans, programs, and
procedures. For example, each responsible entity must develop and
document a risk-based assessment methodology to identify critical
assets, which is then used to develop a list of critical cyber assets
(CIP-002-1). A responsible entity that identifies any critical cyber
assets must also document: A cyber security policy (CIP-003-1); a
security awareness program (CIP-004-1, Requirement R1); a personnel
risk assessment program (CIP-004-1, Requirement R3); an electronic
security perimeter and processes for control of electronic access to
all electronic access points to the perimeter (CIP-005-1, Requirements
R1 and R2); a physical security plan (CIP-006-1); procedures for
securing certain cyber assets (CIP-007-1); and recovery plans for
critical cyber assets (CIP-008-1). To demonstrate compliance with the
CIP Reliability Standards, responsible entities are required to
maintain various lists and access logs. All responsible entities are
required to be auditably compliant with the CIP Reliability Standards
by the end of 2010, including all required documentation.
The CIP Reliability Standards do not require a responsible entity
to report to the Commission, ERO or Regional Entities, the various
policies, plans, programs and procedures. However, a showing of the
documented policies, plans, programs and procedures is required to
demonstrate compliance with the CIP Reliability Standards.
Action: The Commission is requesting a three-year extension of the
FERC-725B reporting requirements, with no changes.
Burden Statement: The extent of the reporting burden is influenced
by the number of identified critical assets and related critical cyber
assets pursuant to CIP-002. An entity identifying one or more critical
cyber assets, including assets located at remote locations, will likely
require more resources to demonstrate compliance with the CIP
Reliability Standards compared to an entity that identifies no critical
assets. The Commission has developed estimates using data from NERC's
compliance registry as well as a 2009 survey that was conducted by NERC
to asses the number of entities reporting Critical Cyber Assets.
----------------------------------------------------------------------------------------------------------------
Average No. of
No. of Average No. of Burden hours Total annual
Data collection respondents \6\ responses per per response hours
respondent \7\
(1) (2) (3) (1) x (2) x (3)
----------------------------------------------------------------------------------------------------------------
FERC-725B...................................
Estimate of U.S. Entities that have 345 1 320 110,400
identified Critical Cyber Assets...........
Estimate of U.S. Entities that have not 1,156 1 8 9,248
identified Critical Cyber Assets...........
-------------------------------------------------------------------
Totals.................................. 1,501 ............... ............... 119,648
----------------------------------------------------------------------------------------------------------------
\6\ The NERC Compliance Registry as of 9/28/2010 indicated that 2,079 entities were registered for NERC's
compliance program. Of these, 2,057 were identified as being U.S. entities. Staff concluded that of the 2,057
U.S. entities, only 1,501 were registered for at least one CIP related function. According to an April 7, 2009
memo to industry, NERC's VP and Chief Security officer noted that only 31% of entities responded to an earlier
survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber
Asset. Staff applied the 23% reporting to the 1,501 figure to obtain an estimate.
\7\ This figure relates to NERC's audit schedule which requires NERC to engage in a compliance Audit once every
3 to 5 years. For simplicity, staff has divided the total number of hours by 3 to reflect the amount of time
annually spent preparing documents. Staff assumed that each CIP audit or spot check would require four
individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified
Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be
required to demonstrate compliance with CIP-002, which would require one individual approximately three days
to execute.
[[Page 65620]]
The total estimated annual cost burden to respondents is:
Entities that have identified Critical Assets = 110,400
hours@$96 = $10,598,400.
Entities that have not identified Critical Assets = 9,248
hours@$96 = $887,808.
The hourly rate of $96 is the average cost of legal services ($230
per hour), technical employees ($40 per hour) and administrative
support ($18 per hour), based on hourly rates from the Bureau of Labor
Statistics (BLS) and the 2009 Billing Rates and Practices Survey
Report.\8\
---------------------------------------------------------------------------
\8\ Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates
figure were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based
on the national average billing rate (contracting out) from the
above report and BLS hourly earnings (in-house personnel). It is
assumed that 25% of respondents have in-house legal personnel.
---------------------------------------------------------------------------
The reporting burden includes the total time, effort, or financial
resources expended to generate, maintain, retain, disclose, or provide
the information including: (1) Reviewing instructions; (2) developing,
acquiring, installing, and utilizing technology and systems for the
purposes of collecting, validating, verifying, processing, maintaining,
disclosing and providing information; (3) adjusting the existing ways
to comply with any previously applicable instructions and requirements;
(4) training personnel to respond to a collection of information; (5)
searching data sources; (6) completing and reviewing the collection of
information; and (7) transmitting or otherwise disclosing the
information.
The estimate of cost for respondents is based upon salaries for
professional and clerical support, as well as direct and indirect
overhead costs. Direct costs include all costs directly attributable to
providing this information, such as administrative costs and the cost
for information technology. Indirect or overhead costs are costs
incurred by an organization in support of its mission. These costs
apply to activities which benefit the whole organization rather than
any one particular function or activity.
Comments are invited on: (1) Whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information will have practical
utility; (2) the accuracy of the agency's estimate of the burden of the
proposed collection of information, including the validity of the
methodology and assumptions used; (3) ways to enhance the quality,
utility and clarity of the information to be collected; and (4) ways to
minimize the burden of the collection of information on those who are
to respond, including the use of appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology e.g. permitting electronic submission of
responses.
Kimberly D. Bose,
Secretary.
[FR Doc. 2010-26988 Filed 10-25-10; 8:45 am]
BILLING CODE 6717-01-P