[Federal Register Volume 76, Number 67 (Thursday, April 7, 2011)] [Notices] [Pages 19333-19334] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2011-8248] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. IC11-725B-001] Commission Information Collection Activities (FERC-725B); Comment Request; Submitted for OMB Review AGENCY: Federal Energy Regulatory Commission, DOE. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: In compliance with the requirements of section 3507 of the Paperwork Reduction Act of 1995, 44 U.S.C. 3507, the Federal Energy Regulatory Commission (Commission or FERC) has submitted the information collection described below to the Office of Management and Budget (OMB) for review of the information collection requirements. Any interested person may file comments directly with OMB and should address a copy of those comments to the Commission as explained below. The Commission issued a Notice in the Federal Register (75 FR 65618, 10/26/2010) requesting public comments. FERC received no comments on the FERC-725B and has made this notation in its submission to OMB. OMB only makes a decision after the 30-day comment period for this notice has expired. DATES: Comments on the collection of information are due by May 9, 2011. ADDRESSES: Address comments on the collection of information to the Office of Management and Budget, Office of Information and Regulatory Affairs, Attention: Federal Energy Regulatory Commission Desk Officer. Comments to OMB should be filed electronically, c/o [email protected] and include OMB Control Number 1902-0248 for reference. The Desk Officer may be reached by telephone at 202-395- 4638. A copy of the comments should also be sent to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Comments may be filed either on paper or on CD/DVD, and should refer to Docket No. IC11-725B-001. Documents must be prepared in an acceptable filing format and in compliance with Commission submission guidelines at http://www.ferc.gov/help/submission-guide.asp. eFiling and eSubscription are not available for Docket No. IC11-725B-001, due to a system issue. All comments may be viewed, printed or downloaded remotely via the Internet through FERC's homepage using the ``eLibrary'' link. For user assistance, contact [email protected] or toll-free at (866) 208-3676, or for TTY, contact (202) 502-8659. FOR FURTHER INFORMATION CONTACT: Ellen Brown may be reached by e-mail at [email protected], by telephone at (202) 502-8663, and by fax at (202) 273-0873. SUPPLEMENTARY INFORMATION: The information collected by the FERC-725B, Reliability Standards for Critical Infrastructure Protection (OMB Control No. 1902-0248), is required to implement the statutory provisions of section 215 of the Federal Power Act (FPA) (16 U.S.C. 824o). On January 18, 2008, the Commission issued order 706, approving eight Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC) for Commission approval.\1\ --------------------------------------------------------------------------- \1\ CIP-002-1, CIP-003-1, CIP-004-1, CIP-005-1, CIP-006-1, CIP- 007-1, CIP-008-1, and CIP-009-1. --------------------------------------------------------------------------- The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets.\2\ These standards help protect the nation's Bulk-Power System against potential disruptions from cyber attacks.\3\ The CIP Reliability Standards include one actual reporting requirement and several recordkeeping requirements. Specifically, CIP- 008-1 requires responsible entities to report cyber security incidents to the Electricity Sector-Information Sharing and Analysis Center (ES- ISAC). In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs, and procedures.\4\ --------------------------------------------------------------------------- \2\ In addition, in accordance with section 215(d)(5) of the FPA, the Commission proposed to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. \3\ For a description of the CIP Reliability Standards, see the Critical Infrastructure Protection Section on NERC's Web site at http://www.nerc.com/page.php?cid=2[verbarrm]20. \4\ The October notice issued in this docket contains more information on the reporting requirements and can be found at http://elibrary.ferc.gov/idmws/File_list.asp?document_id=13857625. The full text of the standards can be found on NERC's Web site at http:/ /www.nerc.com/page.php?cid=2[verbarrm]20. --------------------------------------------------------------------------- The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities, the various policies, plans, programs and procedures. However, a showing of the documented policies, plans, programs and procedures is required to demonstrate compliance with the CIP Reliability Standards. Action: The Commission is requesting a three-year extension of the existing collection with no changes to the requirements. Burden Statement: The extent of the reporting burden is influenced by the number of identified critical assets and related critical cyber assets pursuant to CIP-002. An entity identifying one or more critical cyber assets, including assets located at remote locations, will likely require more resources to demonstrate compliance with the CIP Reliability Standards compared to an entity that identifies no critical assets. The Commission has developed [[Page 19334]] estimates using data from NERC's compliance registry as