81 FR 49878 - Revised Critical Infrastructure Protection Reliability Standards

[Federal Register Volume 81, Number 146 (Friday, July 29, 2016)]
[Rules and Regulations]
[Pages 49878-49894]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-17842]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM15-14-002; Order No. 829]


Revised Critical Infrastructure Protection Reliability Standards

AGENCY:  Federal Energy Regulatory Commission.

ACTION:  Final rule.

-----------------------------------------------------------------------

SUMMARY:  The Federal Energy Regulatory Commission (Commission) directs 
the North American Electric Reliability Corporation to develop a new or 
modified Reliability Standard that addresses supply chain risk 
management for industrial control system hardware, software, and 
computing and networking services

[[Page 49879]]

associated with bulk electric system operations. The new or modified 
Reliability Standard is intended to mitigate the risk of a 
cybersecurity incident affecting the reliable operation of the Bulk-
Power System.

DATES:  This rule is effective September 27, 2016.

FOR FURTHER INFORMATION CONTACT: Daniel Phillips (Technical 
Information), Office of Electric Reliability, Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6387, 
[email protected].
    Simon Slobodnik (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street 
NE., Washington, DC 20426, (202) 502-6707, [email protected].
    Kevin Ryan (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, (202) 502-6840, [email protected].

SUPPLEMENTARY INFORMATION:

Order No. 829

Final Rule

    1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),\1\ 
the Commission directs the North American Electric Reliability 
Corporation (NERC) to develop a new or modified Reliability Standard 
that addresses supply chain risk management for industrial control 
system hardware, software, and computing and networking services 
associated with bulk electric system operations. The new or modified 
Reliability Standard is intended to mitigate the risk of a 
cybersecurity incident affecting the reliable operation of the Bulk-
Power System.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(5).
---------------------------------------------------------------------------

    2. The record developed in this proceeding supports our 
determination under FPA section 215(d)(5) that it is appropriate to 
direct the creation of mandatory requirements that protect aspects of 
the supply chain that are within the control of responsible entities 
and that fall within the scope of our authority under FPA section 215. 
Specifically, we direct NERC to develop a forward-looking, objective-
based Reliability Standard to require each affected entity to develop 
and implement a plan that includes security controls for supply chain 
management for industrial control system hardware, software, and 
services associated with bulk electric system operations.\2\ The new or 
modified Reliability Standard should address the following security 
objectives, discussed in detail below: (1) Software integrity and 
authenticity; (2) vendor remote access; (3) information system 
planning; and (4) vendor risk management and procurement controls. In 
making this directive, the Commission does not require NERC to impose 
any specific controls, nor does the Commission require NERC to propose 
``one-size-fits-all'' requirements. The new or modified Reliability 
Standard should instead require responsible entities to develop a plan 
to meet the four objectives, or some equally efficient and effective 
means to meet these objectives, while providing flexibility to 
responsible entities as to how to meet those objectives.
---------------------------------------------------------------------------

    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Notice of Proposed Rulemaking, 80 FR 43,354 (Jul. 22, 
2015), 152 FERC ¶ 61,054, at P 66 (2015) (NOPR).
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    3. Section 215 of the FPA requires a Commission-certified Electric 
Reliability Organization (ERO) to develop mandatory and enforceable 
Reliability Standards, subject to Commission review and approval. 
Reliability Standards may be enforced by the ERO, subject to Commission 
oversight, or by the Commission independently.\3\ Pursuant to section 
215 of the FPA, the Commission established a process to select and 
certify an ERO,\4\ and subsequently certified NERC.\5\
---------------------------------------------------------------------------

    \3\ 16 U.S.C. 824o(e).
    \4\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \5\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Notice of Proposed Rulemaking

    4. The NOPR, inter alia, identified as a reliability concern the 
potential risks to bulk electric system reliability posed by the 
``supply chain'' (i.e., the sequence of processes involved in the 
production and distribution of, inter alia, industrial control system 
hardware, software, and services). The NOPR explained that changes in 
the bulk electric system cyber threat landscape, exemplified by recent 
malware campaigns targeting supply chain vendors, have highlighted a 
gap in the Critical Infrastructure Protection (CIP) Reliability 
Standards.\6\ To address this gap, the NOPR proposed to direct that 
NERC develop a forward-looking, objective-driven Reliability Standard 
that provides security controls for supply chain management for 
industrial control system hardware, software, and services associated 
with bulk electric system operations.\7\
---------------------------------------------------------------------------

    \6\ NOPR, 152 FERC ¶ 61,054 at P 63.
    \7\ Id. P 66.
---------------------------------------------------------------------------

    5. Recognizing that developing supply chain management requirements 
would likely be a significant undertaking and require extensive 
engagement with stakeholders to define the scope, content, and timing 
of the Reliability Standard, the Commission sought comment on: (1) the 
general proposal to direct that NERC develop a Reliability Standard to 
address supply chain management; (2) the anticipated features of, and 
requirements that should be included in, such a standard; and (3) a 
reasonable timeframe for development of a Reliability Standard.\8\
---------------------------------------------------------------------------

    \8\ Id.
---------------------------------------------------------------------------

    6. In response to the NOPR, thirty-four entities submitted comments 
on the NOPR proposal regarding supply chain risk management. A list of 
these commenters appears in Appendix A.

C. January 28, 2016 Technical Conference

    7. On January 28, 2016, Commission staff led a Technical Conference 
to facilitate a dialogue on supply chain risk management issues that 
were identified by the Commission in the NOPR. The January 28 Technical 
Conference addressed: (1) The need for a new or modified Reliability 
Standard; (2) the scope and implementation of a new or modified 
Reliability Standard; and (3) current supply chain risk management 
practices and collaborative efforts.
    8. Twenty-four entities representing industry, government, vendors, 
and academia participated in the January 28 Technical Conference 
through written comments and/or presentations.\9\
---------------------------------------------------------------------------

    \9\ Written presentations at the January 28, 2016 Technical 
Conference and the Technical Conference transcript referenced in 
this Final Rule are accessible through the Commission's eLibrary 
document retrieval system in Docket No. RM15-14-000.
---------------------------------------------------------------------------

    9. We address below the comments submitted in response to the NOPR 
and comments made as part of the January 28 Technical Conference.

II. Discussion

    10. Pursuant to section 215(d)(5) of the FPA, the Commission 
determines that it is appropriate to direct NERC to develop a new or 
modified Reliability Standard(s) that address supply chain risk 
management for industrial control system hardware, software, and 
computing and networking services associated with bulk electric system

[[Page 49880]]

operations.\10\ Based on the comments received in response to the NOPR 
and at the technical conference, we determine that the record in this 
proceeding supports the development of mandatory requirements for the 
protection of aspects of the supply chain that are within the control 
of responsible entities and that fall within the scope of our authority 
under FPA section 215.
---------------------------------------------------------------------------

    \10\ 16 U.S.C. 824o(d)(5) (``The Commission . . . may order the 
[ERO] to submit to the Commission a proposed reliability standard or 
a modification to a reliability standard that addresses a specific 
matter if the Commission considers such a new or modified 
reliability standard appropriate to carry out this section.'').
---------------------------------------------------------------------------

    11. In its NOPR comments, NERC acknowledges that ``supply chains 
for information and communications technology and industrial control 
systems present significant risks to [Bulk-Power System] security, 
providing various opportunities for adversaries to initiate 
cyberattacks.'' \11\ Several other commenters also recognized the risks 
posed to the bulk electric system by supply chain security issues and 
generally support, or at least do not oppose, Commission action to 
address the reliability gap.\12\ For example, in prepared remarks 
submitted for the January 28 Technical Conference, one panelist noted 
that attacks targeting the supply chain are on the rise, particularly 
attacks involving third party service providers.\13\ In addition, it 
was noted that, while many responsible entities are already 
independently assessing supply chain risks and asking vendors to 
address the risks, these individual efforts are likely to be less 
effective than a mandatory Reliability Standard.\14\
---------------------------------------------------------------------------

    \11\ NERC NOPR Comments at 8.
    \12\ See Peak NOPR Comments at 3-6; ITC NOPR Comments at 13-15; 
CyberArk NOPR Comments at 4; Ericsson NOPR Comments at 2; Isologic 
and Resilient Societies Joint NOPR Comments at 9-12; ACS NOPR 
Comments at 4; ISO NE NOPR Comments at 2-3; NEMA NOPR Comments at 1-
2.
    \13\ Olcott Technical Conference Comments at 1-2.
    \14\ Galloway Technical Conference Comments at 1 (``. . . ISO-NE 
supports the Commission's proposal to direct NERC to develop 
requirements relating to supply chain risk management. We believe 
that the risks to the reliability of the Bulk Electric System that 
result from compromised third-party software are real, significant 
and largely unaddressed by existing reliability standards. While 
many public utilities are already assessing these risks and asking 
vendors to address them, these one-off efforts are far less likely 
to be effective than an industry-wide reliability standard.'').
---------------------------------------------------------------------------

    12. We recognize, however, that most commenters oppose development 
of Reliability Standards addressing supply chain management for various 
reasons. These commenters contend that Commission action on supply 
chain risk management would, among other things, address or influence 
activities beyond the scope of the Commission's FPA section 215 
jurisdiction.\15\ Commenters also assert that the existing CIP 
Reliability Standards adequately address potential risks to the bulk 
electric system from supply chain issues.\16\ In addition, commenters 
claim that responsible entities have minimal control over their 
suppliers and are not able to identify all potential vulnerabilities 
associated with each of their products or parts; therefore, even if a 
responsible entity identifies a vulnerability created by a supplier, 
the responsible entity does not necessarily have any authority, 
influence or means to require the supplier to apply mitigation.\17\ 
Other commenters argue that the Commission's proposal may 
unintentionally inhibit innovation.\18\ A number of commenters assert 
that voluntary guidelines would be more effective at addressing the 
Commission's concerns.\19\ Finally, commenters are concerned that the 
contractual flexibility necessary to effectively address supply chain 
concerns does not fit well with a mandatory Reliability Standard.\20\
---------------------------------------------------------------------------

    \15\ See Trade Associations NOPR Comments at 24; Southern NOPR 
Comments at 14-16; CEA NOPR Comments at 4-5; NIPSCO NOPR Comments at 
7.
    \16\ See Trade Associations NOPR Comments at 20-25; Gridwise 
NOPR Comments at 3; Arkansas NOPR Comments at 6; G&T Cooperatives 
NOPR Comments at 8-9; NEI NOPR Comments at 3-5; NIPSCO NOPR Comments 
at 5-6; Luminant NOPR Comments at 4-5; SCE NOPR Comments at 4.
    \17\ See Arkansas NOPR Comments at 5-6; G&T Cooperatives NOPR 
Comments at 9; Trade Associations NOPR Comments at 25.
    \18\ See Arkansas NOPR Comments at 6; G&T Cooperatives NOPR 
Comments at 9; NERC NOPR Comments at 13.
    \19\ See Trade Associations NOPR Comments at 23; Southern NOPR 
Comments at 13; AEP NOPR Comments at 5; NextEra NOPR Comments at 4-
5; Luminant NOPR Comments at 5.
    \20\ See Arkansas NOPR Comments at 6; Southern NOPR Comments at 
13.
---------------------------------------------------------------------------

    13. As discussed below, we conclude that our directive falls within 
the Commission's authority under FPA section 215. We also determine 
that, notwithstanding the concerns raised by commenters opposed to the 
NOPR proposal, it is appropriate to direct the development of mandatory 
requirements to protect industrial control system hardware, software, 
and computing and networking services associated with bulk electric 
system operations. Many of the commenters' concerns are addressed by 
the flexibility inherent in our directive to develop a forward-looking, 
objective-based Reliability Standard that includes specific security 
objectives that a responsible entity must achieve, but affords 
flexibility in how to meet these objectives. The Commission does not 
require NERC to impose any specific controls nor does the Commission 
require NERC to propose ``one-size-fits-all'' requirements. The new or 
modified Reliability Standard should instead require responsible 
entities to develop a plan to meet the four objectives, or some equally 
efficient and effective means to meet these objectives, while providing 
flexibility to responsible entities as to how to meet those objectives. 
Moreover, our directive comports well with the NOPR comments submitted 
by NERC, in which NERC explained what it believes would be the features 
of a workable supply chain management Reliability Standard.\21\
---------------------------------------------------------------------------

    \21\ NERC NOPR Comments at 8-9. The record evidence on which the 
directive in this Final Rule is based is either comparable or 
superior to past instances in which the Commission has directed, 
pursuant to FPA section 215(d)(5), that NERC propose a Reliability 
Standard to address a gap in existing Reliability Standards. See, 
e.g., Reliability Standards for Physical Security Measures, 146 FERC 
¶ 61,166 (2014) (directing, without seeking comment, that NERC 
develop proposed Reliability Standards to protect against physical 
security risks related to the Bulk-Power System).
---------------------------------------------------------------------------

    14. We address below the following issues raised in the NOPR, NOPR 
comments, and January 28 Technical Conference comments: (1) the 
Commission's authority to direct the ERO to develop supply chain 
management Reliability Standards under FPA section 215(d)(5); and (2) 
the need for supply chain management Reliability Standards, including 
the risks posed by the supply chain, objectives of a supply chain 
management Reliability Standard, existing CIP Reliability Standards, 
and responsible entities' ability to affect the supply chain.

A. Commission Authority To Direct the ERO To Develop Supply Chain 
Management Reliability Standards Under FPA Section 215(d)(5)

NOPR
    15. In the NOPR, the Commission stated that it anticipates that a 
Reliability Standard addressing supply chain management security would, 
inter alia, respect FPA Section 215 jurisdiction by only addressing the 
obligations of responsible entities and not directly imposing 
obligations on suppliers, vendors, or other entities that provide 
products or services to responsible entities.\22\
---------------------------------------------------------------------------

    \22\ NOPR, 152 FERC ¶ 61,054 at P 66.
---------------------------------------------------------------------------

Comments
    16. Commenters contend that the Commission's proposal to direct 
NERC to develop mandatory Reliability Standards to address supply chain 
risks could exceed the Commission's

[[Page 49881]]

jurisdiction under FPA section 215. The Trade Associations state that 
the NOPR discussion ``appears to suggest a new mandate, over and above 
Section 215 for energy security, integrity, quality, and supply chain 
resilience, and the future acquisition of products and services.'' \23\ 
The Trade Associations assert that the Commission's NOPR proposal does 
not provide any reasoning that connects energy security and integrity 
with reliable operations for Bulk-Power System reliability. The Trade 
Associations seek clarification that the Commission does not intend to 
define energy security as a new policy mandate.\24\
---------------------------------------------------------------------------

    \23\ Trade Associations NOPR Comments at 24.
    \24\ Id.
---------------------------------------------------------------------------

    17. Southern states that it agrees with the Trade Associations that 
expanding the focus of the NERC Reliability Standards ``to include 
concepts such as security, integrity, and supply chain resilience is 
beyond the statutory authority granted in Section 215.'' \25\ Southern 
contends that while these areas ``have an impact on the reliable 
operation of the bulk power system, [. . .] they are areas that are 
beyond the scope of [the Commission's] jurisdiction under Section 
215.'' \26\ NIPSCO raises a similar argument, stating that the existing 
CIP Reliability Standards should address the Commission's concerns 
``without involving processes and industries outside of the 
Commission's jurisdiction under section 215 of the Federal Power Act.'' 
\27\
---------------------------------------------------------------------------

    \25\ Southern NOPR Comments at 16.
    \26\ Southern NOPR Comments at 16; see also Trade Association 
NOPR Comments at 24.
    \27\ NIPSCO NOPR Comments at 7.
---------------------------------------------------------------------------

    18. Southern questions how a mandatory Reliability Standard that 
achieves all of the objectives specified in the NOPR ``could 
effectively address [the Commission's] concerns and still stay within 
the bounds of [the Commission's] scope and mission under Section 215.'' 
\28\ Southern asserts that ``a reading of Section 215 indicates that 
[the Commission's] mission and authority under Section 215 is focused 
on the operation of the bulk power system elements, not on the 
acquisition of those elements and associated procurement practices.'' 
\29\ In support of its assertion, Southern points to the definition in 
FPA section 215 of ``reliability standard,'' noting the use and meaning 
of the terms ``reliable operation'' and ``operation.'' Southern 
contends that ``Section 215 standards should ensure that a given BES 
Cyber System asset is protected from vulnerabilities once connected to 
the BES, and should not be concerned about how the Responsible Entity 
works with its vendors and suppliers to ensure such reliability (such 
as higher financial incentives or greater contractual penalties).'' 
\30\
---------------------------------------------------------------------------

    \28\ Southern NOPR Comments at 14-15.
    \29\ Id. at 15 (emphasis in original).
    \30\ Id. at 16.
---------------------------------------------------------------------------

    19. The Trade Associations and Southern also observe that, while 
the NOPR indicates that the Commission has no direct oversight 
authority over third-party suppliers or vendors and cannot indirectly 
assert authority over them through jurisdictional entities, the NOPR 
proposal appears to assert that authority.\31\ The Trade Associations 
maintain that such an extension of the Commission's authority would be 
unlawful and, therefore, seek clarification that ``the Commission will 
avoid seeking to extend its authority since such an extension would set 
a troubling precedent.'' \32\ CEA raises a concern that the NOPR 
proposal ``appears to lend itself to the interpretation that authority 
is indirectly being asserted over non-jurisdictional entities.'' \33\
---------------------------------------------------------------------------

    \31\ Trade Associations NOPR Comments at 24-25; Southern NOPR 
Comments at 17; see also Trade Associations Post-Technical 
Conference Comments at 20-21.
    \32\ Trade Associations NOPR Comments at 24-25.
    \33\ CEA NOPR Comments at 5.
---------------------------------------------------------------------------

    20. The Trade Associations also maintain that the Commission's use 
of the term ``industrial control system'' in the scope of its proposal 
suggests that the Commission is seeking to address issues beyond CIP 
and cybersecurity-related issues. The Trade Associations seek 
clarification that the Commission does not intend for NERC broadly to 
address industrial control systems, such as fuel procurement and 
delivery systems or system protection devices, but intends for its 
proposal to be limited to CIP and cybersecurity-related issues.\34\
---------------------------------------------------------------------------

    \34\ Trade Associations NOPR Comments at 25.
---------------------------------------------------------------------------

Discussion
    21. We are satisfied that FPA section 215 provides the Commission 
with the authority to direct NERC to address the reliability gap 
concerning supply chain management risks identified in the NOPR. We 
reject the contention that our directive could be read to address 
issues outside of the Commission's FPA section 215 jurisdiction. 
However, to be clear, we reiterate the statement in the NOPR that any 
action taken by NERC in response to the Commission's directive to 
address the supply chain-related reliability gap should respect 
``section 215 jurisdiction by only addressing the obligations of 
responsible entities'' and ``not directly impose obligations on 
suppliers, vendors or other entities that provide products or services 
to responsible entities.'' \35\ The Commission expects that NERC will 
adhere to this instruction as it works with stakeholders to develop a 
new or modified Reliability Standard to address the Commission's 
directive. As discussed below, we reject the remaining comments 
regarding the Commission's authority to direct the development of 
supply chain management Reliability Standards under FPA section 
215(d)(5).
---------------------------------------------------------------------------

    \35\ NOPR, 152 FERC ¶ 61,054 at P 66.
---------------------------------------------------------------------------

    22. Our directive does not suggest, as the Trade Associations 
contend, a new mandate above and beyond FPA section 215. The 
Commission's directive to NERC to address supply chain risk management 
for industrial control system hardware, software, and computing and 
networking services associated with bulk electric system operations is 
not intended to ``define `energy security' as a new policy mandate'' 
under the CIP Reliability Standards.\36\ Instead, our directive is 
meant to enhance bulk electric system cybersecurity by addressing the 
gap in the CIP Reliability Standards identified in the NOPR relating to 
supply chain risk management for industrial control system hardware, 
software, and computing and networking services associated with bulk 
electric system operations. This directive is squarely within the 
statutory definition of a ``reliability standard,'' which includes 
requirements for ``cybersecurity protection.'' \37\
---------------------------------------------------------------------------

    \36\ See Trade Associations NOPR Comments at 24.
    \37\ See 16 U.S.C. 824o(a)(3) (defining ``reliability standard'' 
to mean ``a requirement, approved by the Commission under [section 
215 of the FPA] to provide for the reliable operation of the bulk-
power system. The term includes requirements for the operation of 
existing bulk-power system facilities, including cybersecurity 
protection, and the design of planned additions or modifications to 
such facilities to the extent necessary to provide for reliable 
operation . . .'') (emphasis added).
---------------------------------------------------------------------------

    23. We reject Southern's argument that FPA section 215 limits the 
scope of the NERC Reliability Standards to ``ensur[ing] that a given 
BES Cyber System asset is protected from vulnerabilities once 
connected'' to the bulk electric system.\38\ While Southern's comment 
implies that the Commission should only be concerned with real-time 
operations based on the definition of the term ``reliable operation,'' 
the definition of ``reliability standard'' in FPA section 215 also 
includes requirements for ``the design of planned additions or 
modifications'' to bulk electric system facilities ``necessary to 
provide for reliable operation of the bulk-power

[[Page 49882]]

system.'' \39\ Moreover, as noted, FPA section 215 is clear that 
maintaining reliable operation also includes protecting the bulk 
electric system from cybersecurity incidents.\40\ Indeed, our findings 
and directives in the Final Rule are intended to better protect the 
Bulk-Power System from potential cybersecurity incidents that could 
adversely affect reliable operation of the Bulk-Power System. 
Accordingly, we would not be carrying out our obligations under FPA 
section 215 if the Commission determined that cybersecurity incidents 
resulting from gaps in supply chain risk management were outside the 
scope of FPA section 215.
---------------------------------------------------------------------------

    \38\ See Southern NOPR Comments at 16.
    \39\ See 16 U.S.C. 824o(a)(4) (defining ``reliable operation''); 
see also 16 U.S.C. 824o(a)(3).
    \40\ See 16 U.S.C. 824o(a)(4).
---------------------------------------------------------------------------

    24. With regard to concerns that the NOPR's use of the term 
``industrial control system'' signals the Commission's intent to 
address issues beyond the CIP Reliability Standards or cybersecurity 
controls, we clarify that our directive is only intended to address the 
protection of hardware, software, and computing and networking services 
associated with bulk electric system operations from supply chain-
related cybersecurity threats and vulnerabilities.

B. Need for a New or Modified Reliability Standard

1. Cyber Risks Posed by the Supply Chain
NOPR
    25. In the NOPR, the Commission observed that the global supply 
chain, while providing an opportunity for significant benefits to 
customers, enables opportunities for adversaries to directly or 
indirectly affect the operations of companies that may result in risks 
to the end user. The NOPR identified supply chain risks including the 
insertion of counterfeits, unauthorized production, tampering, theft, 
or insertion of malicious software, as well as poor manufacturing and 
development practices. The NOPR pointed to changes in the bulk electric 
system cyber threat landscape, evidenced by recent malware campaigns 
targeting supply chain vendors, which highlighted a gap in the 
protections under the current CIP Reliability Standards.\41\
---------------------------------------------------------------------------

    \41\ NOPR, 152 FERC ¶ 61,054 at PP 61-62.
---------------------------------------------------------------------------

    26. Specifically, the NOPR identified two focused malware campaigns 
identified by the Department of Homeland Security's Industry Control 
System--Computer Emergency Readiness Team (ICS-CERT) in 2014.\42\ The 
NOPR stated that this new type of malware campaign is based on the 
injection of malware while a product or service remains in the control 
of the hardware or software vendor, prior to delivery to the 
customer.\43\
---------------------------------------------------------------------------

    \42\ Id. P 63 (citing ICS-CERT, Alert: ICS Focused Malware 
(Update A), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A; 
ICS-CERT, Alert Ongoing Sophisticated Malware Campaign Compromising 
ICS (Update E), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B). 
ICS-CERT is a division of the Department of Homeland Security that 
works to reduce risks within and across all critical infrastructure 
sectors by partnering with law enforcement agencies and the 
intelligence community.
    \43\ NOPR, 152 FERC ¶ 61,054 at P 63.
---------------------------------------------------------------------------

Comments
    27. NERC acknowledges the NOPR's concerns regarding the threats 
posed by supply chain management risks to the Bulk-Power System. NERC 
states that ``the supply chains for information and communications 
technology and industrial control systems present significant risks to 
[Bulk-Power System] security, providing various opportunities for 
adversaries to initiate cyberattacks.'' \44\ NERC further explains that 
``supply chains risks are . . . complex, multidimensional, and 
constantly evolving, and may include, as the Commission states, 
insertion of counterfeits, unauthorized production, tampering, theft, 
insertion of malicious software and hardware, as well as poor 
manufacturing and development practices.'' \45\ NERC states, however, 
that as to these supply chains, there are ``significant challenges to 
developing a mandatory Reliability Standard consistent with [FPA] 
Section 215 . . . .'' \46\
---------------------------------------------------------------------------

    \44\ NERC NOPR Comments at 8.
    \45\ Id. at 10.
    \46\ Id. at 2.
---------------------------------------------------------------------------

    28. IRC, Peak, Idaho Power, CyberArk, NEMA, Resilient Societies and 
other commenters share the NOPR's concern that supply chain risks pose 
a threat to bulk electric system reliability. IRC states that it 
supports the Commission's efforts to address the risks associated with 
supply chain management.\47\ Peak explains that ``the security risk of 
supply chain management is a real threat, and . . . a CIP standard for 
supply chain management may be necessary.'' \48\ Peak notes, for 
example, that it is possible for a malware campaign to infect 
industrial control software with malicious code while the product or 
service is in the control of the hardware and software vendor, and 
states that, ``[w]ithout proper controls, the vendor may deliver this 
infected product or service, unknowingly passing the risk onto the 
utility industry customer.'' \49\ Isologic and Resilient Societies 
comment that supply chain vulnerabilities are one of the most 
difficult areas of cybersecurity because, among other concerns, 
entities ``are seldom aware of the risks [supply chain vulnerabilities] 
pose.'' \50\
---------------------------------------------------------------------------

    \47\ IRC NOPR Comments at 1-2.
    \48\ Peak NOPR Comments at 3.
    \49\ Id. at 3.
    \50\ Isologic and Resilient Societies Joint NOPR Comments at 9.
---------------------------------------------------------------------------

    29. Idaho Power agrees ``that the supply chain could pose an attack 
vector for certain risks to the bulk electric system.'' \51\ CyberArk 
states that ``infection of vendor Web sites is just one of the 
potential ways a supply chain management attack could be executed'' and 
notes that network communications links between a vendor and its 
customer could be used as well.\52\ NEMA agrees with the NOPR that 
``keeping the electric sector supply chain free from malware and other 
cybersecurity risks is essential.'' \53\ NEMA highlights a number of 
principles it represents as vendor best practices, and encourages the 
Commission and NERC to reference those principles as the effort to 
address supply chain risks progresses.\54\
---------------------------------------------------------------------------

    \51\ Idaho Power NOPR Comments at 3.
    \52\ CyberArk NOPR Comments at 4.
    \53\ NEMA NOPR Comments at 1.
    \54\ Id. at 2.
---------------------------------------------------------------------------

    30. Other commenters do not agree that the risks identified in the 
NOPR support the Commission's NOPR proposal. The Trade Associations, 
Southern, and NIPSCO contend that the two malware campaigns identified 
by ICS-CERT and cited in the NOPR do not actually represent a changed 
threat landscape that defines a reliability gap. Specifically, the 
Trade Associations state that the two identified malware campaigns 
``seek to inject malware, while a product is in the control of and in 
use by the customer and not, as the NOPR suggests, the vendor.'' \55\ 
In support of this position, the Trade Associations note that the ICS-
CERT mitigation measures for the two alerts ``focused on the customer 
and do not address security controls, while the products are under 
control of the vendors.'' \56\
---------------------------------------------------------------------------

    \55\ Trade Associations NOPR Comments at 20-21.
    \56\ Trade Associations NOPR Comments at 21; see also NIPSCO 
NOPR Comments at 6.
---------------------------------------------------------------------------

    31. The Trade Associations and Southern also contend that there is 
no information from various NERC programs and activities that leads to 
a reasonable conclusion that supply chain management issues have caused 
events or disturbances on the bulk electric

[[Page 49883]]

system.\57\ Luminant states that it ``does not perceive the same 
reliability gap that is expressed in the NOPR concerning risks 
associated with supply chain management'' and contends that it is 
important to understand the potential risks and cost impacts related to 
any potential mitigation efforts before developing any additional 
security controls.\58\ KCP&L states that it does not share the 
Commission's view of the supply chain-related reliability gap described 
in the NOPR and, therefore, does not support the Commission's 
proposal.\59\
---------------------------------------------------------------------------

    \57\ Trade Associations NOPR Comments at 21; Southern Comments 
at 11.
    \58\ Luminant NOPR Comments at 4.
    \59\ KCP&L NOPR Comments at 7.
---------------------------------------------------------------------------

Discussion
    32. We find ample support in the record to conclude that supply 
chain management risks pose a threat to bulk electric system 
reliability. As NERC commented, ``the supply chains for information and 
communications technology and industrial control systems present 
significant risks to [Bulk-Power System] security, providing various 
opportunities for adversaries to initiate cyberattacks.'' \60\ The 
malware campaigns analyzed by ICS-CERT and identified in the NOPR are 
only examples of such risks (i.e., supply chain attacks targeting 
supply chain vendors). Commenters identified additional supply chain-
related threats,\61\ including events targeting electric utility 
vendors.\62\
---------------------------------------------------------------------------

    \60\ NERC NOPR Comments at 8.
    \61\ Commenters reference tools and information security 
frameworks, such as ES-C2M2, NIST-SP-800-161 and NIST-SP-800-53, 
which describe the scope of supply chain risk that could impact bulk 
electric system operations. See Department of Energy, Electricity 
Subsector Cybersecurity Capability Maturity Model (February 2014), 
http://energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-1-Feb2014.pdf; NIST Special Publication 800-161, Supply Chain Risk 
Management Practices for Federal Information Systems and 
Organizations at 51, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf; NIST Special Publication 
800-53, Security and Privacy Controls for Federal Information 
Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. These risks include the 
insertion of counterfeits, unauthorized production and modification 
of products, tampering, theft, intentional insertion of tracking 
software, as well as poor manufacturing and development practices. 
One technical conference participant noted that supply chain attacks 
can target either (1) the hardware/software components of a system 
(thereby creating vulnerabilities that can be exploited by a remote 
attacker) or (2) a third party service provider who has access to 
sensitive IT infrastructure or holds/maintains sensitive data. See 
Olcott Technical Conference Comments at 1.
    \62\ Olcott discusses two events targeting electric utility 
vendors and service providers. Olcott Technical Conference Comments 
at 2. Specific recent examples of attacks on third party vendors 
include: (1) unauthorized code found in Juniper Firewalls in 2015; 
(2) the 2013 Target incident involving stolen vendor credentials; 
(3) the 2015 Office of Personnel Management incident also involving 
stolen vendor credentials; and (4) two events targeting electric 
utility vendors. See id. at 1-4.
---------------------------------------------------------------------------

    33. Even among the comments opposed to the NOPR, there is 
acknowledgment that supply chain reliability risks exist. The Trade 
Associations state that their ``respective members have identified 
security issues associated with potential supply chain disruption or 
compromise as being a significant threat.'' \63\ Recognizing that such 
risks exist, we reject the assertion by the Trade Associations and 
Southern that there is an inadequate basis for the Commission to take 
action because ``[t]he Trade Associations can find nothing within 
various NERC programs and activities that lead to a reasonable 
conclusion that supply chain management issues have caused events or 
disturbances on the bulk power system.'' \64\
---------------------------------------------------------------------------

    \63\ Trade Associations NOPR Comments at 17.
    \64\ See Trade Associations NOPR Comments at 21.
---------------------------------------------------------------------------

    34. We disagree with the Trade Associations' arguments suggesting 
that the two malware campaigns identified in the NOPR do not represent 
a change in the threat landscape to the bulk electric system. First, 
while the Trade Associations are correct that the ICS-CERT alerts 
referenced in the NOPR describe remediation steps for customers to take 
in the event of a breach, the vulnerabilities exploited by those 
campaigns were the direct result of vendor decisions about: (1) How to 
deliver software patches to their customers and (2) the necessary 
degree of remote access functionality for their information and 
communications technology products.\65\ Second, the malware campaigns 
also demonstrate that attackers have expanded their efforts to include 
the execution of broad access campaigns targeting vendors and software 
applications, rather than just individual entities. The targeting of 
vendors and software applications with potentially broad access to BES 
Cyber Systems \66\ marks a turning point in that it is no longer 
sufficient to focus protection strategies exclusively on post-
acquisition activities at individual entities. Instead, we believe that 
attention should also be focused on minimizing the attack surfaces of 
information and communications technology products procured to support 
bulk electric system operations.
---------------------------------------------------------------------------

    \65\ The ICS-CERT alert regarding ICS Focused Malware indicated 
that ``the software installers for . . . vendors were infected with 
malware known as the Havex Trojan.''
    \66\ Cyber systems are referred to as ``BES Cyber Systems'' in 
the CIP Reliability Standards. The NERC Glossary defines BES Cyber 
Systems as ``One or more BES Cyber Assets logically grouped by a 
responsible entity to perform one or more reliability tasks for a 
functional entity.'' NERC Glossary of Terms Used in Reliability 
Standards (May 17, 2016) at 15 (NERC Glossary). The NERC Glossary 
defines ``BES Cyber Asset'' as ``A Cyber Asset that if rendered 
unavailable, degraded, or misused would, within 15 minutes of its 
required operation, misoperation, or non-operation, adversely impact 
one or more Facilities, systems, or equipment, which, if destroyed, 
degraded, or otherwise rendered unavailable when needed, would 
affect the reliable operation of the Bulk Electric System. 
Redundancy of affected Facilities, systems, and equipment shall not 
be considered when determining adverse impact. Each BES Cyber Asset 
is included in one or more BES Cyber Systems.'' Id.
---------------------------------------------------------------------------

2. Objectives of a Supply Chain Management Reliability Standard
NOPR
    35. The NOPR stated that the reliability goal of a supply chain 
risk management Reliability Standard should be a forward-looking, 
objective-driven Reliability Standard that encompasses activities in 
the system development life cycle: from research and development, 
design and manufacturing stages (where applicable), to acquisition, 
delivery, integration, operations, retirement, and eventual disposal of 
the responsible entity's information and communications technology and 
industrial control system supply chain equipment and services. The NOPR 
explained that the Reliability Standard should support and ensure 
security, integrity, quality, and resilience of the supply chain and 
the future acquisition of products and services.\67\
---------------------------------------------------------------------------

    \67\ NOPR, 152 FERC ¶ 61,054 at P 64.
---------------------------------------------------------------------------

    36. The NOPR recognized that, due to the breadth of the topic and 
the individualized nature of many aspects of supply chain management, a 
Reliability Standard pertaining to supply chain management security 
should:
     • Respect FPA section 215 jurisdiction by only addressing 
the obligations of responsible entities. A Reliability Standard should 
not directly impose obligations on suppliers, vendors or other entities 
that provide products or services to responsible entities.
     • Be forward-looking in the sense that the Reliability 
Standard should not dictate the abrogation or re-negotiation of 
currently-effective contracts with vendors, suppliers or other 
entities.
     • Recognize the individualized nature of many aspects of 
supply chain management by setting goals (the ``what''), while allowing 
flexibility in how a responsible entity subject to the

[[Page 49884]]

Reliability Standard achieves that goal (the ``how'').
     • Given the types of specialty products involved and the 
diversity of acquisition processes, the Reliability Standard may need 
to allow exceptions (e.g., to meet safety requirements and fill 
operational gaps if no secure products are available).
     • Provide enough specificity so that compliance obligations 
are clear and enforceable. In particular, the Commission anticipated 
that a Reliability Standard that simply requires a responsible entity 
to ``have a plan'' addressing supply chain management would not 
suffice. Rather, to adequately address the concerns identified in the 
NOPR, the Commission stated a Reliability Standard should identify 
specific controls.\68\
---------------------------------------------------------------------------

    \68\ Id. P 66.
---------------------------------------------------------------------------

    37. The NOPR recognized that, because security controls for supply 
chain management likely vary greatly with each responsible entity due 
to variations in individual business practices, the right set of supply 
chain management security controls should accommodate, inter alia, an 
entity's: (1) Procurement process; (2) vendor relations; (3) system 
requirements; (4) information technology implementation; and (5) 
privileged commercial or financial information. As examples of controls 
that may be instructional in the development of any new Reliability 
Standard, the NOPR identified the following Supply Chain Risk 
Management controls from NIST SP 800-161: (1) Access Control Policy and 
Procedures; (2) Security Assessment Authorization; (3) Configuration 
Management; (4) Identification and Authentication; (5) System 
Maintenance Policy and Procedures; (6) Personnel Security Policy and 
Procedures; (7) System and Services Acquisition; (8) Supply Chain 
Protection; and (9) Component Authenticity.\69\
---------------------------------------------------------------------------

    \69\ NOPR, 152 FERC ¶ 61,054 at P 65 (citing NIST Special 
Publication 800-161 at 51).
---------------------------------------------------------------------------

Comments
    38. NERC states that a Commission directive requiring the 
development of a supply chain risk management Reliability Standard: (1) 
Should provide a minimum of two years for Reliability Standard 
development activities; (2) should clarify that any such Reliability 
Standard build on existing protections in the CIP Reliability Standards 
and the practices of responsible entities, and focus primarily on those 
procedural controls that responsible entities can reasonably be 
expected to implement during the procurement of products and services 
associated with bulk electric system operations to manage supply chain 
risks; and (3) must be flexible to account for differences in the needs 
and characteristics of responsible entities, the diversity of bulk 
electric system environments, technologies, risks, and issues related 
to the limited applicability of mandatory NERC Reliability 
Standards.\70\
---------------------------------------------------------------------------

    \70\ NERC NOPR Comments at 8-9.
---------------------------------------------------------------------------

    39. While sharing the Commission's concern that supply chain risks 
pose a threat to bulk electric system reliability, some commenters 
suggest that the Commission address certain threshold issues before 
moving forward with the NOPR proposal. IRC notes its concern that the 
NOPR proposal is overly broad, which IRC states could hamper industry's 
ability to address the Commission's concerns.\71\ Idaho Power expresses 
a concern ``that tightening purchasing controls too tightly could also 
pose a risk because there are limited vendors'' available to 
industry.\72\ Idaho Power states that any supply chain Reliability 
Standard ``should be laid out in terms of requirements built around 
controls that are developed by the regulated entity rather than 
prescriptive requirements like many other CIP standards.'' \73\ ISO-NE 
supports the development of procedural controls ``such as requirements 
that Registered Entities must transact with organizations that meet 
certain criteria, use specified procurement language in contracts, and 
review and validate vendors' security practices.'' \74\ Peak notes that 
``the number of vendors for certain hardware, software and services may 
be limited'' and, therefore, a supply chain-related Reliability 
Standard should grant responsible entities the flexibility ``to show 
preference for, but not the obligation to use, vendors who demonstrate 
sound supply chain security practices.'' \75\
---------------------------------------------------------------------------

    \71\ IRC NOPR Comments at 2.
    \72\ Idaho Power NOPR Comments at 3.
    \73\ Id. at 3-4.
    \74\ ISO-NE NOPR Comments at 2 (citing NERC NOPR Comments at 17-
18).
    \75\ Peak NOPR Comments at 4.
---------------------------------------------------------------------------

    40. NERC, the Trade Associations, Southern, Gridwise, and other 
commenters request that, should the Commission find it reasonable to 
direct NERC to develop a new or modified Reliability Standard for 
supply chain management, the Commission adopt certain principles for 
NERC to follow in the standards development process. As an initial 
matter, NERC and other commenters state that the Commission should 
identify the risks that it intends NERC to address.\76\ In addition, 
NERC, SPP RE, and AEP state that the Commission should ensure that any 
new or modified supply chain-related Reliability Standard carefully 
considers the risk being addressed against the cost of mitigating that 
risk.\77\
---------------------------------------------------------------------------

    \76\ NERC NOPR Comments at 9-11; Trade Associations NOPR 
Comments at 26; Gridwise NOPR Comments at 5; AEP NOPR Comments at 8; 
SPP RE NOPR Comments at 11; EnergySec NOPR Comments at 4.
    \77\ NERC NOPR Comments at 11-12; SPP RE NOPR Comments at 11; 
AEP NOPR Comments at 9.
---------------------------------------------------------------------------

    41. NERC states that the focus of any supply chain risk management 
Reliability Standard ``should be a set of requirements outlining those 
procedural controls that entities should take, as purchasers of 
products and services, to design more secure products and modify the 
security practices of suppliers, vendors, and other parties throughout 
the supply chain.'' \78\ Similarly, SPP RE notes that, while one 
responsible entity alone may not have adequate leverage to make a 
vendor or supplier adopt adequate security practices, ``the collective 
application of the procurement language across a broad collection of 
Responsible Entities may achieve the intended improvement in security 
safeguards.'' \79\ Isologic and Resilient Societies recommend limiting 
the Reliability Standard requirements to a few that are immediately 
necessary, such as: (1) Preventing the installation of cyber related 
system or grid components which have been reported by ICS-CERT to be 
provably vulnerable to a supply chain attack, unless the vulnerability 
has been corrected; (2) removing from operation any system or component 
reported by ICS-CERT as containing an exploitable vulnerability; and 
(3) subjecting hardware and software to penetration testing prior to 
installation on the grid.\80\
---------------------------------------------------------------------------

    \78\ NERC NOPR Comments at 17.
    \79\ SPP RE NOPR Comments at 12.
    \80\ Isologic and Resilient Societies Joint NOPR Comments at 11.
---------------------------------------------------------------------------

    42. In post-technical conference comments, while still opposing the 
NOPR proposal, APPA suggests certain parameters that should govern the 
development of any supply chain-related Reliability Standard.\81\ 
Specifically, APPA states that a supply chain-related Reliability 
Standard should be risk-based and ``must embody an approach that 
enables utilities to perform a risk assessment of the hardware and 
systems that create potential vulnerabilities,'' similar to the 
approach taken in Reliability Standard CIP-014-2, Requirement R1 
(Physical

[[Page 49885]]

Security).\82\ In addition, APPA states that a supply chain-related 
Reliability Standard should not require responsible entities to 
actively manage third-party vendors or their processes since that would 
risk involving utilities in areas that are outside of their core 
expertise. APPA also argues that ``it would be unreasonable for any 
standard that FERC directs to hold utilities liable for the actions of 
third-party vendors or suppliers.'' \83\ Finally, APPA states that 
responsible entities should be able to rely on a credible attestation 
by a vendor or supplier that it complied with identified supply chain 
security process. APPA contends that this would be the most efficient 
way to ``establish a standard of care on the suppliers' part.'' \84\
---------------------------------------------------------------------------

    \81\ APPA's post-technical conference comments were submitted 
jointly with LPPC and TAPS.
    \82\ APPA Post-Technical Conference Comments at 3-4.
    \83\ Id. at 4-5.
    \84\ Id. at 5.
---------------------------------------------------------------------------

Discussion
    43. We direct that NERC, pursuant to section 215(d)(5) of the FPA, 
develop a forward-looking, objective-driven new or modified Reliability 
Standard to require each affected entity to develop and implement a 
plan that includes security controls for supply chain management for 
industrial control system hardware, software, and services associated 
with bulk electric system operations. Our directive is consistent with 
the NOPR comments advocating flexibility as to what form the 
Commission's directive should take.
    44. We agree with NERC and other commenters that a supply chain 
risk management Reliability Standard should be flexible and fall within 
the scope of what is possible using Reliability Standards under FPA 
section 215. The directive discussed below, we believe, is consistent 
with both points. In particular, the flexibility inherent in our 
directive should account for, among other things, differences in the 
needs and characteristics of responsible entities and the diversity of 
BES Cyber System environments, technologies and risks. For example, the 
new or modified Reliability Standard may allow a responsible entity to 
meet the security objectives discussed below by having a plan to apply 
different controls based on the criticality of different assets. And by 
directing NERC to develop a new or modified Reliability Standard, the 
Commission affords NERC the option of modifying existing Reliability 
Standards to satisfy our directive. Finally, we direct NERC to submit 
the new or modified Reliability Standard within one year of the 
effective date of this Final Rule.\85\
---------------------------------------------------------------------------

    \85\ We note that the Trade Associations request that the 
Commission allow ``at least one year for discussion, development, 
and approval by the NERC Board of Trustees.'' See Trade Associations 
Post-Technical Conference Comments at 22. NERC should submit an 
informational filing within ninety days of the effective date of 
this Final Rule with a plan to address the Commission's directive.
---------------------------------------------------------------------------

    45. The plan required by the new or modified Reliability Standard 
developed by NERC should address, at a minimum, the following four 
specific security objectives in the context of addressing supply chain 
management risks: (1) Software integrity and authenticity; (2) vendor 
remote access; (3) information system planning; and (4) vendor risk 
management and procurement controls. Responsible entities should be 
required to achieve these four objectives but have the flexibility as 
to how to reach the objective (i.e., the Reliability Standard should 
set goals (the ``what''), while allowing flexibility in how a 
responsible entity subject to the Reliability Standard achieves that 
goal (the ``how'')).\86\ Alternatively, NERC can propose an equally 
effective and efficient approach to address the issues raised in the 
objectives identified below. In addition, while in the discussion below 
we identify four objectives, NERC may address additional supply chain 
management objectives in the standards development process, as it deems 
appropriate.
---------------------------------------------------------------------------

    \86\ See Order No. 672, FERC Stats. & Regs. ¶ 31,204 at P 260.
---------------------------------------------------------------------------

    46. The new or modified Reliability Standard should also require a 
periodic reassessment of the utility's selected controls. Consistent 
with or similar to the requirement in Reliability Standard CIP-003-6, 
Requirement R1, the Reliability Standard should require the responsible 
entity's CIP Senior Manager to review and approve the controls adopted 
to meet the specific security objectives identified in the Reliability 
Standard at least every 15 months. This periodic assessment should 
better ensure that the required plan remains up-to-date, addressing 
current and emerging supply chain-related concerns and vulnerabilities.
    47. Also, consistent with this reliance on an objectives-based 
approach, and as part of this periodic review and approval, the 
responsible entity's CIP Senior Manager should consider any guidance 
issued by NERC, the U.S. Department of Homeland Security (DHS) or other 
relevant authorities for the planning, procurement, and operation of 
industrial control systems and supporting information systems equipment 
since the prior approval, and identify any changes made to address the 
recent guidance. This periodic reconsideration will help ensure an 
ongoing, affirmative process for reviewing and, when appropriate, 
incorporating such guidance.
First Objective: Software Integrity and Authenticity
    48. The new or modified Reliability Standard must address 
verification of: (1) The identity of the software publisher for all 
software and patches that are intended for use on BES Cyber Systems; 
and (2) the integrity of the software and patches before they are 
installed in the BES Cyber System environment.
    49. This objective is intended to reduce the likelihood that an 
attacker could exploit legitimate vendor patch management processes to 
deliver compromised software updates or patches to a BES Cyber System. 
One of the two focused malware campaigns identified by ICS-CERT in 2014 
utilized similar tactics, executing what is commonly referred to as a 
``Watering Hole'' attack \87\ to exploit affected information systems. 
Similar tactics appear to have been used in a recently disclosed attack 
targeting electric sector infrastructure in Japan.\88\ These types of 
attacks might have been prevented had the affected entities applied 
adequate integrity and authenticity controls to their patch management 
processes.
---------------------------------------------------------------------------

    \87\ ``Watering Hole'' attacks exploit poor vendor/client 
patching and updating processes. Attackers generally compromise a 
vendor of the intended victim and then use the vendor's information 
system as a jumping off point for their attack. Attackers will often 
inject malware or replace legitimate files with corrupted files 
(usually a patch or update) on the vendor's Web site as part of the 
attack. The victim then downloads the files without verifying each 
file's legitimacy believing that it is included in a legitimate 
patch or update.
    \88\ See Cylance, Operation DustStorm, https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf.
---------------------------------------------------------------------------

    50. As NERC recognizes in its NOPR comments, NIST SP-800-161 
``establish[es] instructional reference points for NERC and its 
stakeholders to leverage in evaluating the appropriate framework for 
and security controls to include in any mandatory supply chain 
management Reliability Standard.'' \89\ NIST SP-800-161 includes a 
number of security controls which, when taken together, reduce the 
probability of a successful Watering Hole or similar cyberattack in the 
industrial control system environment and thus could assist in 
addressing this objective. For example, in the System and Information

[[Page 49886]]

Integrity (SI) control family, control SI-7 suggests that the integrity 
of information systems and components should be tested and verified 
using controls such as digital signatures and obtaining software 
directly from the developer. In the Configuration Management (CM) 
control family, control CM-5(3) requires that the information system 
prevent the installation of firmware or software without verification 
that the component has been digitally signed to ensure that hardware 
and software components are genuine and valid. NIST SP-800-161, while 
not meant to be definitive, provides examples of controls for 
addressing the Commission's directive regarding this first objective. 
Other security controls also could meet this objective.
---------------------------------------------------------------------------

    \89\ NERC NOPR Comments at 16-17; see also Resilient Societies 
NOPR Comments at 11.
---------------------------------------------------------------------------
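The two verification steps this first objective names (the identity of the software publisher, then the integrity of the software before installation) are shown below in a Go program added to this page as an illustration. It is example code, not text of the Order, NERC's standards, NIST SP-800-161, or any vendor's tooling. It assumes a constructed Ed25519 publisher key that the responsible entity obtained out of band rather than from the download itself, a constructed manifest format (file name plus SHA-256 digest), a made-up package name rtu-fw-2.1.bin and made-up package bytes. It plays out three cases a patch-management check must separate: a genuine release, a release whose bytes were swapped on the download site after the publisher signed the manifest, and a manifest re-signed with a key the publisher never held. Only the first case is allowed to proceed to installation.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the publisher-signed statement of what a release should be.
// Constructed format for this example; real publishers ship equivalents
// (detached signatures, signed checksum files, code-signing certificates).
type Manifest struct {
	Name   string // package file name
	SHA256 string // hex digest of the package bytes the publisher released
}

// Encode produces the exact bytes that are signed and later verified.
func (m Manifest) Encode() []byte {
	return []byte(m.Name + "\n" + m.SHA256 + "\n")
}

// SignManifest is the publisher side: hash the release, sign the manifest.
func SignManifest(priv ed25519.PrivateKey, name string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned publisher key")
	ErrWrongName    = errors.New("manifest names a different package")
	ErrBadDigest    = errors.New("package digest does not match signed manifest")
)

// VerifyBeforeInstall is the responsible entity's side. pinnedPub is the
// publisher key held locally from an out-of-band source, never the download.
func VerifyBeforeInstall(pinnedPub ed25519.PublicKey, m Manifest, sig []byte, name string, pkg []byte) error {
	// Step 1, authenticity: was this manifest signed by the expected publisher?
	if !ed25519.Verify(pinnedPub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Name != name {
		return ErrWrongName
	}
	// Step 2, integrity: are the bytes we hold the bytes that were signed?
	sum := sha256.Sum256(pkg)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrBadDigest
	}
	return nil
}

// RunScenarios plays out the three cases; all keys and bytes are constructed.
func RunScenarios() (genuine, tampered, impostor error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key the publisher never held

	release := []byte("constructed firmware image v2.1") // stands in for a real package
	m, sig := SignManifest(vendorPriv, "rtu-fw-2.1.bin", release)
	genuine = VerifyBeforeInstall(vendorPub, m, sig, "rtu-fw-2.1.bin", release)

	// The file on the download site was replaced after the manifest was signed.
	swapped := append([]byte(nil), release...)
	swapped[0] ^= 0x01
	tampered = VerifyBeforeInstall(vendorPub, m, sig, "rtu-fw-2.1.bin", swapped)

	// The site also serves a fresh manifest for the swapped file, signed with
	// a key that is not the pinned publisher key.
	m2, sig2 := SignManifest(otherPriv, "rtu-fw-2.1.bin", swapped)
	impostor = VerifyBeforeInstall(vendorPub, m2, sig2, "rtu-fw-2.1.bin", swapped)
	return
}

func main() {
	g, t, i := RunScenarios()
	fmt.Println("genuine release:", g)
	fmt.Println("swapped bytes:  ", t)
	fmt.Println("foreign key:    ", i)
}
```

The order of the two checks matters: the signature is verified before the digest is trusted, because a digest published alongside a replaced file proves nothing on its own. The check is only as strong as the pinning of the publisher key, which is why the example takes that key as an input held by the entity rather than fetching it.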

Second Objective: Vendor Remote Access to BES Cyber Systems
    51. The new or modified Reliability Standard must address 
responsible entities' logging and controlling all third-party (i.e., 
vendor) initiated remote access sessions. This objective covers both 
user-initiated and machine-to-machine vendor remote access.
    52. This objective addresses the threat that vendor credentials 
could be stolen and used to access a BES Cyber System without the 
responsible entity's knowledge, as well as the threat that a compromise 
at a trusted vendor could traverse over an unmonitored connection into 
a responsible entity's BES Cyber System. The theft of legitimate user 
credentials appears to have been a critical aspect to the successful 
execution of the 2015 cyberattack on Ukraine's power grid.\90\ In 
addition, controls adopted under this objective should give responsible 
entities the ability to rapidly disable remote access sessions in the 
event of a system breach.
---------------------------------------------------------------------------

    \90\ See E-ISAC, Analysis of the Cyber Attack on the Ukrainian 
Power Grid at 3 (Mar. 18, 2016), http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
---------------------------------------------------------------------------

    53. DHS noted the importance of controlling vendor remote access in 
its alert on the Ukrainian cyberattack: ``Remote persistent vendor 
connections should not be allowed into the control network. Remote 
access should be operator controlled, time limited, and procedurally 
similar to ``lock out, tag out.'' The same remote access paths for 
vendor and employee connections can be used; however, double standards 
should not be allowed.'' \91\
---------------------------------------------------------------------------

    \91\ See ICS-CERT Alert, Cyber-Attack Against Ukrainian Critical 
Infrastructure, https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
---------------------------------------------------------------------------

    54. NIST SP-800-53 and NIST SP-800-161 provide several security 
controls which, when taken together, reduce the probability that an 
attacker could use legitimate third-party access to compromise 
responsible entity information systems. In the System and 
Communications Protection (SC) control family, for example, control SC-7 
addressing boundary protection requires that an entity implement 
appropriate monitoring and control mechanisms and processes at the 
boundary between the entity and its suppliers, and that provisions for 
boundary protections should be incorporated into agreements with 
suppliers. These protections apply regardless of whether the remote 
access session is user-initiated (interactive) or machine-to-machine.
    55. In the Access Control (AC) control family, control AC-17 
requires usage restrictions, configuration/connection requirements, and 
monitoring and control for remote access sessions, including the 
entity's ability to expeditiously disconnect or disable remote access. 
In the Identification and Authentication (IA) control family, control 
IA-5 requires changing default ``authenticators'' (e.g., passwords) 
prior to information system installation. In the System and Information 
Integrity (SI) control family, control SI-4 addresses monitoring of 
vulnerabilities resulting from past information and communication 
technology supply chain compromises, such as malicious code implanted 
during software development and set to activate after deployment. These 
sources, while not meant to be definitive, provide examples of controls 
for addressing the Commission's directive regarding objective two. 
Other security controls also could meet this objective.
Third Objective: Information System Planning and Procurement
    56. The new or modified Reliability Standard must address how a 
responsible entity will include security considerations as part of its 
information system planning and system development lifecycle processes. 
As part of this objective, the new or modified Reliability Standard 
must address a responsible entity's CIP Senior Manager's (or 
delegate's) identification and documentation of the risks of proposed 
information system planning and system development actions. This 
objective is intended to ensure adequate consideration of these risks, 
as well as the available options for hardening the responsible entity's 
information system and minimizing the attack surface.
    57. This third objective addresses the risk that responsible 
entities could unintentionally plan to procure and install unsecure 
equipment or software within their information systems, or could 
unintentionally fail to anticipate security issues that may arise due 
to their network architecture or during technology and vendor 
transitions. For example, the BlackEnergy malware campaign identified 
by ICS-CERT and referenced in the NOPR resulted from the remote 
exploitation of previously unidentified vulnerabilities, which allowed 
attackers to execute malicious code on remotely accessible 
devices.\92\ According to ICS-CERT, this attack might have been 
mitigated if affected entities had taken steps during system 
development and planning to: (1) Minimize network exposure for all 
control system devices/subsystems; (2) ensure that devices were not 
accessible from the internet; (3) place devices behind firewalls; and 
(4) utilize secure remote access techniques.\93\ The third objective 
also supports, where appropriate, the need for strategic technology 
refreshes as recommended by ICS-CERT in response to the 2015 Ukraine 
cybersecurity incident.\94\
---------------------------------------------------------------------------

    \92\ See ICS-CERT Alert, Ongoing Sophisticated Malware Campaign 
Compromising ICS (Update E).
    \93\ See ICS-CERT Advisory, GE Proficy Vulnerabilities, https://ics-cert.us-cert.gov/advisories/ICSA-14-023-01.
    \94\ See ICS-CERT Alert, Cyber-Attack Against Ukrainian Critical 
Infrastructure.
---------------------------------------------------------------------------

    58. NIST SP 800-53 and SP 800-161 provide several controls which, 
when taken together, reduce the likelihood that an information system 
will be deployed and/or remain in service with potential 
vulnerabilities that have not been identified or adequately considered. 
For example, in the NIST SP 800-53 System and Services Acquisition (SA) 
control family, control SA-3 provides that organizations should: (1) Manage 
information systems using an organizationally-defined system 
development life cycle that incorporates information security 
considerations; and (2) integrate the organizational information 
security risk management process into system development life cycle 
activities.\95\ Similarly, control SA-8 recommends using secure 
engineering principles during the planning and acquisition phases of 
future projects such as: (1) Developing layered protections; (2) 
establishing sound security policy, architecture, and controls as the 
foundation for design; (3) incorporating security requirements into the 
system development life cycle; and (4) reducing risk to acceptable 
levels, thus enabling informed risk

[[Page 49887]]

management decisions.\96\ Finally, control SA-22 provides controls to 
address unsupported system components, recommending the replacement of 
information and communication technology components when support is no 
longer available, or the justification and approval of an unsupported 
system component to meet specific business needs. These sources, while 
not meant to be definitive, provide examples of controls for addressing 
the Commission's directive regarding objective three. Other security 
controls also could meet this objective.
---------------------------------------------------------------------------

    \95\ NIST Special Publication 800-53, Appendix F (Security 
Control Catalog) at 157.
    \96\ Id. at 162.
---------------------------------------------------------------------------

Fourth Objective: Vendor Risk Management and Procurement Controls
    59. The new or modified Reliability Standard must address the 
provision and verification of relevant security concepts in future 
contracts for industrial control system hardware, software, and 
computing and networking services associated with bulk electric system 
operations. Specifically, NERC must address controls for the following 
topics: (1) Vendor security event notification processes; (2) vendor 
personnel termination notification for employees with access to remote 
and onsite systems; (3) product/services vulnerability disclosures, 
such as accounts that are able to bypass authentication or the presence 
of hardcoded passwords; (4) coordinated incident response activities; 
and (5) other related aspects of procurement. NERC should also consider 
provisions to help responsible entities obtain necessary information 
from their vendors to minimize potential disruptions from vendor-
related security events.
    60. This fourth objective addresses the risk that responsible 
entities could enter into contracts with vendors who pose significant 
risks to their information systems, as well as the risk that products 
procured by a responsible entity fail to meet minimum security 
criteria. In addition, this objective addresses the risk that a 
compromised vendor would not provide adequate notice and related 
incident response to responsible entities with whom that vendor is 
connected.
    61. The Department of Energy (DOE) Cybersecurity Procurement 
Language for Energy Delivery Systems document outlines security 
principles and controls for entities to consider when designing and 
procuring control system products and services (e.g., software, 
systems, maintenance, and networks), and provides example language that 
could be incorporated into procurement specifications. The procurement 
language encourages buyers to incorporate baseline procurement language 
that ensures the supplier establishes, documents and implements risk 
management practices for supply chain delivery of hardware, software, 
and firmware.\97\ In addition, NIST SP 800-161 encourages buyers to use 
the Information and Communications Technology supply chain risk 
management (ICT SCRM) plans for their respective systems and missions 
throughout their acquisition activities.\98\ The controls in the ICT 
SCRM plans can be applied in different life cycle processes.
---------------------------------------------------------------------------

    \97\ See Energy Sector Control Systems Working Group, 
Cybersecurity Procurement Language--Energy Delivery Systems at 27, 
http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf.
    \98\ See NIST Special Publication 800-161 at 51.
---------------------------------------------------------------------------

    62. NIST SP 800-161 also provides specific recommendations in 
control SA-4 pertaining to systems acquisition processes, which are 
relevant for consideration during the standards development process, 
including but not limited to: (1) Defining requirements that cover 
regulatory requirements (i.e., telecommunications or IT), technical 
requirements, chain of custody, transparency and visibility, sharing 
information on supply chain security incidents throughout the supply 
chain, rules for disposal or retention of elements such as components, 
data, or intellectual property, and other relevant requirements; (2) 
defining requirements for critical elements in the supply chain to 
demonstrate a capability to remediate emerging vulnerabilities based on 
open source information and other sources; and (3) defining 
requirements for the expected life span of the system and ensuring that 
suppliers can provide insights into their plans for the end-of-life of 
components. Other relevant provisions can be found in the System and 
Communications Protection (SC) control family under control SC-18 
addressing SCRM guidance for mobile code, which recommends that 
organizations employ rigorous supply chain protection techniques in the 
acquisition, development, and use of mobile code to be deployed in 
information systems.\99\ These sources, while not meant to be 
definitive, provide examples of controls for addressing the 
Commission's directive regarding objective four. Other security 
controls also could meet this objective.
---------------------------------------------------------------------------

    \99\ Mobile code is a software program or parts of a program 
obtained from remote information systems, transmitted across a 
network, and executed on a local information system without explicit 
installation or execution by the recipient. NIST Special Publication 
800-53, Appendix B (Glossary) at 14. Mobile code technologies 
include, for example, Java, JavaScript, ActiveX, Postscript, PDF, 
Shockwave movies, Flash animations, and VBScript. Id.
---------------------------------------------------------------------------

3. Existing CIP Reliability Standards
Comments
    63. NERC comments that although the CIP Reliability Standards do 
not explicitly address supply chain procurement practices, existing 
requirements mitigate the supply chain risks identified in the NOPR. In 
particular, NERC states that requirements in Reliability Standards CIP-
004-6, CIP-005-5, CIP-006-6, CIP-007-6, CIP-008-5, CIP-009-6, CIP-010-
2, and CIP-011-2 ``include controls that correspond to controls in NIST 
SP 800-161.'' \100\
---------------------------------------------------------------------------

    \100\ NERC NOPR Comments at 15-16.
---------------------------------------------------------------------------

    64. For example, NERC explains that responsible entity compliance 
with Reliability Standard CIP-004-6, addressing the implementation of 
cybersecurity awareness programs, may include reinforcement of 
cybersecurity practices to mitigate supply chain risks. NERC also 
states that requirements in Reliability Standard CIP-004-6 (addressing 
personnel risk assessment) and requirements in Reliability Standards 
CIP-004-6, CIP-005-5, CIP-006-6, CIP-007-6, and CIP-010-2 (addressing 
electronic and physical access) apply to any outside vendors or 
contractors.
    65. The Trade Associations, Arkansas, G&T Cooperatives, NIPSCO, 
Luminant, Southern, NextEra, and SCE contend that the existing CIP 
Reliability Standards, at least partly, address supply chain risks that 
are within a responsible entity's control.
    66. The Trade Associations state that, while the existing CIP 
Reliability Standards do not contain explicit provisions addressing 
supply chain management, ``transmission owners and operators already 
have significant responsibilities to perform under various Commission-
approved CIP standards that already address supply chain issues.'' 
\101\ Specifically, the Trade Associations, NIPSCO, and others state 
that Reliability Standard CIP-010-2 establishes requirements for cyber 
asset change management that mandate extensive baseline configuration 
testing and change monitoring, as well as vulnerability assessments, 
prior to connecting a new cyber asset to a High Impact BES Cyber 
Asset.\102\
---------------------------------------------------------------------------

    \101\ Trade Associations NOPR Comments at 19-20.
    \102\ Trade Associations NOPR Comments at 20; NIPSCO NOPR 
Comments at 5; Southern NOPR Comments at 12; Luminant NOPR Comments 
at 4-5; SCE NOPR Comments at 6.

---------------------------------------------------------------------------

[[Page 49888]]

    67. The Trade Associations also contend that the CIP Reliability 
Standards provide adequate vendor remote access protections by 
mandating: (1) Controls that restrict personnel access (physical and 
electronic) to protected information systems; (2) controls that prevent 
direct access to applicable systems for interactive remote access 
sessions using routable protocols; (3) the use of encryption for 
connections extending outside of an electronic security perimeter; (4) 
the use of two factor authentication when accessing medium and high 
impact systems; and (5) integration controls which require changing 
known default accounts and passwords.\103\
---------------------------------------------------------------------------

    \103\ Trade Associations Post-Technical Conference Comments at 
6.
---------------------------------------------------------------------------

    68. NIPSCO, Luminant, and G&T Cooperatives point to Reliability 
Standard CIP-007-6 as an existing Reliability Standard that addresses 
supply chain risks. Reliability Standard CIP-007-6 requires responsible 
entities to have processes under which only necessary ports and 
services should be enabled; security patches should be tracked, 
evaluated, and installed on applicable BES Cyber Systems; and anti-
virus software or other prevention tools should be used to prevent the 
introduction and propagation of malicious software on all Cyber Assets 
within an Electronic Security Perimeter.\104\
---------------------------------------------------------------------------

    \104\ NIPSCO NOPR Comments at 5; Luminant NOPR Comments at 4; 
G&T Cooperatives NOPR Comments at 8-9.
---------------------------------------------------------------------------

    69. Commenters also identify existing voluntary guidelines that, 
they contend, augment the existing CIP Reliability Standards to further 
address any potential risks posed by the supply chain. Southern points 
to voluntary cybersecurity procurement guidance materials developed by 
the DHS and the DOE as examples of procurement language that could be 
used in the course of vendor negotiations. Southern states that the DHS 
and DOE guidelines recognize the need for flexibility and allow for 
multiple contractual approaches.\105\
---------------------------------------------------------------------------

    \105\ Southern NOPR Comments at 13.
---------------------------------------------------------------------------

    70. Commenters suggest that the Commission direct NERC to develop 
cybersecurity procurement guidance documents as opposed to a mandatory 
Reliability Standard. AEP, NextEra, and Southern state that the 
Commission could direct NERC to develop guidance documents addressing 
supply chain risk management based, in part, on the DHS and DOE 
voluntary cybersecurity procurement guidance materials.\106\ Luminant 
asserts that NERC-developed guidance ``would effectively communicate 
key issues while permitting industry the flexibility to effectively 
protect their BES Cyber Systems in a way most effective for that entity 
and at the lowest cost.'' \107\
---------------------------------------------------------------------------

    \106\ AEP NOPR Comments at 7-8; NextEra NOPR Comments at 4-5; 
Southern NOPR Comments at 12-13.
    \107\ Luminant NOPR Comments at 5.
---------------------------------------------------------------------------

Discussion
    71. While we recognize that existing CIP Reliability Standards 
include requirements that address aspects of supply chain management, 
we determine that existing Reliability Standards do not adequately 
protect against supply chain risks that are within a responsible 
entity's control. Specifically, we find that existing CIP Reliability 
Standards do not provide adequate protection for the four aspects of 
supply chain risk management that underlie the four objectives for a 
new or modified Reliability Standard discussed above.\108\ Moreover, a 
fundamental premise of cyber security is ``defense in depth,'' and 
addressing issues in the supply chain (to the extent a utility 
reasonably can) is an important component of a strong, multi-layered 
defense.
---------------------------------------------------------------------------

    \108\ Since the directive to NERC to develop a new or modified 
Reliability Standard is limited to the four objectives discussed 
above, we limit our analysis of the existing CIP Reliability 
Standards to requirements that relate to those objectives.
---------------------------------------------------------------------------

Software Integrity and Authenticity
    72. With regard to software integrity and authenticity, we agree 
with commenters who state that the existing CIP Reliability Standards 
contain requirements for responsible entities to implement a patch 
management process for tracking, evaluating, and installing 
cybersecurity patches and to implement processes to detect, prevent, 
and mitigate the threat of malicious code. These provisions, however, 
do not require responsible entities to verify the identity of the 
software publisher for all software and patches that are intended for 
use on their BES Cyber Systems or to verify the integrity of the 
software and patches before they are installed in the BES Cyber System 
environment.\109\ As discussed above, the CIP Reliability Standards 
should address compromised software or patches that a responsible 
entity receives from a vendor, in order to protect the bulk electric 
system from Watering-Hole or similar cyberattacks. These concerns are 
not addressed by existing CIP Reliability Standards.
---------------------------------------------------------------------------

    \109\ See Trade Associations NOPR Comments at 38 (indicating 
that integrity checking mechanisms used to verify software, 
firmware, and information integrity found in the NIST SP-800-161 
System and Information Integrity (SI) control family are not 
addressed in the CIP version 5 Reliability Standards).
---------------------------------------------------------------------------

    73. Mandatory controls in the existing CIP Reliability Standards 
referenced by commenters do not provide sufficient protection against 
attacks that compromise software and software patch integrity and 
authenticity. For example, while Reliability Standard CIP-007-6, 
Requirement R2 requires responsible entities to enforce a patch 
management process for tracking, evaluating, and installing cyber 
security patches for applicable systems, including evaluating security 
patches for applicability, the requirement does not address mechanisms 
to acquire the patch file from a vendor in a secure manner and methods 
to validate the integrity of a patch file before installation.
    74. With respect to mandatory configuration controls, Reliability 
Standard CIP-010-2, Requirement R1 requires responsible entities to 
authorize and document all changes to baseline configurations and, 
where technically feasible, test patches in a test environment before 
installing. However, NERC's technical guidance document for CIP-010-2, 
Requirement R1, Part 1.2 does not require the authorizer to first 
verify the authenticity of a patch. Similarly, the testing of patches 
in a test environment under Requirement R1.5 would likely provide 
insufficient protection as many malware variants are programmed to 
execute only after the system is rebooted several times. Regarding 
patch source monitoring, the guidelines and technical basis section for 
Reliability Standard CIP-007-6 suggests that responsible entities 
should obtain security patches from original sources, where possible, 
and indicates that patches should be approved or certified by another 
source before being assessed and applied.\110\ The Reliability 
Standard, however, does not require the use of these techniques. 
Implementing controls that verify integrity and authenticity of 
software and its publishers may help mitigate security gaps listed 
above.
---------------------------------------------------------------------------

    \110\ Reliability Standard CIP-007-6 (Cyber Security--Systems 
Security Management), Guidelines and Technical Basis at 42-43.
---------------------------------------------------------------------------

    75. In sum, the current CIP Reliability Standards do contain 
certain controls addressing the risks posed by malware, as stated by 
commenters. Verifying software integrity and authenticity, however, is 
a reasonable and appropriate complement to these controls, is not 
required by the current Standards, and is supported by the

[[Page 49889]]

principle of defense-in-depth. In fact, this verification can be viewed 
as the first line of defense against malware-infected software.
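The following Go program is an added illustration of the two checks that paragraphs 50 and 72 through 75 describe (verifying the identity of the software publisher and the integrity of the patch before installation); it is not part of this order, of the CIP Reliability Standards, or of any NIST publication. The signed-manifest format, the Ed25519 signature scheme, the vendor name acme-rtu and the patch bytes are assumptions constructed for the example. A real deployment would pin the vendor's published signing key obtained out of band and verify whatever signature format the vendor actually ships (a detached PGP signature, a signed firmware image, an Authenticode-signed installer).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the vendor-supplied description of a patch: the file name, its
// SHA-256 digest, and the vendor's Ed25519 signature over those two fields.
// The format is an assumption made for this example.
type Manifest struct {
	FileName  string
	SHA256Hex string
	Signature []byte
}

// signedBytes is the exact byte string the vendor signs and the entity verifies.
func signedBytes(fileName, shaHex string) []byte {
	return []byte(fileName + "\n" + shaHex + "\n")
}

// SignManifest is the publication-time step on the vendor's side.
func SignManifest(priv ed25519.PrivateKey, fileName string, patch []byte) Manifest {
	sum := sha256.Sum256(patch)
	shaHex := hex.EncodeToString(sum[:])
	return Manifest{fileName, shaHex, ed25519.Sign(priv, signedBytes(fileName, shaHex))}
}

var (
	ErrUntrustedPublisher = errors.New("manifest signature does not verify against the pinned key for this vendor")
	ErrIntegrity          = errors.New("patch digest does not match the signed manifest")
)

// VerifyPatch performs the two checks before installation, in this order:
// authenticity (the manifest signature verifies under a key the entity pinned
// for the named vendor), then integrity (the file hashes to the digest in the
// now-trusted manifest). Checking the hash first would be meaningless, since
// an attacker who replaces the file can also replace an unsigned hash.
func VerifyPatch(pinned map[string]ed25519.PublicKey, vendor string, m Manifest, patch []byte) error {
	pub, ok := pinned[vendor]
	if !ok || !ed25519.Verify(pub, signedBytes(m.FileName, m.SHA256Hex), m.Signature) {
		return ErrUntrustedPublisher
	}
	sum := sha256.Sum256(patch)
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrIntegrity
	}
	return nil
}

// Demo builds a vendor key pair, a constructed patch, and three delivery
// scenarios; it returns the verification result (nil = accept) for each.
func Demo() (genuine, tampered, impostor error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := map[string]ed25519.PublicKey{"acme-rtu": vendorPub} // pinned out of band

	patch := []byte("constructed firmware image v2.3.1")
	implant := []byte("constructed firmware image v2.3.1 + implant")
	m := SignManifest(vendorPriv, "rtu-fw-2.3.1.bin", patch)

	genuine = VerifyPatch(pinned, "acme-rtu", m, patch)
	// Watering-hole scenario: the genuine manifest is intact but the file served
	// from the compromised download site has been modified.
	tampered = VerifyPatch(pinned, "acme-rtu", m, implant)
	// Impostor scenario: the attacker ships a self-consistent manifest for the
	// implanted file, signed with a key the entity never pinned.
	impostor = VerifyPatch(pinned, "acme-rtu", SignManifest(attackerPriv, "rtu-fw-2.3.1.bin", implant), implant)
	return
}

func main() {
	g, t, i := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("tampered:", t)
	fmt.Println("impostor:", i)
}
```

The two failing scenarios fail for different reasons, which is the practical value of keeping the checks separate: a digest mismatch points at the delivery path (mirror, download site, transfer), while a signature failure points at the publisher. The check does not reach the case paragraph 52 also raises, a compromise at the vendor itself, because code the vendor legitimately signs verifies cleanly; that gap is what the vendor-notification and incident-response provisions of the fourth objective are for.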
Vendor Remote Access to BES Cyber Systems
    76. On the subject of vendor remote access, which includes vendor 
user-initiated Interactive Remote Access and vendor machine-to-machine 
remote access, existing CIP Reliability Standards contain system access 
requirements, including a requirement for security event monitoring. 
However, the CIP Reliability Standards do not require remote access 
session logging for machine-to-machine remote access, nor do they 
address the ability to monitor or close unsafe remote connections for 
both vendor Interactive Remote Access and vendor machine-to-machine 
remote access.\111\ The CIP Reliability Standards should address 
enhanced session logging requirements for vendor remote access in order 
to improve visibility of activity on BES Cyber Systems and give 
responsible entities the ability to rapidly disable remote access 
sessions in the event of a system breach.
---------------------------------------------------------------------------

    \111\ See Trade Association NOPR Comments at 43 (indicating that 
mechanisms for monitoring for unauthorized personnel, connections, 
devices, and software found in the NIST SP-800-161 System and 
Information Integrity (SI) control family are not addressed in the 
CIP version 5 Reliability Standards).
---------------------------------------------------------------------------

    77. The existing requirements referenced by NERC, the Trade 
Associations, and other commenters do not adequately address access 
restrictions for vendors. For example, while Reliability Standard CIP-
004-6, Requirements R4 and R5 provide controls that must be applied to 
vendors such as restricting access to individuals ``based on need,'' 
these Requirements do not include post-authorization logging or control 
of remote access. The existing CIP Reliability Standards do not require 
a responsible entity to monitor data traffic that traverses remote 
communication to their BES Cyber Systems. The absence of post-
authorization monitoring and logging presents an opportunity for 
unmonitored malicious or otherwise inappropriate remote communication 
to or from a BES Cyber System. The inability of a responsible entity to 
rapidly terminate a connection may allow malicious or otherwise 
inappropriate communication to propagate, contributing to a degradation 
of a BES Cyber Asset's function. Enhanced visibility into remote 
communications and the ability to rapidly terminate a remote 
communication could mitigate such a vulnerability.
    78. Reliability Standard CIP-005-5, Requirement R1 provides 
controls for vendor machine-to-machine and vendor user-initiated 
Interactive Remote Access sessions by restricting all inbound and 
outbound communications through an identified Electronic Access Point 
for bi-directional routable protocol connections. Reliability Standard 
CIP-005-5, Requirement R2 provides controls for vendor interactive 
remote access sessions by requiring the use of encryption and requiring 
multi-factor authentication. However, the provisions of Reliability 
Standard CIP-005-5, Requirement R2 addressing interactive remote access 
management do not apply to vendor machine-to-machine remote access. The 
Reliability Standard CIP-005-5, Requirement R2 controls addressing 
interactive remote access management only apply to remote connections 
that are user-initiated (i.e., initiated by a person). Machine-to-
machine connections are not user-initiated and, therefore, are not 
subject to the requirements of Reliability Standard CIP-005-5, 
Requirement R2. When the interactive remote access management controls 
of Reliability Standard CIP-005-5, Requirement R2 do not apply, a 
machine-to-machine remote communication may access a BES Cyber System 
without any access credentials, over an unencrypted channel, and 
without going through an Intermediate System.
    79. For both Interactive Remote Access and machine-to-machine 
remote access, Reliability Standard CIP-007-6, Requirement R3 requires 
monitoring for malicious code and Requirement R4 requires logging of 
successful and unsuccessful login attempts, as well as logging detected 
malicious code. However, Reliability Standard CIP-007-6 does not 
address the risks posed by inappropriate activity that could occur 
during a remote communication. The lack of a requirement addressing the 
detection of inappropriate activity represents a risk because the 
responsible entity may not be aware if an authorized user is performing 
inappropriate activity on a BES Cyber Asset via a remote connection. 
This risk is higher for machine-to-machine communication due to the 
lack of authentication and encryption requirements in the existing CIP 
Reliability Standards, lowering the threshold for a malicious actor to 
execute a man-in-the-middle attack to gain access to a BES Cyber System 
and conduct inappropriate activity such as reconnaissance or code 
modification.
    80. Therefore, we recognize that the current CIP Reliability 
Standards do contain certain controls addressing the risks posed by 
vendor remote access, as noted by commenters. However, the current CIP 
Reliability Standards do not require monitoring remote access sessions 
or closing unsafe remote connections for either vendor Interactive 
Remote Access or vendor machine-to-machine remote access. Accordingly, 
we determine that vendor remote access is not adequately addressed in 
the approved CIP Reliability Standards and, therefore, is an objective 
that must be addressed in the supply chain management plans directed in 
this final rule.
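As an added illustration of the session-level controls discussed in paragraphs 51 through 55 and 76 through 80 (logging of both interactive and machine-to-machine vendor sessions, the ``operator controlled, time limited'' access DHS recommends, and the ability to single out and terminate unsafe connections), the following Go program evaluates a constructed access-gateway log against such a policy. It is not part of this order or of any NERC, NIST or DHS publication; the log format, field names, vendor names, ticket identifiers, the two-hour limit and the evaluation time are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Session is one vendor remote access session as recorded by the entity's
// access gateway. The field set is an assumption for this example; the point
// is that interactive and machine-to-machine sessions share one record format
// and are held to the same policy.
type Session struct {
	ID, Vendor string
	Kind       string // "interactive" or "m2m"
	AuthMethod string // "mfa", "cert", "password" or "none"
	Encrypted  bool
	TicketID   string    // operator-issued authorization; empty = none
	Start, End time.Time // End is the zero time while the session is open
}

// ParseLog reads the constructed pipe-delimited gateway log used below:
// id|vendor|kind|auth|encrypted(yes/no)|ticket|start|end ("-" = still open).
func ParseLog(log string) ([]Session, error) {
	var out []Session
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 8 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		s := Session{ID: f[0], Vendor: f[1], Kind: f[2], AuthMethod: f[3],
			Encrypted: f[4] == "yes", TicketID: f[5]}
		var err error
		if s.Start, err = time.Parse(time.RFC3339, f[6]); err != nil {
			return nil, err
		}
		if f[7] != "-" {
			if s.End, err = time.Parse(time.RFC3339, f[7]); err != nil {
				return nil, err
			}
		}
		out = append(out, s)
	}
	return out, nil
}

// Evaluate returns the policy violations for one session (nil = compliant).
// now is the evaluation time for sessions still open; maxDuration is the
// "time limited" bound an operator-approved session may not exceed.
func Evaluate(now time.Time, maxDuration time.Duration, s Session) []string {
	var v []string
	if s.TicketID == "" {
		v = append(v, "no operator authorization ticket")
	}
	end := s.End
	if end.IsZero() {
		end = now
	}
	if end.Sub(s.Start) > maxDuration {
		v = append(v, "exceeds time limit (persistent connection)")
	}
	if !s.Encrypted {
		v = append(v, "unencrypted channel")
	}
	if s.Kind == "interactive" && s.AuthMethod != "mfa" {
		v = append(v, "interactive session without multi-factor authentication")
	}
	if s.Kind == "m2m" && s.AuthMethod != "cert" {
		v = append(v, "machine-to-machine session without certificate authentication")
	}
	return v
}

// ToTerminate lists the open sessions that violate policy: the connections an
// operator should cut at the gateway now (closed ones leave nothing to cut).
func ToTerminate(now time.Time, maxDuration time.Duration, sessions []Session) []string {
	var ids []string
	for _, s := range sessions {
		if s.End.IsZero() && len(Evaluate(now, maxDuration, s)) > 0 {
			ids = append(ids, s.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// SampleLog is constructed for this example; it is not a real gateway log.
const SampleLog = `
s1|acme-rtu|interactive|mfa|yes|TKT-481|2016-07-29T10:00:00Z|2016-07-29T10:40:00Z
s2|acme-rtu|m2m|none|no||2016-07-28T09:00:00Z|-
s3|hist-vendor|interactive|password|yes|TKT-490|2016-07-29T11:00:00Z|-
s4|acme-rtu|m2m|cert|yes|TKT-470|2016-07-29T06:00:00Z|2016-07-29T06:05:00Z`

var Now = time.Date(2016, 7, 29, 12, 0, 0, 0, time.UTC) // assumed evaluation time

func main() {
	sessions, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, s := range sessions {
		fmt.Printf("%s %-11s %v\n", s.ID, s.Kind, Evaluate(Now, 2*time.Hour, s))
	}
	fmt.Println("terminate now:", ToTerminate(Now, 2*time.Hour, sessions))
}
```

Session s2 is the case paragraph 78 describes: a machine-to-machine connection that was never subject to the interactive-access controls, so it runs unauthenticated and unencrypted, has no operator ticket, and has been open for over a day. The same evaluation flags the interactive session s3 only for its missing multi-factor authentication, and both are the open sessions the operator is told to terminate; the two closed, compliant sessions produce no findings. Nothing here depends on the session kind except the authentication rule, which is the point of logging both kinds in one place.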
Information System Planning and Procurement
    81. The existing CIP Reliability Standards do not address 
information system planning. Recent cybersecurity incidents \112\ have 
made it apparent that overall system planning is as important to 
overall BES Cyber System security and reliability as any other 
component of security architecture. In general, the CIP Reliability 
Standards do not provide a framework for maintaining ongoing awareness 
of information security, vulnerabilities, and threats to support 
organization risk management decisions; \113\ nor do they address the 
concept of integrating continuous improvement of organizational 
security posture with supply chain risk management as recommended by 
NIST SP 800-161.\114\ Based on the threats evidenced by recent 
cybersecurity incidents, the absence of security considerations in 
system lifecycle processes constitutes a gap in the CIP Reliability 
Standards that could contribute to pervasive and systemic 
vulnerabilities that threaten bulk electric system reliability.
---------------------------------------------------------------------------

    \112\ See E-ISAC, Analysis of the Cyber Attack on the Ukrainian 
Power Grid at 3 (March 18, 2016); see also Dell, Dell Security 
Annual Threat Report (2015) at 7, https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf; 
Olcott Technical Conference Comments at 2.
    \113\ See NIST Special Publication 800-137, Information Security 
Continuous Monitoring (ISCM) for Federal Information Systems and 
Organizations at vi, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
    \114\ NIST Special Publication 800-161 at 46.
---------------------------------------------------------------------------

    82. The existing CIP Reliability Standards also do not provide for 
procurement controls for industrial control system hardware, software, 
and computing and networking services. As discussed above, procurement 
controls are intended to address the threat that responsible entities 
could enter into contracts with vendors who pose significant risks to 
their information systems or procure products that fail to

[[Page 49890]]

meet minimum security criteria, as well as the risk that a compromised 
vendor would not provide adequate notice and related incident response 
to responsible entities with whom that vendor is connected.
    83. With regard to commenters' suggestion that the Commission 
direct NERC to develop cybersecurity procurement guidance documents as 
opposed to a mandatory Reliability Standard, we agree that the 
voluntary efforts identified by commenters could provide guidance or 
otherwise inform NERC's standard development process. We conclude, 
however, that relying on voluntary guidelines to address the supply 
chain risks described above is not sufficient to fulfill the 
Commission's responsibilities under FPA section 215.
4. Vendor Risk Management and Procurement Controls
Comments
    84. NERC, G&T Cooperatives, Arkansas and others state that 
responsible entities have limited influence over vendors and 
contractors, and, therefore, a limited ability to affect the supply 
chain for industrial control system hardware, software, and computing 
and networking services associated with bulk electric system 
operations.\115\ NERC contends that any supply chain management 
Reliability Standard ``must balance the reliability need to implement 
supply chain management security controls with entities' business need 
to obtain products and services at a reasonable cost.'' \116\ NERC 
maintains that responsible entities lack bargaining power to persuade 
vendors or suppliers to implement cybersecurity controls without 
significantly increasing the cost of their products or services. NERC 
points to NIST SP 800-161 to highlight that implementing supply chain 
security management controls ``will require financial and human 
resources, not just from the [acquirer] directly but also potentially 
from their system integrators, suppliers, and external service 
providers that would also result in increased cost to the acquirer.'' 
\117\
---------------------------------------------------------------------------

    \115\ NERC NOPR Comments at 11-12; G&T Cooperatives NOPR 
Comments at 9; Arkansas NOPR Comments at 5.
    \116\ NERC NOPR Comments at 11-12.
    \117\ Id. (citing NIST Special Publication 800-161 at 3).
---------------------------------------------------------------------------

    85. G&T Cooperatives contend that they ``have minimal control over 
their suppliers and are not able to identify all potential 
vulnerabilities associated with each and every supplier and their 
products/parts.'' \118\ G&T Cooperatives and Arkansas maintain that 
responsible entities do not have the ability to force a vendor to 
address all potential vulnerabilities. G&T Cooperatives assert that 
even if a contract between a responsible entity and a supplier ``could 
include'' language requiring the supplier to implement security 
controls, ``it is not feasible for contractual terms . . . to address 
all potential vulnerabilities related to supply chain management.'' 
\119\
---------------------------------------------------------------------------

    \118\ G&T Cooperatives NOPR Comments at 9.
    \119\ Id. at 9.
---------------------------------------------------------------------------

    86. NERC, Trade Associations, G&T Cooperatives and Arkansas also 
raise a concern that the Commission's proposal could place compliance 
risk on responsible entities for actions beyond their control and, 
ultimately, incent responsible entities to avoid upgrades that could 
trigger such compliance risk.\120\ NERC states that any supply chain 
management Reliability Standard should be drafted so that it ``creates 
affirmative obligations to implement supply chain management security 
controls without holding entities strictly liable for any failure of 
those controls to eliminate all supply chain threats and 
vulnerabilities.'' \121\ NERC explains that if a supply chain 
management Reliability Standard is not reasonably scoped to avoid 
unreasonable compliance risk, it could create a disincentive for 
responsible entities to purchase and install new technologies and 
equipment.
---------------------------------------------------------------------------

    \120\ NERC NOPR Comments at 13; Trade Associations NOPR Comments 
at 24-25; G&T Cooperatives NOPR Comments at 9-10; Arkansas NOPR 
Comments at 6.
    \121\ NERC NOPR Comments at 13.
---------------------------------------------------------------------------

    87. G&T Cooperatives state that ``placing the compliance risk of 
vendor and supplier security vulnerability on Responsible Entities 
could incent Responsible Entities to avoid upgrades to their industrial 
control system hardware, software, and other services.'' G&T 
Cooperatives explain that there are three primary incentives for a 
responsible entity to avoid upgrades if faced with compliance risks: 
(1) New regulations would result in additional costs for vendors and 
suppliers that would be passed on to the end-user; (2) since security 
patches are not issued by vendors for unsupported hardware and 
software, there is less security patch management responsibility for 
the responsible entity; and (3) avoiding new hardware and software 
reduces the risk of introducing undetected security threats.\122\
---------------------------------------------------------------------------

    \122\ G&T Cooperatives NOPR Comments at 9.
---------------------------------------------------------------------------

Discussion
    88. Our directive to NERC to develop a new or modified Reliability 
Standard that addresses the objectives outlined above balances the 
supply chain risks facing the bulk electric system against any 
potential challenges raised by vendor relationships. We believe that 
the concerns raised in comments with respect to responsible entities' 
relationships with vendors in relation to supply chain risks are valid. 
Our directive is informed by this concern and reflects a reasonable 
balance between the risks facing bulk electric system reliability from 
the supply chain and concerns over vendor relationships. The directive 
strikes this balance by addressing supply chain risks that are within 
responsible entities' control, and we do not expect a new or modified 
supply chain Reliability Standard to impose obligations directly on 
vendors. Moreover, entities will not be responsible for vendor errors 
beyond the scope of the controls implemented to comply with the 
Reliability Standards.
    89. With respect to concerns that the Commission's proposal could 
place compliance risk on responsible entities for actions beyond their 
control, which some commenters argue would prompt responsible entities 
to avoid upgrades that could trigger such compliance risk, we reiterate 
that the intent of the directive is to address supply chain risks that 
are within the responsible entities' control. As part of NERC's 
standard development process, we expect NERC to establish provisions 
addressing compliance obligations in a manner that avoids shifting 
liability from a vendor for its mistakes to a responsible entity. 
Finally, we view the argument that a new or modified Reliability 
Standard will result in a substantial increase in costs to be 
speculative because, beyond requiring NERC to address the four 
objectives discussed above, or some equally effective and efficient 
alternatives, our directive does not require NERC to develop a 
Reliability Standard that mandates any particular controls or actions.

III. Information Collection Statement

    90. The Paperwork Reduction Act (PRA) \123\ requires each federal 
agency to seek and obtain Office of Management and Budget (OMB) 
approval before undertaking a collection of information directed to ten 
or more persons or contained in a rule of general applicability. OMB 
regulations \124\ require approval of certain information collection 
requirements imposed by agency rules. Upon approval of a collection of 
information, OMB will

[[Page 49891]]

assign an OMB control number and an expiration date. Respondents 
subject to the filing requirements of an agency rule will not be 
penalized for failing to respond to the collection of information 
unless the collection of information displays a valid OMB control 
number.
---------------------------------------------------------------------------

    \123\ 44 U.S.C. 3507(d).
    \124\ 5 CFR 1320.
---------------------------------------------------------------------------

    91. The Commission will submit the information collection 
requirements to OMB for its review and approval. The Commission 
solicits public comments on its need for this information, whether the 
information will have practical utility, the accuracy of burden and 
cost estimates, ways to enhance the quality, utility, and clarity of 
the information to be collected or retained, and any suggested methods 
for minimizing respondents' burden, including the use of automated 
information techniques.
    92. The information collection requirements in this Final Rule in 
Docket No. RM15-14-002 for NERC to develop a new or to modify a 
Reliability Standard for supply chain risk management should be part 
of FERC-725 (Certification of Electric Reliability Organization; 
Procedures for Electric Reliability Standards (OMB Control No. 1902-
0225)). However, there is an unrelated item which is currently pending 
OMB review under FERC-725, and only one item per OMB Control No. can be 
pending OMB review at a time. Therefore, the requirements in this Final 
Rule in RM15-14-002 are being submitted under a new temporary or 
interim collection number FERC-725(1A) to ensure timely submittal to 
OMB. In the long-term, Commission staff plans to administratively move 
the requirements and associated burden of FERC-725(1A) to FERC-725.
    93. Burden Estimate and Information Collection Costs: The 
requirements for the ERO to develop Reliability Standards and to 
provide data to the Commission are included in the existing FERC-725. 
FERC-725 includes information used by the Commission to implement the 
statutory provisions of section 215 of the FPA. FERC-725 includes the 
burden, reporting and recordkeeping requirements associated with: (a) 
Self-Assessment and ERO Application, (b) Reliability Assessments, (c) 
Reliability Standards Development, (d) Reliability Compliance, (e) 
Stakeholder Survey, and (f) Other Reporting. In addition, the Final 
Rule will not result in a substantive increase in burden because this 
requirement to develop standards is covered under FERC-725. However, 
because FERC is using the temporary information collection number, 
FERC-725(1A), FERC will use ``placeholder'' estimates of 1 response and 
1 burden hour for the burden calculation.

IV. Regulatory Flexibility Act Analysis

    94. The Regulatory Flexibility Act of 1980 (RFA) \125\ generally 
requires a description and analysis of final rules that will have 
significant economic impact on a substantial number of small entities. 
The Small Business Administration (SBA) revised its size standard 
(effective January 22, 2014) for electric utilities from a standard 
based on megawatt hours to a standard based on the number of employees, 
including affiliates.\126\ The entities subject to the Reliability 
Standards developed by the North American Electric Reliability 
Corporation (NERC) include users, owners, and operators of the Bulk-
Power System, which serves more than 334 million people. In addition, 
NERC's current responsibilities include the development of Reliability 
Standards. Accordingly, the Commission certifies that the requirements 
in this Final Rule will not have a significant economic impact on a 
substantial number of small entities, and no regulatory flexibility 
analysis is required.
---------------------------------------------------------------------------

    \125\ 5 U.S.C. 601-612.
    \126\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77,343 (Dec. 23, 2013).
---------------------------------------------------------------------------

V. Environmental Analysis

    95. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\127\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\128\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \127\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \128\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

VI. Effective Date and Congressional Notification

    96. This Final Rule is effective September 27, 2016. The Commission 
has determined, with the concurrence of the Administrator of the Office 
of Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small Business 
Regulatory Enforcement Fairness Act of 1996. This Final Rule is being 
submitted to the Senate, House, and Government Accountability Office.

VII. Document Availability

    97. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington, DC 20426.
    98. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field.
    User assistance is available for eLibrary and the Commission's Web 
site during normal business hours from the Commission's Online Support 
at (202) 502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

    By the Commission.

    Issued: July 21, 2016.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note:  The following Appendix will not appear in the Code of 
Federal Regulations.


                          Appendix--Commenters
------------------------------------------------------------------------
           Abbreviation                           Commenter
------------------------------------------------------------------------
AEP...............................  American Electric Power Service
                                     Corporation.
ACS...............................  Applied Control Solutions, LLC.
APS...............................  Arizona Public Service Company.

[[Page 49892]]

 
Arkansas..........................  Arkansas Electric Cooperative.
BPA...............................  Bonneville Power Administration.
CEA...............................  Canadian Electricity Association.
Consumers Energy..................  Consumers Energy Company.
CyberArk..........................  CyberArk.
EnergySec.........................  Energy Sector Security Consortium,
                                     Inc.
Ericsson..........................  Ericsson.
Resilient Societies...............  Foundation for Resilient Societies.
G&T Cooperatives..................  Associated Electric Cooperative,
                                     Inc., Basin Electric Power
                                     Cooperative, and Tri-State
                                     Generation and Transmission
                                     Association, Inc.
Gridwise..........................  Gridwise Alliance.
Idaho Power.......................  Idaho Power Company.
Indegy............................  Indegy.
IESO..............................  Independent Electricity System
                                     Operator.
IRC...............................  ISO/RTO Council.
ISO New England...................  ISO New England Inc.
ITC...............................  ITC Companies.
Isologic..........................  Isologic, LLC.
KCP&L.............................  Kansas City Power & Light Company
                                     and KCP&L Greater Missouri
                                     Operations Company.
Luminant..........................  Luminant Generation Company, LLC.
NEMA..............................  National Electrical Manufacturers
                                     Association.
NERC..............................  North American Electric Reliability
                                     Corporation.
NextEra...........................  NextEra Energy, Inc.
NIPSCO............................  Northern Indiana Public Service Co.
NWPPA.............................  Northwest Public Power Association.
Peak..............................  Peak Reliability.
PNM...............................  PNM Resources.
Reclamation.......................  Department of Interior Bureau of
                                     Reclamation.
SIA...............................  Security Industry Association.
SCE...............................  Southern California Edison Company.
Southern..........................  Southern Company Services.
SPP RE............................  Southwest Power Pool Regional
                                     Entity.
SWP...............................  California Department of Water
                                     Resources State Water Project.
TVA...............................  Tennessee Valley Authority.
Trade Associations................  Edison Electric Institute, American
                                     Public Power Association, National
                                     Rural Electric Cooperative
                                     Association, Electric Power Supply
                                     Association, Transmission Access
                                     Policy Study Group, and Large
                                     Public Power Council.
UTC...............................  Utilities Telecom Council.
Waterfall.........................  Waterfall Security Solutions, Ltd.
Wisconsin.........................  Wisconsin Electric Power Company.
------------------------------------------------------------------------

UNITED STATES OF AMERICA

FEDERAL ENERGY REGULATORY COMMISSION

Revised Critical Infrastructure Protection, Reliability Standards 
Docket No. RM15-14-002
    (Issued July 21, 2016)
    LaFLEUR, Commissioner dissenting:

    In today's order, the Commission elects to proceed directly to a 
Final Rule and require the development of a new reliability standard 
on supply chain risk management for industrial control system 
hardware, software, and computing and networking services associated 
with bulk electric system operations. I fully support the 
Commission's continued attention to the threat of inadequate supply 
chain risk management procedures, which pose a very real threat to 
grid reliability.
    However, in my view, the importance and complexity of this issue 
should guide the Commission to proceed cautiously and thoughtfully 
in directing the development of a reliability standard to address 
these threats. I am concerned that the Commission has not adequately 
considered or vetted the Final Rule, which could hamper the 
development and implementation of an effective, auditable, and 
enforceable standard. I believe that the more prudent course of 
action would be to issue today's Final Rule as a Supplemental Notice 
of Proposed Rulemaking (Supplemental NOPR), which would provide 
NERC, industry, and stakeholders the opportunity to comment on the 
Commission's proposed directives. Accordingly, and as discussed 
below, I dissent from today's order.\1\
---------------------------------------------------------------------------

    \1\ I do agree with one holding in the order: That the 
Commission has authority under section 215 of the Federal Power Act 
to promulgate a standard on this issue.
---------------------------------------------------------------------------

I. The Commission's Decision To Proceed Directly to Final Rule Is 
Flawed and Could Delay Protection of the Grid Against Supply Chain 
Risks

    Last July, as part of its NOPR addressing revisions to its 
cybersecurity critical infrastructure protection (CIP) standards, 
the Commission raised for the first time the prospect of directing 
the development of a standard to address risks posed by lack of 
controls for supply chain management.\2\ The Commission indicated 
that new threats might warrant directing NERC to develop a standard 
to address those risks. While the Commission noted a variety of 
considerations that might shape the standard, including, among 
others, jurisdictional limits and the individualized nature of 
companies' supply chain management procedures, the Commission 
notably did not propose a specific standard for comment. Instead, 
the Commission sought comment on (1) the general proposal to require 
a standard, (2) the anticipated features of, and requirements that 
should be included in, such a standard, and (3) a reasonable 
timeframe for development of a standard.\3\
---------------------------------------------------------------------------

    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Notice of Proposed Rulemaking, 80 FR 43,354 (July 22, 
2015), 152 FERC ¶ 61,054 (2015). I will refer to the section of that 
order addressing supply chain issues as the ``Supply Chain NOPR,'' 
and the remainder of the order as the ``CIP NOPR.''
    \3\ Id. P 66.
---------------------------------------------------------------------------

    The record developed in comments responding to the Supply Chain 
NOPR and through the January 28, 2016 technical conference reflects 
a wide diversity of views

[[Page 49893]]

regarding the need for, and possible content of, a reliability 
standard addressing supply chain management. Notwithstanding these 
diverse views, there was broad consensus on one point: That 
effectively addressing cybersecurity threats in supply chain 
management is tremendously complicated, due to a host of 
jurisdictional, technical, economic, and business relationship 
issues. Indeed, in the Supply Chain NOPR, the Commission recognized 
``that developing a supply chain management standard would likely be 
a significant undertaking and require extensive engagement with 
stakeholders to define the scope, content, and timing of the 
standard.'' \4\
---------------------------------------------------------------------------

    \4\ Id.
---------------------------------------------------------------------------

    Yet, the Commission is proceeding straight to a Final Rule 
without in my view engaging in sufficient outreach regarding, or 
adequately vetting, the contents of the Final Rule. As to those 
contents, it is worth noting that the four objectives that will 
define the scope and content of the standard were not identified in 
the Supply Chain NOPR. Therefore, even though the Final Rule 
reflects feedback received on the Supply Chain NOPR, and is not 
obviously inconsistent with the Supply Chain NOPR, no party has yet 
had an opportunity to comment on those objectives or consider how 
they could be translated into an effective and enforceable 
standard.\5\ This is a consequence of: (1) The lack of outreach on 
supply chain threats prior to issuing the Supply Chain NOPR; (2) the 
lack of detail in the Supply Chain NOPR regarding what a standard 
might look like; and (3) the decision today to proceed straight to a 
Final Rule rather than provide additional opportunities for public 
feedback.
---------------------------------------------------------------------------

    \5\ To be clear, I am less concerned about whether the Final 
Rule satisfies minimal notice requirements than whether the Final 
Rule represents reasoned decision making by the Commission.
---------------------------------------------------------------------------

A. The Commission and the Public's Consideration of Supply Chain Risks 
Would Benefit From Additional Stakeholder Engagement

    First, I believe that meaningful stakeholder input on the 
content of any proposed rule is essential to the Commission's 
deliberative process. This is especially important in our 
reliability work, as any standard developed by NERC must be approved 
by stakeholder consensus before it may be filed at the Commission. I 
do not believe that the record developed to date establishes that 
the Final Rule will lead to an appropriate solution to address 
supply chain risks. I note that much of the feedback we received in 
response to the Supply Chain NOPR was not focused on the merits of 
particular approaches to address supply chain threats. Yet, in this 
order, the Commission directs the development of a standard based on 
objectives not reflected in the Supply Chain NOPR, depriving the 
public of the ability to comment, and the Commission of the benefit 
of that public comment.
    In retrospect, given both the preliminary nature of the 
consideration of the issue and the lack of a concrete idea regarding 
what a proposed standard would look like, I believe that the Supply 
Chain NOPR was, in substance, a de facto Notice of Inquiry and 
should have been issued as such, rather than as a subsection of the 
broader CIP NOPR on changes to the CIP standards. For example, it is 
instructive to compare the Supply Chain NOPR with two other 
documents: (1) The Notice of Inquiry being issued today on 
cybersecurity issues arising from the recent incident in Ukraine,\6\ 
and (2) the NOPR concerning the proposed development of a 
reliability standard to address geomagnetic disturbances.\7\ The 
level of detail and consideration of the issues presented in the 
Supply Chain NOPR are much more consistent with that in a Notice of 
Inquiry than a traditional NOPR. As a result, I am concerned that 
the Commission, by styling its prior action as a NOPR, has skipped a 
critical step in the rulemaking process: The opportunity for public 
comment on its directive to develop a standard and the objectives 
that will frame the design and development of that standard. As 
explained below, I believe this procedural decision actually makes 
it less likely that an effective, auditable, and enforceable 
standard will be implemented on a reasonable schedule, particularly 
given the acknowledged complexity of this issue.\8\
---------------------------------------------------------------------------

    \6\ Cyber Systems in Control Centers, Notice of Inquiry, Docket 
No. RM16-18-000.
    \7\ Reliability Standards for Geomagnetic Disturbances, Notice 
of Proposed Rulemaking, 77 FR 64,935 (Oct. 24, 2012), 141 FERC 
61,045 (2012).
    \8\ I believe that Reliability Standards for Physical Security 
Measures, 146 FERC ¶ 61,166 (2014) (Physical Security Directive 
Order), which is cited in the Final Rule as support for today's 
action, is primarily relevant to demonstrate a different point than 
the order indicates. The Physical Security Directive Order followed 
focused outreach with NERC and other stakeholders to discuss how a 
physical security standard could be designed and implemented within 
the parameters of section 215 of the Federal Power Act. As a result 
of that outreach, the directives in the Physical Security Directive 
Order were clear, targeted, and reflected shared priorities between 
the Commission and NERC. Physical Security Directive Order, 146 FERC 
¶ 61,166 at PP 6-9. Consequently, NERC was able to develop and file 
a physical security standard with the Commission in less than three 
months, and the Commission ultimately approved that standard in 
November 2014, only roughly eight months after directing its 
development. Physical Security Reliability Standard, 149 FERC ¶ 
61,140 (2014). In my view, this example demonstrates how essential 
outreach is to the timely and effective development of NERC 
standards.
---------------------------------------------------------------------------

B. The Lack of Adequate Stakeholder Engagement Will Have Negative 
Consequences for the Standards Development Process

    I am also concerned about the consequences for the standards 
development process of the Commission's decision to proceed straight 
to a Final Rule. In particular, I am concerned that the combination 
of insufficient process and discussion to develop the record and 
inadequate time for standards development (since the Commission 
substantially truncated NERC's suggested timeline) \9\ will handicap 
NERC's ability to develop an effective and enforceable proposed 
standard for the Commission to consider. As noted above, NERC, 
industry, and other stakeholders will have no meaningful opportunity 
before initiating their work to provide feedback on the contents of 
the rule, to seek clarification from the Commission, or to propose 
revisions to the rule. Yet, this type of feedback is a critical 
component of the rulemaking process, to ensure that the entities 
tasked with implementing the Commission's directive have been heard 
and understand what they are supposed to do. I believe that the 
Commission is essentially giving the standards development team a 
homework assignment without adequately explaining what it expects 
them to hand in.
---------------------------------------------------------------------------

    \9\ In its comments responding to the Supply Chain NOPR, NERC 
requested that, if the Commission decides to direct the development 
of a standard, the Commission provide a minimum of two years for the 
standards development process. However, the Commission disregards 
that request and directs NERC to develop a standard in just one 
year, apparently based solely on the Trade Associations' request 
that the Commission allow at least one year for the standards 
development process. I believe this timeline is inconsistent with 
the Commission's own recognition of the complexity of this issue, 
and, as discussed herein, likely to delay rather than expedite the 
implementation of an effective, auditable, and enforceable standard.
---------------------------------------------------------------------------

    I do not believe that the Final Rule's flexibility is a 
justification for proceeding straight to a Final Rule. Indeed, given 
the inadequate process to date, I fear that the flexibility is in 
fact a lack of guidance and will therefore be a double-edged sword. 
The Commission is issuing a general directive in the Final Rule, in 
the hope that the standards team will do what the Commission clearly 
could not do: translate general supply chain concerns into a clear, 
auditable, and enforceable standard within the framework of section 
215 of the Federal Power Act. While the Commission need not be 
prescriptive in its standards directives, the Commission's order 
assumes that the standards development team will be able to take the 
``objectives'' of the Final Rule and translate them into a standard 
that the Commission will ultimately find acceptable. I believe that 
issuing a Supplemental NOPR would benefit the standards development 
process by enabling additional discussion and feedback regarding the 
design of a workable standard.

C. By Failing To Engage in Adequate Stakeholder Outreach Before 
Directing Development of a Standard, the Commission Increases the 
Likelihood That Implementation of a Standard Will Be Delayed

    A compressed and possibly compromised standards development 
process also has real consequences for the Commission's 
consideration of that proposed standard, whenever it is filed for 
our review. Unlike our authority under section 206 of the FPA, the 
Commission lacks authority under section 215 to directly modify a 
flawed reliability standard. Instead, to correct any flaws, the 
statute requires that we remand the standard to NERC and the 
standards development process.\10\ Thus, notwithstanding the 
majority's desire to quickly proceed to Final Rule, the statutory

[[Page 49894]]

construct constrains our ability to timely address a flawed 
standard, which could actually delay implementation of the 
protections the Commission seeks to put in place.
---------------------------------------------------------------------------

    \10\ 18 U.S.C. 824o(d)(4).
---------------------------------------------------------------------------

    Given the realities of the standards development and approval 
process, we are likely years away from a supply chain standard being 
implemented, even under the aggressive schedule contemplated in the 
order. I believe that the Commission should endeavor to provide as 
much advance guidance as possible before mandating the development 
of a standard, to increase the likelihood that NERC develops a 
standard that will be satisfactory to the Commission and reduce the 
need for a remand. I worry that the limited process that preceded 
the Final Rule and the expedited timetable will make it extremely 
difficult for NERC to file a standard that the Commission can 
cleanly approve. Had the Commission committed itself to conducting 
adequate outreach, I believe we could have mitigated the likelihood 
of that outcome, and more effectively and promptly addressed the 
supply chain threat in the long term. ``Delaying'' action for a few 
months thus would, in the long run, lead to prompter and stronger 
protection for the grid.

II. Conclusion

    The choice the Commission faces today on supply chain risk 
management is not between action and inaction. Rather, given the 
importance of this issue, I believe that more considered action and 
a more developed Commission order, even if delayed by a few months, 
is better than a quick decision to ``do something.'' Ultimately, an 
effective, auditable, and enforceable standard on supply chain 
management will require thoughtful consideration of the complex 
challenges of addressing cybersecurity threats posed through the 
supply chain within the structure of the FERC/NERC reliability 
process. In my view, the Commission gains very little and does not 
meaningfully advance the security of the grid by proceeding straight 
to a Final Rule, rather than taking the time to build a record to 
support a workable standard.

    Accordingly, I respectfully dissent.

Cheryl A. LaFleur,
Commissioner.
[FR Doc. 2016-17842 Filed 7-28-16; 8:45 am]
 BILLING CODE 6717-01-P





                                                  49880                 Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations

                                                  operations.10 Based on the comments                      beyond the scope of the Commission’s                  require NERC to impose any specific
                                                  received in response to the NOPR and                     FPA section 215 jurisdiction.15                       controls nor does the Commission
                                                  at the technical conference, we                          Commenters also assert that the existing              require NERC to propose ‘‘one-size-fits-
                                                  determine that the record in this                        CIP Reliability Standards adequately                  all’’ requirements. The new or modified
                                                  proceeding supports the development of                   address potential risks to the bulk                   Reliability Standard should instead
                                                  mandatory requirements for the                           electric system from supply chain                     require responsible entities to develop a
                                                  protection of aspects of the supply chain                issues.16 In addition, commenters claim               plan to meet the four objectives, or some
                                                  that are within the control of                           that responsible entities have minimal                equally efficient and effective means to
                                                  responsible entities and that fall within                control over their suppliers and are not              meet these objectives, while providing
                                                  the scope of our authority under FPA                     able to identify all potential                        flexibility to responsible entities as to
                                                  section 215.                                             vulnerabilities associated with each of               how to meet those objectives. Moreover,
                                                     11. In its NOPR comments, NERC                        their products or parts; therefore, even              our directive comports well with the
                                                  acknowledges that ‘‘supply chains for                    if a responsible entity identifies a                  NOPR comments submitted by NERC, in
                                                  information and communications                           vulnerability created by a supplier, the              which NERC explained what it believes
                                                  technology and industrial control                        responsible entity does not necessarily               would be the features of a workable
                                                  systems present significant risks to                     have any authority, influence or means                supply chain management Reliability
                                                  [Bulk-Power System] security, providing                  to require the supplier to apply                      Standard.21
                                                  various opportunities for adversaries to                 mitigation.17 Other commenters argue                     14. We address below the following
                                                  initiate cyberattacks.’’ 11 Several other                that the Commission’s proposal may                    issues raised in the NOPR, NOPR
                                                  commenters also recognized the risks                     unintentionally inhibit innovation.18 A               comments, and January 28 Technical
                                                  posed to the bulk electric system by                     number of commenters assert that                      Conference comments: (1) the
                                                  supply chain security issues and                         voluntary guidelines would be more                    Commission’s authority to direct the
                                                  generally support, or at least do not                    effective at addressing the Commission’s              ERO to develop supply chain
                                                  oppose, Commission action to address                     concerns.19 Finally, commenters are                   management Reliability Standards
                                                  the reliability gap.12 For example, in                   concerned that the contractual                        under FPA section 215(d)(5); and (2) the
                                                  prepared remarks submitted for the                       flexibility necessary to effectively                  need for supply chain management
                                                  January 28 Technical Conference, one                     address supply chain concerns does not                Reliability Standards, including the
                                                  panelist noted that attacks targeting the                fit well with a mandatory Reliability                 risks posed by the supply chain,
                                                  supply chain are on the rise,                            Standard.20                                           objectives of a supply chain
                                                  particularly attacks involving third                        13. As discussed below, we conclude                management Reliability Standard,
                                                  party service providers.13 In addition, it               that our directive falls within the                   existing CIP Reliability Standards, and
                                                  was noted that, while many responsible                   Commission’s authority under FPA                      responsible entities’ ability to affect the
                                                  entities are already independently                       section 215. We also determine that,                  supply chain.
                                                  assessing supply chain risks and asking                  notwithstanding the concerns raised by                A. Commission Authority To Direct the
                                                  vendors to address the risks, these                      commenters opposed to the NOPR                        ERO To Develop Supply Chain
                                                  individual efforts are likely to be less                 proposal, it is appropriate to direct the             Management Reliability Standards
                                                  effective than a mandatory Reliability                   development of mandatory                              Under FPA Section 215(d)(5)
                                                  Standard.14                                              requirements to protect industrial
                                                     12. We recognize, however, that most                  control system hardware, software, and                NOPR
                                                  commenters oppose development of                         computing and networking services                       15. In the NOPR, the Commission
                                                  Reliability Standards addressing supply                  associated with bulk electric system                  stated that it anticipates that a
                                                  chain management for various reasons.                    operations. Many of the commenters’                   Reliability Standard addressing supply
                                                  These commenters contend that                            concerns are addressed by the flexibility             chain management security would, inter
                                                  Commission action on supply chain risk                   inherent in our directive to develop a                alia, respect FPA Section 215
                                                  management would, among other                            forward-looking, objective-based                      jurisdiction by only addressing the
                                                  things, address or influence activities                  Reliability Standard that includes                    obligations of responsible entities and
                                                     10 16 U.S.C. 824o(d)(5) (‘‘The Commission . . .
                                                                                                           specific security objectives that a                   not directly imposing obligations on
                                                  may order the [ERO] to submit to the Commission
                                                                                                           responsible entity must achieve, but                  suppliers, vendors, or other entities that
                                                  a proposed reliability standard or a modification to     affords flexibility in how to meet these              provide products or services to
                                                  a reliability standard that addresses as specific        objectives. The Commission does not                   responsible entities.22
                                                  matter if the Commission considers such a new or
                                                  modified reliability standard appropriate to carry         15 See Trade Associations NOPR Comments at 24;
                                                                                                                                                                 Comments
                                                  out this section.’’).
                                                     11 NERC NOPR Comments at 8.
                                                                                                           Southern NOPR Comments at 14–16; CEA NOPR               16. Commenters contend that the
                                                     12 See Peak NOPR Comments at 3–6; ITC NOPR
                                                                                                           Comments at 4–5; NIPSCO NOPR Comments at 7.           Commission’s proposal to direct NERC
                                                                                                             16 See Trade Associations NOPR Comments at
                                                  Comments at 13–15; CyberArk NOPR Comments at
                                                                                                           20–25; Gridwise NOPR Comments at 3; Arkansas
                                                                                                                                                                 to develop mandatory Reliability
                                                  4; Ericsson NOPR Comments at 2; Isologic and                                                                   Standards to address supply chain risks
                                                  Resilient Societies Joint NOPR Comments at 9–12;         NOPR Comments at 6; G&T Cooperatives NOPR
                                                  ACS NOPR Comments at 4; ISO NE NOPR                      Comments at 8–9; NEI NOPR Comments at 3–5;            could exceed the Commission’s
                                                  Comments at 2–3; NEMA NOPR Comments at 1–2.              NIPSCO NOPR Comments at 5–6; Luminant NOPR
                                                     13 Olcott Technical Conference Comments at 1–2.
                                                                                                           Comments at 4–5; SCE NOPR Comments at 4.                 21 NERC NOPR Comments at 8–9. The record
                                                                                                             17 See Arkansas NOPR Comments at 5–6; G&T
                                                     14 Galloway Technical Conference Comments at 1                                                              evidence on which the directive in this Final Rule
                                                                                                           Cooperatives NOPR Comments at 9; Trade                is based is either comparable or superior to past
                                                  (‘‘. . . ISO–NE supports the Commission’s proposal
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                                                                           Associations NOPR Comments at 25.                     instances in which the Commission has directed,
                                                  to direct NERC to develop requirements relating to         18 See Arkansas NOPR Comments at 6; G&T
                                                  supply chain risk management. We believe that the                                                              pursuant to FPA section 215(d)(5), that NERC
                                                  risks to the reliability of the Bulk Electric System     Cooperatives NOPR Comments at 9; NERC NOPR            propose a Reliability Standard to address a gap in
                                                  that result from compromised third-party software        Comments at 13.                                       existing Reliability Standards. See, e.g., Reliability
                                                                                                             19 See Trade Associations NOPR Comments at 23;      Standards for Physical Security Measures, 146
                                                  are real, significant and largely unaddressed by
                                                  existing reliability standards. While many public        Southern NOPR Comments at 13; AEP NOPR                FERC ¶ 61,166 (2014) (directing, without seeking
                                                  utilities are already assessing these risks and asking   Comments at 5; NextEra NOPR Comments at 4–5;          comment, that NERC develop proposed Reliability
                                                  vendors to address them, these one-off efforts are       Luminant NOPR Comments at 5.                          Standards to protect against physical security risks
                                                  far less likely to be effective than an industry-wide      20 See Arkansas NOPR Comments at 6; Southern        related to the Bulk-Power System).
                                                  reliability standard.’’).                                NOPR Comments at 13.                                     22 NOPR, 152 FERC ¶ 61,054 at P 66.




                                             VerDate Sep<11>2014   17:04 Jul 28, 2016   Jkt 238001   PO 00000   Frm 00026   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM   29JYR1


                                                                        Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations                                                    49881

                                                  jurisdiction under FPA section 215. The                   BES, and should not be concerned about                  suppliers, vendors or other entities that
                                                  Trade Associations state that the NOPR                    how the Responsible Entity works with                   provide products or services to
                                                  discussion ‘‘appears to suggest a new                     its vendors and suppliers to ensure such                responsible entities.’’ 35 The
                                                  mandate, over and above Section 215 for                   reliability (such as higher financial                   Commission expects that NERC will
                                                  energy security, integrity, quality, and                  incentives or greater contractual                       adhere to this instruction as it works
                                                  supply chain resilience, and the future                   penalties).’’ 30                                        with stakeholders to develop a new or
                                                  acquisition of products and services.’’ 23                   19. The Trade Associations and                       modified Reliability Standard to address
                                                  The Trade Associations assert that the                    Southern also observe that, while the                   the Commission’s directive. As
                                                  Commission’s NOPR proposal does not                       NOPR indicates that the Commission                      discussed below, we reject the
                                                  provide any reasoning that connects                       has no direct oversight authority over                  remaining comments regarding the
                                                  energy security and integrity with                        third-party suppliers or vendors and                    Commission’s authority to direct the
                                                  reliable operations for Bulk-Power                        cannot indirectly assert authority over                 development of supply chain
                                                  System reliability. The Trade                             them through jurisdictional entities, the               management Reliability Standards
                                                  Associations seek clarification that the                  NOPR proposal appears to assert that                    under FPA section 215(d)(5).
                                                  Commission does not intend to define                      authority.31 The Trade Associations                        22. Our directive does not suggest, as
                                                  energy security as a new policy                           maintain that such an extension of the                  the Trade Associations contend, a new
                                                  mandate.24                                                Commission’s authority would be                         mandate above and beyond FPA section
                                                     17. Southern states that it agrees with                unlawful and, therefore, seek                           215. The Commission’s directive to
                                                  the Trade Associations that expanding                     clarification that ‘‘the Commission will                NERC to address supply chain risk
                                                  the focus of the NERC Reliability                         avoid seeking to extend its authority                   management for industrial control
                                                  Standards ‘‘to include concepts such as                   since such an extension would set a                     system hardware, software, and
                                                  security, integrity, and supply chain                     troubling precedent.’’ 32 CEA raises a                  computing and networking services
                                                  resilience is beyond the statutory                        concern that the NOPR proposal                          associated with bulk electric system
                                                  authority granted in Section 215.’’ 25                    ‘‘appears to lend itself to the                         operations is not intended to ‘‘define
                                                  Southern contends that while these                        interpretation that authority is                        ‘energy security’ as a new policy
                                                  areas ‘‘have an impact on the reliable                    indirectly being asserted over non-                     mandate’’ under the CIP Reliability
                                                  operation of the bulk power system,                       jurisdictional entities.’’ 33                           Standards.36 Instead, our directive is
                                                  [. . .] they are areas that are beyond the                   20. The Trade Associations also                      meant to enhance bulk electric system
                                                  scope of [the Commission’s] jurisdiction                  maintain that the Commission’s use of                   cybersecurity by addressing the gap in
                                                  under Section 215.’’ 26 NIPSCO raises a                   the term ‘‘industrial control system’’ in               the CIP Reliability Standards identified
                                                  similar argument, stating that the                        the scope of its proposal suggests that                 in the NOPR relating to supply chain
                                                  existing CIP Reliability Standards                        the Commission is seeking to address                    risk management for industrial control
                                                  should address the Commission’s                           issues beyond CIP and cybersecurity-                    system hardware, software, and
                                                  concerns ‘‘without involving processes                    related issues. The Trade Associations                  computing and networking services
                                                  and industries outside of the                             seek clarification that the Commission                  associated with bulk electric system
                                                  Commission’s jurisdiction under section                   does not intend for NERC broadly to                     operations. This directive is squarely
                                                  215 of the Federal Power Act.’’ 27                        address industrial control systems, such                within the statutory definition of a
                                                     18. Southern questions how a                           as fuel procurement and delivery                        ‘‘reliability standard,’’ which includes
                                                  mandatory Reliability Standard that                       systems or system protection devices,                   requirements for ‘‘cybersecurity
                                                  achieves all of the objectives specified                  but intends for its proposal to be limited              protection.’’ 37
                                                  in the NOPR ‘‘could effectively address                   to CIP and cybersecurity-related                           23. We reject Southern’s argument
                                                  [the Commission’s] concerns and still                     issues.34                                               that FPA section 215 limits the scope of
                                                  stay within the bounds of [the                                                                                    the NERC Reliability Standards to
                                                                                                            Discussion
                                                  Commission’s] scope and mission under                                                                             ‘‘ensur[ing] that a given BES Cyber
                                                  Section 215.’’ 28 Southern asserts that ‘‘a                  21. We are satisfied that FPA section                System asset is protected from
                                                  reading of Section 215 indicates that                     215 provides the Commission with the                    vulnerabilities once connected’’ to the
                                                  [the Commission’s] mission and                            authority to direct NERC to address the                 bulk electric system.38 While Southern’s
                                                  authority under Section 215 is focused                    reliability gap concerning supply chain                 comment implies that the Commission
                                                  on the operation of the bulk power                        management risks identified in the                      should only be concerned with real-time
                                                  system elements, not on the acquisition                   NOPR. We reject the contention that our                 operations based on the definition of the
                                                  of those elements and associated                          directive could be read to address issues               term ‘‘reliable operation,’’ the definition
                                                  procurement practices.’’ 29 In support of                 outside of the Commission’s FPA                         of ‘‘reliability standard’’ in FPA section
                                                  its assertion, Southern points to the                     section 215 jurisdiction. However, to be                215 also includes requirements for ‘‘the
                                                  definition in FPA section 215 of                          clear, we reiterate the statement in the                design of planned additions or
                                                  ‘‘reliability standard,’’ noting the use                  NOPR that any action taken by NERC in                   modifications’’ to bulk electric system
                                                  and meaning of the terms ‘‘reliable                       response to the Commission’s directive                  facilities ‘‘necessary to provide for
                                                  operation’’ and ‘‘operation.’’ Southern                   to address the supply chain-related                     reliable operation of the bulk-power
                                                  contends that ‘‘Section 215 standards                     reliability gap should respect ‘‘section
                                                  should ensure that a given BES Cyber                      215 jurisdiction by only addressing the                   35 NOPR,    152 FERC ¶ 61,054 at P 66.
System asset is protected from vulnerabilities once connected to the

obligations of responsible entities’’ and ‘‘not directly impose obligations on

23 Trade Associations NOPR Comments at 24.
24 Id.
25 Southern NOPR Comments at 16.
26 Southern NOPR Comments at 16; see also Trade Associations NOPR Comments at 24.
27 NIPSCO NOPR Comments at 7.
28 Southern NOPR Comments at 14–15.
29 Id. at 15 (emphasis in original).
30 Id. at 16.
31 Trade Associations NOPR Comments at 24–25; Southern NOPR Comments at 17; see also Trade Associations Post-Technical Conference Comments at 20–21.
32 Trade Associations NOPR Comments at 24–25.
33 CEA NOPR Comments at 5.
34 Trade Associations NOPR Comments at 25.
36 See Trade Associations NOPR Comments at 24.
37 See 16 U.S.C. 824o(a)(3) (defining ‘‘reliability standard’’ to mean ‘‘a requirement, approved by the Commission under [section 215 of the FPA] to provide for the reliable operation of the bulk-power system. The term includes requirements for the operation of existing bulk-power system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities to the extent necessary to provide for reliable operation . . .’’) (emphasis added).
38 See Southern NOPR Comments at 16.
49882 Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations

system.’’ 39 Moreover, as noted, FPA section 215 is clear that maintaining reliable operation also includes protecting the bulk electric system from cybersecurity incidents.40 Indeed, our findings and directives in the Final Rule are intended to better protect the Bulk-Power System from potential cybersecurity incidents that could adversely affect reliable operation of the Bulk-Power System. Accordingly, we would not be carrying out our obligations under FPA section 215 if the Commission determined that cybersecurity incidents resulting from gaps in supply chain risk management were outside the scope of FPA section 215.

24. With regard to concerns that the NOPR’s use of the term ‘‘industrial control system’’ signals the Commission’s intent to address issues beyond the CIP Reliability Standards or cybersecurity controls, we clarify that our directive is only intended to address the protection of hardware, software, and computing and networking services associated with bulk electric system operations from supply chain-related cybersecurity threats and vulnerabilities.

B. Need for a New or Modified Reliability Standard

1. Cyber Risks Posed by the Supply Chain

NOPR

25. In the NOPR, the Commission observed that the global supply chain, while providing an opportunity for significant benefits to customers, enables opportunities for adversaries to directly or indirectly affect the operations of companies that may result in risks to the end user. The NOPR identified supply chain risks including the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices. The NOPR pointed to changes in the bulk electric system cyber threat landscape, evidenced by recent malware campaigns targeting supply chain vendors, which highlighted a gap in the protections under the current CIP Reliability Standards.41

26. Specifically, the NOPR identified two focused malware campaigns identified by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS–CERT) in 2014.42 The NOPR stated that this new type of malware campaign is based on the injection of malware while a product or service remains in the control of the hardware or software vendor, prior to delivery to the customer.43

Comments

27. NERC acknowledges the NOPR’s concerns regarding the threats posed by supply chain management risks to the Bulk-Power System. NERC states that ‘‘the supply chains for information and communications technology and industrial control systems present significant risks to [Bulk-Power System] security, providing various opportunities for adversaries to initiate cyberattacks.’’ 44 NERC further explains that ‘‘supply chains risks are . . . complex, multidimensional, and constantly evolving, and may include, as the Commission states, insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices.’’ 45 NERC states, however, that as to these supply chains, there are ‘‘significant challenges to developing a mandatory Reliability Standard consistent with [FPA] Section 215 . . . .’’ 46

28. IRC, Peak, Idaho Power, CyberArk, NEMA, Resilient Societies and other commenters share the NOPR’s concern that supply chain risks pose a threat to bulk electric system reliability. IRC states that it supports the Commission’s efforts to address the risks associated with supply chain management.47 Peak explains that ‘‘the security risk of supply chain management is a real threat, and . . . a CIP standard for supply chain management may be necessary.’’ 48 Peak notes, for example, that it is possible for a malware campaign to infect industrial control software with malicious code while the product or service is in the control of the hardware and software vendor, and states that, ‘‘[w]ithout proper controls, the vendor may deliver this infected product or service, unknowingly passing the risk onto the utility industry customer.’’ 49 Isologic and Resilient Societies comment that supply chain vulnerabilities are one of the most difficult areas of cybersecurity because, among other concerns, entities ‘‘are seldom aware of the risks [supply chain vulnerabilities] pose.’’ 50

29. Idaho Power agrees ‘‘that the supply chain could pose an attack vector for certain risks to the bulk electric system.’’ 51 CyberArk states that ‘‘infection of vendor Web sites is just one of the potential ways a supply chain management attack could be executed’’ and notes that network communications links between a vendor and its customer could be used as well.52 NEMA agrees with the NOPR that ‘‘keeping the electric sector supply chain free from malware and other cybersecurity risks is essential.’’ 53 NEMA highlights a number of principles it represents as vendor best practices, and encourages the Commission and NERC to reference those principles as the effort to address supply chain risks progresses.54

30. Other commenters do not agree that the risks identified in the NOPR support the Commission’s NOPR proposal. The Trade Associations, Southern, and NIPSCO contend that the two malware campaigns identified by ICS–CERT and cited in the NOPR do not actually represent a changed threat landscape that defines a reliability gap. Specifically, the Trade Associations state that the two identified malware campaigns ‘‘seek to inject malware, while a product is in the control of and in use by the customer and not, as the NOPR suggests, the vendor.’’ 55 In support of this position, the Trade Associations note that the ICS–CERT mitigation measures for the two alerts ‘‘focused on the customer and do not address security controls, while the products are under control of the vendors.’’ 56

31. The Trade Associations and Southern also contend that there is no information from various NERC programs and activities that leads to a reasonable conclusion that supply chain management issues have caused events or disturbances on the bulk electric

39 See 16 U.S.C. 824o(a)(4) (defining ‘‘reliable operation’’); see also 16 U.S.C. 824o(a)(3).
40 See 16 U.S.C. 824o(a)(4).
41 NOPR, 152 FERC ¶ 61,054 at PP 61–62.
42 Id. P 63 (citing ICS–CERT, Alert: ICS Focused Malware (Update A), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A; ICS–CERT, Alert Ongoing Sophisticated Malware Campaign Compromising ICS (Update E), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B). ICS–CERT is a division of the Department of Homeland Security that works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community.
43 NOPR, 152 FERC ¶ 61,054 at P 63.
44 NERC NOPR Comments at 8.
45 Id. at 10.
46 Id. at 2.
47 IRC NOPR Comments at 1–2.
48 Peak NOPR Comments at 3.
49 Id. at 3.
50 Isologic and Resilient Societies Joint NOPR Comments at 9.
51 Idaho Power NOPR Comments at 3.
52 CyberArk NOPR Comments at 4.
53 NEMA NOPR Comments at 1.
54 Id. at 2.
55 Trade Associations NOPR Comments at 20–21.
56 Trade Associations NOPR Comments at 21; see also NIPSCO NOPR Comments at 6.
                                             VerDate Sep<11>2014    17:04 Jul 28, 2016   Jkt 238001    PO 00000   Frm 00028   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM   29JYR1


                                                                       Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations                                                   49883

                                                  system.57 Luminant states that it ‘‘does                    33. Even among the comments                          it is no longer sufficient to focus
                                                  not perceive the same reliability gap                    opposed to the NOPR, there is                           protection strategies exclusively on
                                                  that is expressed in the NOPR                            acknowledgment that supply chain                        post-acquisition activities at individual
                                                  concerning risks associated with supply                  reliability risks exist. The Trade                      entities. Instead, we believe that
                                                  chain management’’ and contends that it                  Associations state that their ‘‘respective              attention should also be focused on
                                                  is important to understand the potential                 members have identified security issues                 minimizing the attack surfaces of
                                                  risks and cost impacts related to any                    associated with potential supply chain                  information and communications
                                                  potential mitigation efforts before                      disruption or compromise as being a                     technology products procured to
                                                  developing any additional security                       significant threat.’’ 63 Recognizing that               support bulk electric system operations.
                                                  controls.58 KCP&L states that it does not                such risks exist, we reject the assertion
                                                  share the Commission’s view of the                       by the Trade Associations and Southern                  2. Objectives of a Supply Chain
                                                  supply chain-related reliability gap                     that there is an inadequate basis for the               Management Reliability Standard
                                                  described in the NOPR and, therefore,                    Commission to take action because                       NOPR
                                                  does not support the Commission’s                        ‘‘[t]he Trade Associations can find
                                                                                                                                                                      35. The NOPR stated that the
                                                  proposal.59                                              nothing within various NERC programs
                                                                                                                                                                   reliability goal of a supply chain risk
                                                                                                           and activities that lead to a reasonable
                                                  Discussion                                                                                                       management Reliability Standard
                                                                                                           conclusion that supply chain
                                                    32. We find ample support in the                                                                               should be a forward-looking, objective-
                                                                                                           management issues have caused events
                                                  record to conclude that supply chain                                                                             driven Reliability Standard that
                                                                                                           or disturbances on the bulk power
                                                  management risks pose a threat to bulk                                                                           encompasses activities in the system
                                                                                                           system.’’ 64
                                                  electric system reliability. As NERC                        34. We disagree with the Trade                       development life cycle: from research
                                                  commented, ‘‘the supply chains for                       Associations’ arguments suggesting that                 and development, design and
                                                  information and communications                           the two malware campaigns identified                    manufacturing stages (where
                                                  technology and industrial control                        in the NOPR do not represent a change                   applicable), to acquisition, delivery,
                                                  systems present significant risks to                     in the threat landscape to the bulk                     integration, operations, retirement, and
                                                  [Bulk-Power System] security, providing                  electric system. First, while the Trade                 eventual disposal of the responsible
                                                  various opportunities for adversaries to                 Associations are correct that the ICS–                  entity’s information and
                                                  initiate cyberattacks.’’ 60 The malware                  CERT alerts referenced in the NOPR                      communications technology and
                                                  campaigns analyzed by ICS–CERT and                       describe remediation steps for                          industrial control system supply chain
                                                  identified in the NOPR are only                          customers to take in the event of a                     equipment and services. The NOPR
                                                  examples of such risks (i.e., supply                     breach, the vulnerabilities exploited by                explained that the Reliability Standard
                                                  chain attacks targeting supply chain                     those campaigns were the direct result                  should support and ensure security,
                                                  vendors). Commenters identified                          of vendor decisions about: (1) How to                   integrity, quality, and resilience of the
                                                  additional supply chain-related                          deliver software patches to their                       supply chain and the future acquisition
                                                  threats,61 including events targeting                    customers and (2) the necessary degree                  of products and services.67
                                                  electric utility vendors.62                              of remote access functionality for their                   36. The NOPR recognized that, due to
                                                                                                           information and communications                          the breadth of the topic and the
                                                     57 Trade Associations NOPR Comments at 21;
                                                                                                           technology products.65 Second, the                      individualized nature of many aspects
                                                  Southern Comments at 11.                                                                                         of supply chain management, a
                                                     58 Luminant NOPR Comments at 4.                       malware campaigns also demonstrate
                                                     59 KCP&L NOPR Comments at 7.                          that attackers have expanded their                      Reliability Standard pertaining to
                                                     60 NERC NOPR Comments at 8.                           efforts to include the execution of broad               supply chain management security
                                                     61 Commenters reference tools and information         access campaigns targeting vendors and                  should:
                                                  security frameworks, such as ES–C2M2, NIST–SP–           software applications, rather than just                    • Respect FPA section 215
                                                  800–161 and NIST–SP–800–53, which describe the           individual entities. The targeting of                   jurisdiction by only addressing the
                                                  scope of supply chain risk that could impact bulk                                                                obligations of responsible entities. A
                                                  electric system operations. See Department of            vendors and software applications with
                                                  Energy, Electricity Subsector Cybersecurity              potentially broad access to BES Cyber                   Reliability Standard should not directly
                                                  Capability Maturity Model (February 2014), http://       Systems 66 marks a turning point in that                impose obligations on suppliers,
                                                  energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-                                                               vendors or other entities that provide
                                                  1-Feb2014.pdf; NIST Special Publication 800–161,
                                                  Supply Chain Risk Management Practices for               include: (1) unauthorized code found in Juniper         products or services to responsible
                                                  Federal Information Systems and Organizations at         Firewalls in 2015; (2) the 2013 Target incident         entities.
                                                  51, http://nvlpubs.nist.gov/nistpubs/                    involving stolen vendor credentials; (3) the 2015          • Be forward-looking in the sense that
                                                  SpecialPublications/NIST.SP.800-161.pdf; NIST            Office of Personnel Management incident also
                                                                                                           involving stolen vendor credentials; and (4) two        the Reliability Standard should not
                                                  Special Publication 800–53, Security and Privacy
                                                  Controls for Federal Information Systems and             events targeting electric utility vendors. See id. at   dictate the abrogation or re-negotiation
                                                  Organizations, http://nvlpubs.nist.gov/nistpubs/         1–4.                                                    of currently-effective contracts with
                                                                                                              63 Trade Associations NOPR Comments at 17.
                                                  SpecialPublications/NIST.SP.800-53r4.pdf. These                                                                  vendors, suppliers or other entities.
                                                                                                              64 See Trade Associations NOPR Comments at 21.
                                                  risks include the insertion of counterfeits,
                                                                                                              65 The ICS–CERT alert regarding ICS Focused
                                                                                                                                                                      • Recognize the individualized nature
                                                  unauthorized production and modification of
of many aspects of supply chain management by setting goals (the ‘‘what’’), while allowing flexibility in how a responsible entity subject to the

products, tampering, theft, intentional insertion of tracking software, as well as poor manufacturing and development practices. One technical conference participant noted that supply chain attacks can target either (1) the hardware/software components of a system (thereby creating vulnerabilities that can be exploited by a remote attacker) or (2) a third party service provider who has access to sensitive IT infrastructure or holds/maintains sensitive data. See Olcott Technical Conference Comments at 1.

62 Olcott discusses two events targeting electric utility vendors and service providers. Olcott Technical Conference Comments at 2. Specific recent examples of attacks on third party vendors [. . .] Malware indicated that ‘‘the software installers for . . . vendors were infected with malware known as the Havex Trojan.’’

66 Cyber systems are referred to as ‘‘BES Cyber Systems’’ in the CIP Reliability Standards. The NERC Glossary defines BES Cyber Systems as ‘‘One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.’’ NERC Glossary of Terms Used in Reliability Standards (May 17, 2016) at 15 (NERC Glossary). The NERC Glossary defines ‘‘BES Cyber Asset’’ as ‘‘A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.’’ Id.

67 NOPR, 152 FERC ¶ 61,054 at P 64.
                                                  49884                Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations

Reliability Standard achieves that goal (the ‘‘how’’).

• Given the types of specialty products involved and the diversity of acquisition processes, the Reliability Standard may need to allow exceptions (e.g., to meet safety requirements and fill operational gaps if no secure products are available).

• Provide enough specificity so that compliance obligations are clear and enforceable. In particular, the Commission anticipated that a Reliability Standard that simply requires a responsible entity to ‘‘have a plan’’ addressing supply chain management would not suffice. Rather, to adequately address the concerns identified in the NOPR, the Commission stated a Reliability Standard should identify specific controls.68

37. The NOPR recognized that, because security controls for supply chain management likely vary greatly with each responsible entity due to variations in individual business practices, the right set of supply chain management security controls should accommodate, inter alia, an entity’s: (1) Procurement process; (2) vendor relations; (3) system requirements; (4) information technology implementation; and (5) privileged commercial or financial information. As examples of controls that may be instructional in the development of any new Reliability Standard, the NOPR identified the following Supply Chain Risk Management controls from NIST SP 800–161: (1) Access Control Policy and Procedures; (2) Security Assessment Authorization; (3) Configuration Management; (4) Identification and Authentication; (5) System Maintenance Policy and Procedures; (6) Personnel Security Policy and Procedures; (7) System and Services Acquisition; (8) Supply Chain Protection; and (9) Component Authenticity.69

Comments

38. NERC states that a Commission directive requiring the development of a supply chain risk management Reliability Standard: (1) Should provide a minimum of two years for Reliability Standard development activities; (2) should clarify that any such Reliability Standard build on existing protections in the CIP Reliability Standards and the practices of responsible entities, and focus primarily on those procedural controls that responsible entities can reasonably be expected to implement during the procurement of products and services associated with bulk electric system operations to manage supply chain risks; and (3) must be flexible to account for differences in the needs and characteristics of responsible entities, the diversity of bulk electric system environments, technologies, risks, and issues related to the limited applicability of mandatory NERC Reliability Standards.70

39. While sharing the Commission’s concern that supply chain risks pose a threat to bulk electric system reliability, some commenters suggest that the Commission address certain threshold issues before moving forward with the NOPR proposal. IRC notes its concern that the NOPR proposal is overly broad, which IRC states could hamper industry’s ability to address the Commission’s concerns.71 Idaho Power expresses a concern ‘‘that tightening purchasing controls too tightly could also pose a risk because there are limited vendors’’ available to industry.72 Idaho Power states that any supply chain Reliability Standard ‘‘should be laid out in terms of requirements built around controls that are developed by the regulated entity rather than prescriptive requirements like many other CIP standards.’’ 73 ISO–NE supports the development of procedural controls ‘‘such as requirements that Registered Entities must transact with organizations that meet certain criteria, use specified procurement language in contracts, and review and validate vendors’ security practices.’’ 74 Peak notes that ‘‘the number of vendors for certain hardware, software and services may be limited’’ and, therefore, a supply chain-related Reliability Standard should grant responsible entities the flexibility ‘‘to show preference for, but not the obligation to use, vendors who demonstrate sound supply chain security practices.’’ 75

40. NERC, the Trade Associations, Southern, Gridwise, and other commenters request that, should the Commission find it reasonable to direct NERC to develop a new or modified Reliability Standard for supply chain management, the Commission adopt certain principles for NERC to follow in the standards development process. As an initial matter, NERC and other commenters state that the Commission should identify the risks that it intends NERC to address.76 In addition, NERC, SPP RE, and AEP state that the Commission should ensure that any new or modified supply chain-related Reliability Standard carefully considers the risk being addressed against the cost of mitigating that risk.77

41. NERC states that the focus of any supply chain risk management Reliability Standard ‘‘should be a set of requirements outlining those procedural controls that entities should take, as purchasers of products and services, to design more secure products and modify the security practices of suppliers, vendors, and other parties throughout the supply chain.’’ 78 Similarly, SPP RE notes that, while one responsible entity alone may not have adequate leverage to make a vendor or supplier adopt adequate security practices, ‘‘the collective application of the procurement language across a broad collection of Responsible Entities may achieve the intended improvement in security safeguards.’’ 79 Isologic and Resilient Societies recommends limiting the Reliability Standard requirements to a few that are immediately necessary, such as: (1) Preventing the installation of cyber related system or grid components which have been reported by ICS–CERT to be provably vulnerable to a supply chain attack, unless the vulnerability has been corrected; (2) removing from operation any system or component reported by ICS–CERT as containing an exploitable vulnerability; and (3) subjecting hardware and software to penetration testing prior to installation on the grid.80

42. In post-technical conference comments, while still opposing the NOPR proposal, APPA suggests certain parameters that should govern the development of any supply chain-related Reliability Standard.81 Specifically, APPA states that a supply chain-related Reliability Standard should be risk-based and ‘‘must embody an approach that enables utilities to perform a risk assessment of the hardware and systems that create potential vulnerabilities,’’ similar to the approach taken in Reliability Standard CIP–014–2, Requirement R1 (Physical

68 Id. P 66.

69 NOPR, 152 FERC ¶ 61,054 at P 65 (citing NIST Special Publication 800–161 at 51).

70 NERC NOPR Comments at 8–9.

71 IRC NOPR Comments at 2.

72 Idaho Power NOPR Comments at 3.

73 Id. at 3–4.

74 ISO–NE NOPR Comments at 2 (citing NERC NOPR Comments at 17–18).

75 Peak NOPR Comments at 4.

76 NERC NOPR Comments at 9–11; Trade Associations NOPR Comments at 26; Gridwise NOPR Comments at 5; AEP NOPR Comments at 8; SPP RE NOPR Comments at 11; EnergySec NOPR Comments at 4.

77 NERC NOPR Comments at 11–12; SPP RE NOPR Comments at 11; AEP NOPR Comments at 9.

78 NERC NOPR Comments at 17.

79 SPP RE NOPR Comments at 12.

80 Isologic and Resilient Societies Joint NOPR Comments at 11.

81 APPA’s post-technical conference comments were submitted jointly with LPPC and TAPS.
[[Page 49885]]

Security).82 In addition, APPA states that a supply chain-related Reliability Standard should not require responsible entities to actively manage third-party vendors or their processes since that would risk involving utilities in areas that are outside of their core expertise. APPA also argues that ‘‘it would be unreasonable for any standard that FERC directs to hold utilities liable for the actions of third-party vendors or suppliers.’’ 83 Finally, APPA states that responsible entities should be able to rely on a credible attestation by a vendor or supplier that it complied with identified supply chain security process. APPA contends that this would be the most efficient way to ‘‘establish a standard of care on the suppliers’ part.’’ 84

Discussion

43. We direct that NERC, pursuant to section 215(d)(5) of the FPA, develop a forward-looking, objective-driven new or modified Reliability Standard to require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. Our directive is consistent with the NOPR comments advocating flexibility as to what form the Commission’s directive should take.

44. We agree with NERC and other commenters that a supply chain risk management Reliability Standard should be flexible and fall within the scope of what is possible using Reliability Standards under FPA section 215. The directive discussed below, we believe, is consistent with both points. In particular, the flexibility inherent in our directive should account for, among other things, differences in the needs and characteristics of responsible entities and the diversity of BES Cyber System environments, technologies and risks. For example, the new or modified Reliability Standard may allow a responsible entity to meet the security objectives discussed below by having a plan to apply different controls based on the criticality of different assets. And by directing NERC to develop a new or modified Reliability Standard, the Commission affords NERC the option of modifying existing Reliability Standards to satisfy our directive. Finally, we direct NERC to submit the new or modified Reliability Standard within one year of the effective date of this Final Rule.85

45. The plan required by the new or modified Reliability Standard developed by NERC should address, at a minimum, the following four specific security objectives in the context of addressing supply chain management risks: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls. Responsible entities should be required to achieve these four objectives but have the flexibility as to how to reach the objective (i.e., the Reliability Standard should set goals (the ‘‘what’’), while allowing flexibility in how a responsible entity subject to the Reliability Standard achieves that goal (the ‘‘how’’)).86 Alternatively, NERC can propose an equally effective and efficient approach to address the issues raised in the objectives identified below. In addition, while in the discussion below we identify four objectives, NERC may address additional supply chain management objectives in the standards development process, as it deems appropriate.

46. The new or modified Reliability Standard should also require a periodic reassessment of the utility’s selected controls. Consistent with or similar to the requirement in Reliability Standard CIP–003–6, Requirement R1, the Reliability Standard should require the responsible entity’s CIP Senior Manager to review and approve the controls adopted to meet the specific security objectives identified in the Reliability Standard at least every 15 months. This periodic assessment should better ensure that the required plan remains up-to-date, addressing current and emerging supply chain-related concerns and vulnerabilities.

47. Also, consistent with this reliance on an objectives-based approach, and as part of this periodic review and approval, the responsible entity’s CIP Senior Manager should consider any guidance issued by NERC, the U.S. Department of Homeland Security (DHS) or other relevant authorities for the planning, procurement, and operation of industrial control systems and supporting information systems and equipment since the prior approval, and identify any changes made to address the recent guidance. This periodic reconsideration will help ensure an ongoing, affirmative process for reviewing and, when appropriate, incorporating such guidance.

First Objective: Software Integrity and Authenticity

48. The new or modified Reliability Standard must address verification of: (1) The identity of the software publisher for all software and patches that are intended for use on BES Cyber Systems; and (2) the integrity of the software and patches before they are installed in the BES Cyber System environment.

49. This objective is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System. One of the two focused malware campaigns identified by ICS–CERT in 2014 utilized similar tactics, executing what is commonly referred to as a ‘‘Watering Hole’’ attack 87 to exploit affected information systems. Similar tactics appear to have been used in a recently disclosed attack targeting electric sector infrastructure in Japan.88 These types of attacks might have been prevented had the affected entities applied adequate integrity and authenticity controls to their patch management processes.

50. As NERC recognizes in its NOPR comments, NIST SP–800–161 ‘‘establish[es] instructional reference points for NERC and its stakeholders to leverage in evaluating the appropriate framework for and security controls to include in any mandatory supply chain management Reliability Standard.’’ 89 NIST SP–800–161 includes a number of security controls which, when taken together, reduce the probability of a successful Watering Hole or similar cyberattack in the industrial control system environment and thus could assist in addressing this objective. For example, in the System and Information

82 APPA Post-Technical Conference Comments at 3–4.

83 Id. at 4–5.

85 We note that the Trade Associations request that the Commission allow ‘‘at least one year for discussion, development, and approval by the NERC Board of Trustees.’’ See Trade Associations Post-Technical Conference Comments at 22. NERC should submit an informational filing within ninety days of the effective date of this Final Rule with a plan to address the Commission’s directive.

86 See Order No. 672, FERC Stats. & Regs. ¶

87 ‘‘Watering Hole’’ attacks exploit poor vendor/client patching and updating processes. Attackers generally compromise a vendor of the intended victim and then use the vendor’s information system as a jumping off point for their attack. Attackers will often inject malware or replace legitimate files with corrupted files (usually a patch or update) on the vendor’s Web site as part of the attack. The victim then downloads the files without verifying each file’s legitimacy believing that it is included in a legitimate patch or update.

88 See Cylance, Operation DustStorm, https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf.

89 NERC NOPR Comments at 16–17; see also
                                                    84 Id.   at 5.                                             31,204 at P 260.                                       Resilient Societies NOPR Comments at 11.



                                             VerDate Sep<11>2014       17:04 Jul 28, 2016   Jkt 238001   PO 00000   Frm 00031   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM   29JYR1


[[Page 49886]]

Integrity (SI) control family, control SI–7 suggests that the integrity of information systems and components should be tested and verified using controls such as digital signatures and obtaining software directly from the developer. In the Configuration Management (CM) control family, control CM–5(3) requires that the information system prevent the installation of firmware or software without verification that the component has been digitally signed to ensure that hardware and software components are genuine and valid. NIST SP–800–161, while not meant to be definitive, provides examples of controls for addressing the Commission's directive regarding this first objective. Other security controls also could meet this objective.

Second Objective: Vendor Remote Access to BES Cyber Systems

51. The new or modified Reliability Standard must address responsible entities' logging and controlling all third-party (i.e., vendor) initiated remote access sessions. This objective covers both user-initiated and machine-to-machine vendor remote access.

52. This objective addresses the threat that vendor credentials could be stolen and used to access a BES Cyber System without the responsible entity's knowledge, as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection into a responsible entity's BES Cyber System. The theft of legitimate user credentials appears to have been a critical aspect to the successful execution of the 2015 cyberattack on Ukraine's power grid.[90] In addition, controls adopted under this objective should give responsible entities the ability to rapidly disable remote access sessions in the event of a system breach.

53. DHS noted the importance of controlling vendor remote access in its alert on the Ukrainian cyberattack: "Remote persistent vendor connections should not be allowed into the control network. Remote access should be operator controlled, time limited, and procedurally similar to 'lock out, tag out.' The same remote access paths for vendor and employee connections can be used; however, double standards should not be allowed."[91]

54. NIST SP–800–53 and NIST SP–800–161 provide several security controls which, when taken together, reduce the probability that an attacker could use legitimate third-party access to compromise responsible entity information systems. In the Systems and Communications (SC) control family, for example, control SC–7 addressing boundary protection requires that an entity implement appropriate monitoring and control mechanisms and processes at the boundary between the entity and its suppliers, and that provisions for boundary protections should be incorporated into agreements with suppliers. These protections are applied regardless of whether the remote access session is user-initiated or interactive in nature.

55. In the Access Control (AC) control family, control AC–17 requires usage restrictions, configuration/connection requirements, and monitoring and control for remote access sessions, including the entity's ability to expeditiously disconnect or disable remote access. In the Identification and Authentication (IA) control family, control IA–5 requires changing default "authenticators" (e.g., passwords) prior to information system installation. In the System and Information Integrity (SI) control family, control SI–4 addresses monitoring of vulnerabilities resulting from past information and communication technology supply chain compromises, such as malicious code implanted during software development and set to activate after deployment. These sources, while not meant to be definitive, provide examples of controls for addressing the Commission's directive regarding objective two. Other security controls also could meet this objective.

Third Objective: Information System Planning and Procurement

56. The new or modified Reliability Standard must address how a responsible entity will include security considerations as part of its information system planning and system development lifecycle processes. As part of this objective, the new or modified Reliability Standard must address a responsible entity's CIP Senior Manager's (or delegate's) identification and documentation of the risks of proposed information system planning and system development actions. This objective is intended to ensure adequate consideration of these risks, as well as the available options for hardening the responsible entity's information system and minimizing the attack surface.

57. This third objective addresses the risk that responsible entities could unintentionally plan to procure and install unsecure equipment or software within their information systems, or could unintentionally fail to anticipate security issues that may arise due to their network architecture or during technology and vendor transitions. For example, the BlackEnergy malware campaign identified by ICS–CERT and referenced in the NOPR resulted from the remote exploitation of previously unidentified vulnerabilities, which allowed attackers to remotely execute malicious code on remotely accessible devices.[92] According to ICS–CERT, this attack might have been mitigated if affected entities had taken steps during system development and planning to: (1) Minimize network exposure for all control system devices/subsystems; (2) ensure that devices were not accessible from the internet; (3) place devices behind firewalls; and (4) utilize secure remote access techniques.[93] The third objective also supports, where appropriate, the need for strategic technology refreshes as recommended by ICS–CERT in response to the 2015 Ukraine cybersecurity incident.[94]

58. NIST SP 800–53 and SP 800–161 provide several controls which, when taken together, reduce the likelihood that an information system will be deployed and/or remain in service with potential vulnerabilities that have not been identified or adequately considered. For example, in the NIST SP 800–53 Systems Acquisition (SA) control family, control SA–3 provides that organizations should: (1) Manage information systems using an organizationally-defined system development life cycle that incorporates information security considerations; and (2) integrate the organizational information security risk management process into system development life cycle activities.[95] Similarly, control SA–8 recommends using secure engineering principles during the planning and acquisition phases of future projects such as: (1) Developing layered protections; (2) establishing sound security policy, architecture, and controls as the foundation for design; (3) incorporating security requirements into the system development life cycle; and (4) reducing risk to acceptable levels, thus enabling informed risk

[90] See E–ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid at 3 (Mar. 18, 2016), http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
[91] See ICS–CERT Alert, Cyber-Attack Against Ukrainian Critical Infrastructure, https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
[92] See ICS–CERT Alert, Ongoing Sophisticated Malware Campaign Compromising ICS (Update E).
[93] See ICS–CERT Advisory, GE Proficy Vulnerabilities, https://ics-cert.us-cert.gov/advisories/ICSA-14-023-01.
[94] See ICS–CERT Alert, Cyber-Attack Against Ukrainian Critical Infrastructure.
[95] NIST Special Publication 800–53, Appendix F (Security Control Catalog) at 157.

[[Page 49887]]

management decisions.[96] Finally, control SA–22 provides controls to address unsupported system components, recommending the replacement of information and communication technology components when support is no longer available, or the justification and approval of an unsupported system component to meet specific business needs. These sources, while not meant to be definitive, provide examples of controls for addressing the Commission's directive regarding objective three. Other security controls also could meet this objective.

Fourth Objective: Vendor Risk Management and Procurement Controls

59. The new or modified Reliability Standard must address the provision and verification of relevant security concepts in future contracts for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. Specifically, NERC must address controls for the following topics: (1) Vendor security event notification processes; (2) vendor personnel termination notification for employees with access to remote and onsite systems; (3) product/services vulnerability disclosures, such as accounts that are able to bypass authentication or the presence of hardcoded passwords; (4) coordinated incident response activities; and (5) other related aspects of procurement. NERC should also consider provisions to help responsible entities obtain necessary information from their vendors to minimize potential disruptions from vendor-related security events.

60. This fourth objective addresses the risk that responsible entities could enter into contracts with vendors who pose significant risks to their information systems, as well as the risk that products procured by a responsible entity fail to meet minimum security criteria. In addition, this objective addresses the risk that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.

61. The Department of Energy (DOE) Cybersecurity Procurement Language for Energy Delivery Systems document outlines security principles and controls for entities to consider when designing and procuring control system products

be incorporated into procurement specifications. The procurement language encourages buyers to incorporate baseline procurement language that ensures the supplier establishes, documents and implements risk management practices for supply chain delivery of hardware, software, and firmware.[97] In addition, NIST SP 800–161 encourages buyers to use the Information and Communications Technology supply chain risk management (ICT SCRM) plans for their respective systems and missions throughout their acquisition activities.[98] The controls in the ICT SCRM plans can be applied in different life cycle processes.

62. NIST SP 800–161 also provides specific recommendations in control SA–4 pertaining to systems acquisition processes, which are relevant for consideration during the standards development process, including but not limited to: (1) Defining requirements that cover regulatory requirements (i.e., telecommunications or IT), technical requirements, chain of custody, transparency and visibility, sharing information on supply chain security incidents throughout the supply chain, rules for disposal or retention of elements such as components, data, or intellectual property, and other relevant requirements; (2) defining requirements for critical elements in the supply chain to demonstrate a capability to remediate emerging vulnerabilities based on open source information and other sources; and (3) defining requirements for the expected life span of the system and ensuring that suppliers can provide insights into their plans for the end-of-life of components. Other relevant provisions can be found in the System and Communications Protection (SC) control family under control SC–18 addressing SCRM guidance for mobile code, which recommends that organizations employ rigorous supply chain protection techniques in the acquisition, development, and use of mobile code to be deployed in information systems.[99] These sources, while not meant to be definitive, provide examples of controls for addressing the Commission's directive regarding objective four. Other security controls also could meet this objective.

[97] See Energy Sector Control Systems Working Group, Cybersecurity Procurement Language—Energy Delivery Systems at 27, http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf.
[98] See NIST Special Publication 800–161 at 51.
[99] Mobile code is a software program or parts of a program obtained from remote information systems, transmitted across a network, and executed on a local information system without

3. Existing CIP Reliability Standards

Comments

63. NERC comments that although the CIP Reliability Standards do not explicitly address supply chain procurement practices, existing requirements mitigate the supply chain risks identified in the NOPR. In particular, NERC states that requirements in Reliability Standards CIP–004–6, CIP–005–5, CIP–006–6, CIP–007–6, CIP–008–5, CIP–009–6, CIP–010–2, and CIP–011–2 "include controls that correspond to controls in NIST SP 800–161."[100]

64. For example, NERC explains that responsible entity compliance with Reliability Standard CIP–004–6, addressing the implementation of cybersecurity awareness programs, may include reinforcement of cybersecurity practices to mitigate supply chain risks. NERC also states that requirements in Reliability Standard CIP–004–6 (addressing personnel risk assessment) and requirements in Reliability Standards CIP–004–6, CIP–005–5, CIP–006–6, CIP–007–6, and CIP–010–2 (addressing electronic and physical access) apply to any outside vendors or contractors.

65. The Trade Associations, Arkansas, G&T Cooperatives, NIPSCO, Luminant, Southern, NextEra, and SCE contend that the existing CIP Reliability Standards, at least partly, address supply chain risks that are within a responsible entity's control.

66. The Trade Associations state that, while the existing CIP Reliability Standards do not contain explicit provisions addressing supply chain management, "transmission owners and operators already have significant responsibilities to perform under various Commission-approved CIP standards that already address supply chain issues."[101] Specifically, the Trade Associations, NIPSCO, and others state that Reliability Standard CIP–010–2 establishes requirements for cyber asset change management that mandate extensive baseline configuration testing and change monitoring, as well as vulnerability assessments, prior to connecting a new cyber asset to a High Impact BES Cyber Asset.[102]
                                                  and services (e.g., software, systems,                       explicit installation or execution by the recipient.
                                                                                                                                                                        100 NERC
                                                                                                               NIST Special Publication 800–53, Appendix B                        NOPR Comments at 15–16.
                                                  maintenance, and networks), and                                                                                       101 Trade Associations NOPR Comments at 19–20.
                                                                                                               (Glossary) at 14. Mobile code technologies include,
                                                  provides example language that could                         for example, Java, JavaScript, ActiveX, Postscript,      102 Trade Associations NOPR Comments at 20;

                                                                                                               PDF, Shockwave movies, Flash animations, and           NIPSCO NOPR Comments at 5; Southern NOPR
                                                    96 Id.   at 162.                                           VBScript. Id.                                                                                 Continued




                                             VerDate Sep<11>2014       17:04 Jul 28, 2016   Jkt 238001   PO 00000   Frm 00033   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM   29JYR1


[[Page 49888]]

Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations

67. The Trade Associations also contend that the CIP Reliability Standards provide adequate vendor remote access protections by mandating: (1) Controls that restrict personnel access (physical and electronic) to protected information systems; (2) controls that prevent direct access to applicable systems for interactive remote access sessions using routable protocols; (3) the use of encryption for connections extending outside of an electronic security perimeter; (4) the use of two factor authentication when accessing medium and high impact systems; and (5) integration controls which require changing known default accounts and passwords.[103]

68. NIPSCO, Luminant, and G&T Cooperatives point to Reliability Standard CIP–007–6 as an existing Reliability Standard that addresses supply chain risks. Reliability Standard CIP–007–6 requires responsible entities to have processes under which only necessary ports and services should be enabled; security patches should be tracked, evaluated, and installed on applicable BES Cyber Systems; and anti-virus software or other prevention tools should be used to prevent the introduction and propagation of malicious software on all Cyber Assets within an Electronic Security Perimeter.[104]

69. Commenters also identify existing voluntary guidelines that, they contend, augment the existing CIP Reliability Standards to further address any potential risks posed by the supply chain. Southern points to voluntary cybersecurity procurement guidance materials developed by the DHS and the DOE as examples of procurement language that could be used in the course of vendor negotiations. Southern states that the DHS and DOE guidelines recognize the need for flexibility and allow for multiple contractual approaches.[105]

70. Commenters suggest that the Commission direct NERC to develop cybersecurity procurement guidance documents as opposed to a mandatory Reliability Standard. AEP, NextEra, and Southern state that the Commission could direct NERC to develop guidance documents addressing supply chain risk management based, in part, on the DHS and DOE voluntary cybersecurity procurement guidance materials.[106] Luminant asserts that NERC-developed guidance "would effectively communicate key issues while permitting industry the flexibility to effectively protect their BES Cyber Systems in a way most effective for that entity and at the lowest cost."[107]

Discussion

71. While we recognize that existing CIP Reliability Standards include requirements that address aspects of supply chain management, we determine that existing Reliability Standards do not adequately protect against supply chain risks that are within a responsible entity's control. Specifically, we find that existing CIP Reliability Standards do not provide adequate protection for the four aspects of supply chain risk management that underlie the four objectives for a new or modified Reliability Standard discussed above.[108] Moreover, a fundamental premise of cyber security is "defense in depth," and addressing issues in the supply chain (to the extent a utility reasonably can) is an important component of a strong, multi-layered defense.

Software Integrity and Authenticity

72. With regard to software integrity and authenticity, we agree with commenters who state that the existing CIP Reliability Standards contain requirements for responsible entities to implement a patch management process for tracking, evaluating, and installing cybersecurity patches and to implement processes to detect, prevent, and mitigate the threat of malicious code. These provisions, however, do not require responsible entities to verify the identity of the software publisher for all software and patches that are intended for use on their BES Cyber Systems or to verify the integrity of the software and patches before they are installed in the BES Cyber System environment.[109] As discussed above, the CIP Reliability Standards should address compromised software or patches that a responsible entity receives from a vendor, in order to protect the bulk electric system from Watering-Hole or similar cyberattacks. These concerns are not addressed by existing CIP Reliability Standards.

73. Mandatory controls in the existing CIP Reliability Standards referenced by commenters do not provide sufficient protection against attacks that compromise software and software patch integrity and authenticity. For example, while Reliability Standard CIP–007–6, Requirement R2 requires responsible entities to enforce a patch management process for tracking, evaluating, and installing cyber security patches for applicable systems, including evaluating security patches for applicability, the requirement does not address mechanisms to acquire the patch file from a vendor in a secure manner and methods to validate the integrity of a patch file before installation.

74. With respect to mandatory configuration controls, Reliability Standard CIP–010–2, Requirement R1 requires responsible entities to authorize and document all changes to baseline configurations and, where technically feasible, test patches in a test environment before installing. However, NERC's technical guidance document for CIP–010–2, Requirement R1, Part 1.2 does not require the authorizer to first verify the authenticity of a patch. Similarly, the testing of patches in a test environment under Requirement R1.5 would likely provide insufficient protection as many malware variants are programmed to execute only after the system is rebooted several times. Regarding patch source monitoring, the guidelines and technical basis section for Reliability Standard CIP–007–6 suggests that responsible entities should obtain security patches from original sources, where possible, and indicates that patches should be approved or certified by another source before being assessed and applied.[110] The Reliability Standard, however, does not require the use of these techniques. Implementing controls that verify integrity and authenticity of software and its publishers may help mitigate security gaps listed above.

[102, continued from the previous page] Comments at 12; Luminant NOPR Comments at 4–5; SCE NOPR Comments at 6.
[103] Trade Associations Post-Technical Conference Comments at 6.
[104] NIPSCO NOPR Comments at 5; Luminant NOPR Comments at 4; G&T Cooperatives NOPR Comments at 8–9.
[105] Southern NOPR Comments at 13.
[106] AEP NOPR Comments at 7–8; NextEra NOPR Comments at 4–5; Southern NOPR Comments at 12–13.
[107] Luminant NOPR Comments at 5.
[108] Since the directive to NERC to develop a new or modified Reliability Standard is limited to the four objectives discussed above, we limit our analysis of the existing CIP Reliability Standards to requirements that relate to those objectives.
[109] See Trade Associations NOPR Comments at 38 (indicating that integrity checking mechanisms used to verify software, firmware, and information integrity found in the NIST SP–800–161 System and Information Integrity (SI) control family are not addressed in the CIP version 5 Reliability Standards).
[110] Reliability Standard CIP–007–6 (Cyber Security—Systems Security Management), Guidelines and Technical Basis at 42–43.

75. In sum, the current CIP Reliability Standards do contain certain controls addressing the risks posed by malware, as stated by commenters. Verifying software integrity and authenticity, however, is a reasonable and appropriate complement to these controls, is not required by the current Standards, and is supported by the
[[Page 49889]]

principle of defense-in-depth. In fact, this verification can be viewed as the first line of defense against malware-infected software.

Vendor Remote Access to BES Cyber Systems

76. On the subject of vendor remote access, which includes vendor user-initiated Interactive Remote Access and vendor machine-to-machine remote access, existing CIP Reliability Standards contain system access requirements, including a requirement for security event monitoring. However, the CIP Reliability Standards do not require remote access session logging for machine-to-machine remote access, nor do they address the ability to monitor or close unsafe remote connections for both vendor Interactive Remote Access and vendor machine-to-machine remote access.[111] The CIP Reliability Standards should address enhanced session logging requirements for vendor remote access in order to improve visibility of activity on BES Cyber Systems and give responsible entities the ability to rapidly disable remote access sessions in the event of a system breach.

77. The existing requirements referenced by NERC, the Trade Associations, and other commenters do not adequately address access restrictions for vendors. For example, while Reliability Standard CIP–004–6, Requirements R4 and R5 provide controls that must be applied to vendors such as restricting access to individuals "based on need," these Requirements do not include post-authorization logging or control of remote access. The existing CIP Reliability Standards do not require a responsible entity to monitor data traffic that traverses remote communication to their BES Cyber Systems. The absence of post-authorization monitoring and logging presents an opportunity for unmonitored malicious or otherwise

communication could mitigate such a vulnerability.

78. Reliability Standard CIP–005–5, Requirement R1 provides controls for vendor machine-to-machine and vendor user-initiated Interactive Remote Access sessions by restricting all inbound and outbound communications through an identified Electronic Access Point for bi-directional routable protocol connections. Reliability Standard CIP–005–5, Requirement R2 provides controls for vendor interactive remote access sessions by requiring the use of encryption and requiring multi-factor authentication. However, the provisions of Reliability Standard CIP–005–5, Requirement R2 addressing interactive remote access management do not apply to vendor machine-to-machine remote access. The Reliability Standard CIP–005–5, Requirement R2 controls addressing interactive remote access management only apply to remote connections that are user-initiated (i.e., initiated by a person). Machine-to-machine connections are not user-initiated and, therefore, are not subject to the requirements of Reliability Standard CIP–005–5, Requirement R2. When the interactive remote access management controls of Reliability Standard CIP–005–5, Requirement R2 do not apply, a machine-to-machine remote communication may access a BES Cyber System without any access credentials, over an unencrypted channel, and without going through an Intermediate System.

79. For both Interactive Remote Access and machine-to-machine remote access, Reliability Standard CIP–007–6, Requirement R3 requires monitoring for malicious code and Requirement R4 requires logging of successful and unsuccessful login attempts, as well as logging detected malicious code. However, Reliability Standard CIP–007–6 does not address the risks posed by inappropriate activity that could occur during a remote communication. The

contain certain controls addressing the risks posed by vendor remote access, as noted by commenters. However, the current CIP Reliability Standards do not require monitoring remote access sessions or closing unsafe remote connections for either vendor Interactive Remote Access and vendor machine-to-machine remote access. Accordingly, we determine that vendor remote access is not adequately addressed in the approved CIP Reliability Standards and, therefore, is an objective that must be addressed in the supply chain management plans directed in this final rule.

Information System Planning and Procurement

81. The existing CIP Reliability Standards do not address information system planning. Recent cybersecurity incidents[112] have made it apparent that overall system planning is as important to overall BES Cyber System security and reliability as any other component of security architecture. In general, the CIP Reliability Standards do not provide a framework for maintaining ongoing awareness of information security, vulnerabilities, and threats to support organization risk management decisions;[113] nor do they address the concept of integrating continuous improvement of organizational security posture with supply chain risk management as recommended by NIST SP 800–161.[114] Based on the threats evidenced by recent cybersecurity incidents, the absence of security considerations in system lifecycle processes constitutes a gap in the CIP Reliability Standards that could contribute to pervasive and systemic vulnerabilities that threaten bulk electric system reliability.

82. The existing CIP Reliability Standards also do not provide for procurement controls for industrial control system hardware, software, and computing and networking services. As
                                                  inappropriate remote communication to                    lack of a requirement addressing the                  discussed above, procurement controls
                                                  or from a BES Cyber System. The                          detection of inappropriate activity                   are intended to address the threat that
                                                  inability of a responsible entity to                     represents a risk because the responsible             responsible entities could enter into
                                                  rapidly terminate a connection may                       entity may not be aware if an authorized              contracts with vendors who pose
                                                  allow malicious or otherwise                             user is performing inappropriate activity             significant risks to their information
                                                  inappropriate communication to                           on a BES Cyber Asset via a remote                     systems or procure products that fail to
                                                  propagate, contributing to a degradation                 connection. This risk is higher for
                                                  of a BES Cyber Asset’s function.                         machine-to-machine communication                         112 See E–ISAC, Analysis of the Cyber Attack on

                                                  Enhanced visibility into remote                          due to the lack of authentication and                 the Ukrainian Power Grid at 3 (March 18, 2016); see
                                                  communications and the ability to                        encryption requirements in the existing               also Dell, Dell Security Annual Threat Report
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                                                                                                                                 (2015) at 7, https://software.dell.com/docs/2015-
                                                  rapidly terminate a remote                               CIP Reliability Standards, lowering the               dell-security-annual-threat-report-white-paper-
                                                                                                           threshold for a malicious actor to                    15657.pdf; Olcott Technical Conference Comments
                                                     111 See Trade Association NOPR Comments at 43         execute a man-in-the-middle attack to                 at 2.
                                                                                                                                                                    113 See NIST Special Publication 800–137,
                                                  (indicating that mechanisms for monitoring for           gain access to a BES Cyber System and
                                                  unauthorized personnel, connections, devices, and                                                              Information Security Continuous Monitoring (ISCM)
                                                                                                           conduct inappropriate activity such as                for Federal Information Systems and Organizations
                                                  software found in the NIST SP–800–161 System
                                                  and Information Integrity (SI) control family are not    reconnaissance or code modification.                  at vi, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/
                                                  addressed in the CIP version 5 Reliability                 80. Therefore, we recognize that the                nistspecialpublication800-137.pdf.
                                                  Standards).                                              current CIP Reliability Standards do                     114 NIST Special Publication 800–161 at 46.




                                             VerDate Sep<11>2014   17:04 Jul 28, 2016   Jkt 238001   PO 00000   Frm 00035   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM   29JYR1


[[Page 49890]]

meet minimum security criteria, as well as the risk that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.

83. With regard to commenters' suggestion that the Commission direct NERC to develop cybersecurity procurement guidance documents as opposed to a mandatory Reliability Standard, we agree that the voluntary efforts identified by commenters could provide guidance or otherwise inform NERC's standard development process. We conclude, however, that relying on voluntary guidelines to address the supply chain risks described above is not sufficient to fulfill the Commission's responsibilities under FPA section 215.

4. Vendor Risk Management and Procurement Controls

Comments

84. NERC, G&T Cooperatives, Arkansas and others state that responsible entities have limited influence over vendors and contractors, and, therefore, a limited ability to affect the supply chain for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.[115] NERC contends that any supply chain management Reliability Standard "must balance the reliability need to implement supply chain management security controls with entities' business need to obtain products and services at a reasonable cost."[116] NERC maintains that responsible entities lack bargaining power to persuade vendors or suppliers to implement cybersecurity controls without significantly increasing the cost of their products or services. NERC points to NIST SP 800–161 to highlight that implementing supply chain security management controls "will require financial and human resources, not just from the [acquirer] directly but also potentially from their system integrators, suppliers, and external service providers that would also result in increased cost to the acquirer."[117]

85. G&T Cooperatives contend that they "have minimal control over their suppliers and are not able to identify all potential vulnerabilities associated with each and every supplier and their products/parts."[118] G&T Cooperatives and Arkansas maintain that responsible entities do not have the ability to force a vendor to address all potential vulnerabilities. G&T Cooperatives assert that even if a contract between a responsible entity and a supplier "could include" language requiring the supplier to implement security controls, "it is not feasible for contractual terms . . . to address all potential vulnerabilities related to supply chain management."[119]

86. NERC, Trade Associations, G&T Cooperatives and Arkansas also raise a concern that the Commission's proposal could place compliance risk on responsible entities for actions beyond their control and, ultimately, incent responsible entities to avoid upgrades that could trigger such compliance risk.[120] NERC states that any supply chain management Reliability Standard should be drafted so that it "creates affirmative obligations to implement supply chain management security controls without holding entities strictly liable for any failure of those controls to eliminate all supply chain threats and vulnerabilities."[121] NERC explains that if a supply chain management Reliability Standard is not reasonably scoped to avoid unreasonable compliance risk, it could create a disincentive for responsible entities to purchase and install new technologies and equipment.

87. G&T Cooperatives state that "placing the compliance risk of vendor and supplier security vulnerability on Responsible Entities could incent Responsible Entities to avoid upgrades to their industrial control system hardware, software, and other services." G&T Cooperatives explain that there are three primary incentives for a responsible entity to avoid upgrades if faced with compliance risks: (1) New regulations would result in additional costs for vendors and suppliers that would be passed on to the end-user; (2) since security patches are not issued by vendors for unsupported hardware and software, there is less security patch management responsibility for the responsible entity; and (3) avoiding new hardware and software reduces the risk of introducing undetected security threats.[122]

Discussion

88. Our directive to NERC to develop a new or modified Reliability Standard that addresses the objectives outlined above balances the supply chain risks facing the bulk electric system against any potential challenges raised by vendor relationships. We believe that the concerns raised in comments with respect to responsible entities' relationships with vendors in relation to supply chain risks are valid. Our directive is informed by this concern and reflects a reasonable balance between the risks facing bulk electric system reliability from the supply chain and concerns over vendor relationships. The directive strikes this balance by addressing supply chain risks that are within responsible entities' control, and we do not expect a new or modified supply chain Reliability Standard to impose obligations directly on vendors. Moreover, entities will not be responsible for vendor errors beyond the scope of the controls implemented to comply with the Reliability Standards.

89. With respect to concerns that the Commission's proposal could place compliance risk on responsible entities for actions beyond their control, which some commenters argue would prompt responsible entities to avoid upgrades that could trigger such compliance risk, we reiterate that the intent of the directive is to address supply chain risks that are within the responsible entities' control. As part of NERC's standard development process, we expect NERC to establish provisions addressing compliance obligations in a manner that avoids shifting liability from a vendor for its mistakes to a responsible entity. Finally, we view the argument that a new or modified Reliability Standard will result in a substantial increase in costs to be speculative because, beyond requiring NERC to address the four objectives discussed above, or some equally effective and efficient alternatives, our directive does not require NERC to develop a Reliability Standard that mandates any particular controls or actions.

III. Information Collection Statement

90. The Paperwork Reduction Act (PRA)[123] requires each federal agency to seek and obtain Office of Management and Budget (OMB) approval before undertaking a collection of information directed to ten or more persons or contained in a rule of general applicability. OMB regulations[124] require approval of certain information collection requirements imposed by agency rules. Upon approval of a collection of information, OMB will

[115] NERC NOPR Comments at 11–12; G&T Cooperatives NOPR Comments at 9; Arkansas NOPR Comments at 5.

[116] NERC NOPR Comments at 11–12.

[117] Id. (citing NIST Special Publication 800–161 at 3).

[118] G&T Cooperatives NOPR Comments at 9.

[119] Id. at 9.

[120] NERC NOPR Comments at 13; Trade Associations NOPR Comments at 24–25; G&T Cooperatives NOPR Comments at 9–10; Arkansas NOPR Comments at 6.

[121] NERC NOPR Comments at 13.

[122] G&T Cooperatives NOPR Comments at 9.

[123] 44 U.S.C. 3507(d).

[124] 5 CFR 1320.

[[Page 49891]]

assign an OMB control number and an expiration date. Respondents subject to the filing requirements of an agency rule will not be penalized for failing to respond to the collection of information unless the collection of information displays a valid OMB control number.

91. The Commission will submit the information collection requirements to OMB for its review and approval. The Commission solicits public comments on its need for this information, whether the information will have practical utility, the accuracy of burden and cost estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques.

92. The information collection requirements in this Final Rule in Docket No. RM15–14–002 for NERC to develop a new or to modify a Reliability Standard for supply chain risk management should be part of FERC–725 (Certification of Electric Reliability Organization; Procedures for Electric Reliability Standards (OMB Control No. 1902–0225)). However, there is an unrelated item which is currently pending OMB review under FERC–725, and only one item per OMB Control No. can be pending OMB review at a time. Therefore, the requirements in this Final Rule in RM15–14–002 are being submitted under a new temporary or interim collection number, FERC–725(1A), to ensure timely submittal to OMB. In the long term, Commission staff plans to administratively move the requirements and associated burden of FERC–725(1A) to FERC–725.

93. Burden Estimate and Information Collection Costs: The requirements for the ERO to develop Reliability Standards and to provide data to the Commission are included in the existing FERC–725. FERC–725 includes information used by the Commission to implement the statutory provisions of section 215 of the FPA. FERC–725 includes the burden, reporting and recordkeeping requirements associated with: (a) Self-Assessment and ERO

Development, (d) Reliability Compliance, (e) Stakeholder Survey, and (f) Other Reporting. In addition, the Final Rule will not result in a substantive increase in burden because this requirement to develop standards is covered under FERC–725. However, because FERC is using the temporary information collection number, FERC–725(1A), FERC will use "placeholder" estimates of 1 response and 1 burden hour for the burden calculation.

IV. Regulatory Flexibility Act Analysis

94. The Regulatory Flexibility Act of 1980 (RFA)[125] generally requires a description and analysis of final rules that will have significant economic impact on a substantial number of small entities. The Small Business Administration (SBA) revised its size standard (effective January 22, 2014) for electric utilities from a standard based on megawatt hours to a standard based on the number of employees, including affiliates.[126] The entities subject to the Reliability Standards developed by the North American Electric Reliability Corporation (NERC) include users, owners, and operators of the Bulk-Power System, which serves more than 334 million people. In addition, NERC's current responsibilities include the development of Reliability Standards. Accordingly, the Commission certifies that the requirements in this Final Rule will not have a significant economic impact on a substantial number of small entities, and no regulatory flexibility analysis is required.

V. Environmental Analysis

95. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.[127] The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the

categorical exclusion in the Commission's regulations.

VI. Effective Date and Congressional Notification

96. This Final Rule is effective September 27, 2016. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a "major rule" as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. This Final Rule is being submitted to the Senate, House, and Government Accountability Office.

VII. Document Availability

97. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426.

98. From the Commission's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field.

User assistance is available for eLibrary and the Commission's Web site during normal business hours from the Commission's Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

By the Commission.

Issued: July 21, 2016.

Nathaniel J. Davis, Sr.,
Deputy Secretary.
                                                  Application, (b) Reliability                                              regulations being amended.128 The                       Note: The following Appendix will not
                                                  Assessments, (c) Reliability Standards                                    actions proposed herein fall within this              appear in the Code of Federal Regulations.

                                                                                                                                     APPENDIX—COMMENTERS
                                                                              Abbreviation                                                                                   Commenter
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                  AEP ........................................................................   American Electric Power Service Corporation.
                                                  ACS ........................................................................   Applied Control Solutions, LLC.
                                                  APS ........................................................................   Arizona Public Service Company.

                                                    125 5
                                                        U.S.C. 601–612.                                                       127 Regulations Implementing the National             128 18   CFR 380.4(a)(2)(ii).
                                                    126 SBA Final Rule on ‘‘Small Business Size                             Environmental Policy Act of 1969, Order No. 486,
                                                  Standards: Utilities,’’ 78 FR 77,343 (Dec. 23, 2013).                     FERC Stats. & Regs. ¶ 30,783 (1987).



                                             VerDate Sep<11>2014         17:04 Jul 28, 2016       Jkt 238001       PO 00000      Frm 00037   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM   29JYR1


                                                  49892                        Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations

APPENDIX—COMMENTERS—Continued

Abbreviation            Commenter
Arkansas                Arkansas Electric Cooperative.
BPA                     Bonneville Power Administration.
CEA                     Canadian Electricity Association.
Consumers Energy        Consumers Energy Company.
CyberArk                CyberArk.
EnergySec               Energy Sector Security Consortium, Inc.
Ericsson                Ericsson.
Resilient Societies     Foundation for Resilient Societies.
G&T Cooperatives        Associated Electric Cooperative, Inc., Basin Electric Power Cooperative, and Tri-State Generation and Transmission Association, Inc.
Gridwise                Gridwise Alliance.
Idaho Power             Idaho Power Company.
Indegy                  Indegy.
IESO                    Independent Electricity System Operator.
IRC                     ISO/RTO Council.
ISO New England         ISO New England Inc.
ITC                     ITC Companies.
Isologic                Isologic, LLC.
KCP&L                   Kansas City Power & Light Company and KCP&L Greater Missouri Operations Company.
Luminant                Luminant Generation Company, LLC.
NEMA                    National Electrical Manufacturers Association.
NERC                    North American Electric Reliability Corporation.
NextEra                 NextEra Energy, Inc.
NIPSCO                  Northern Indiana Public Service Co.
NWPPA                   Northwest Public Power Association.
Peak                    Peak Reliability.
PNM                     PNM Resources.
Reclamation             Department of Interior Bureau of Reclamation.
SIA                     Security Industry Association.
SCE                     Southern California Edison Company.
Southern                Southern Company Services.
SPP RE                  Southwest Power Pool Regional Entity.
SWP                     California Department of Water Resources State Water Project.
TVA                     Tennessee Valley Authority.
Trade Associations      Edison Electric Institute, American Public Power Association, National Rural Electric Cooperative Association, Electric Power Supply Association, Transmission Access Policy Study Group, and Large Public Power Council.
UTC                     Utilities Telecom Council.
Waterfall               Waterfall Security Solutions, Ltd.
Wisconsin               Wisconsin Electric Power Company.



UNITED STATES OF AMERICA
FEDERAL ENERGY REGULATORY COMMISSION

Revised Critical Infrastructure Protection Reliability Standards, Docket No. RM15–14–002

(Issued July 21, 2016)

LaFLEUR, Commissioner dissenting:

In today’s order, the Commission elects to proceed directly to a Final Rule and require the development of a new reliability standard on supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. I fully support the Commission’s continued attention to the threat of inadequate supply chain risk management procedures, which pose a very real threat to grid reliability.

However, in my view, the importance and complexity of this issue should guide the Commission to proceed cautiously and thoughtfully in directing the development of a reliability standard to address these threats. I am concerned that the Commission has not adequately considered or vetted the Final Rule, which could hamper the development and implementation of an effective, auditable, and enforceable standard. I believe that the more prudent course of action would be to issue today’s Final Rule as a