well as a 2009 survey that was conducted by NERC to asses the number of entities reporting Critical Cyber Assets. ---------------------------------------------------------------------------------------------------------------- Average Number of Average number of Data collection respondents number of burden hours Total annual \5\ responses per per response hours respondent \6\ ---------------------------------------------------------------------------------------------------------------- (1) (2) (3) (1) x (2) x (3) ---------------------------------------------------------------------------------------------------------------- FERC-725B: Estimate of U.S. Entities that have 345 1 320 110,400 identified Critical Cyber Assets........... Estimate of U.S. Entities that have not 1,156 1 8 9,248 identified Critical Cyber Assets........... New U.S. Entities that have to come into *6 1 1,176 7,056 compliance with the CIP Standards \7\...... --------------------------------------------------------------- Totals.................................. 1,501 .............. .............. 126,704 ---------------------------------------------------------------------------------------------------------------- * not included in the 1,501 total because it is assumed that on average, six entities per year will no longer have to comply with the CIP standards. The total estimated annual cost burden to respondents is: --------------------------------------------------------------------------- \5\ The NERC Compliance Registry as of 9/28/2010 indicated that 2079 entities were registered for NERC's compliance program. Of these, 2057 were identified as being U.S. entities. Staff concluded that of the 2057 U.S. entities, only 1501 were registered for at least one CIP related function. According to an April 7, 2009 memo to industry, NERC's VP and Chief Security officer noted that only 31% of entities responded to an earlier survey and reported that they had at least one Critical Asset, and only 23% reported having a Critical Cyber Asset. Staff applied the 23% reporting to the 1501 figure to obtain an estimate. The 6 new entities listed here are assumed to match a similar set of 6 entities that would drop out in an existing year. Thus, the net estimate of respondents remains at 1501 per year. \6\ This figure relates to NERC's audit schedule which requires NERC to engage in a compliance Audit once every 3 to 5 years. For simplicity, staff has divided the total number of hours by 3 to reflect the amount of time annually spent preparing documents. Staff assumed that each CIP audit or spot check would require four individuals 6 weeks to prepare and demonstrate compliance with CIP standards for entities that have identified Critical Cyber Assets. Staff estimated that entities that do not have Critical Cyber Assets would still be required to demonstrate compliance with CIP-002, which would require one individual approximately three days to execute. \7\ This category of respondents (with the corresponding burden) was not included in the 60-day public notice due to an oversight by Commission staff. ---------------------------------------------------------------------------Entities that have identified Critical Assets = 110,400 hours@$96 = $10,598,400. Entities that have not identified Critical Assets = 9,248 hours@$96 = $887,808. Storage Costs for Entities that have identified Critical Assets \8\ = 315 Entities@$15.25 = $4,804. --------------------------------------------------------------------------- \8\ This cost category was not included in the 60-day public notice due to an oversight by Commission staff. The hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report.\9\ The $15.25 rate for storage costs for each entity is an estimate based on the average costs to service and store 1 GB of data to demonstrate compliance with the CIP standards.\10\ --------------------------------------------------------------------------- \9\ Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates figure were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25% of respondents have in-house legal personnel. \10\ Based on the aggregate cost of an IBM advanced data protection server. --------------------------------------------------------------------------- The reporting burden includes the total time, effort, or financial resources expended to generate, maintain, retain, disclose, or provide the information including: (1) Reviewing instructions; (2) developing, acquiring, installing, and utilizing technology and systems for the purposes of collecting, validating, verifying, processing, maintaining, disclosing and providing information; (3) adjusting the existing ways to comply with any previously applicable instructions and requirements; (4) training personnel to respond to a collection of information; (5) searching data sources; (6) completing and reviewing the collection of information; and (7) transmitting, or otherwise disclosing the information. Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimates of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information to be collected; and (4) ways to minimize the burden of the collections of information on those who are to respond, including the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses. Dated: March 31, 2011. Kimberly D. Bose, Secretary. [FR Doc. 2011-8248 Filed 4-6-11; 8:45 am] BILLING CODE 6717-01-P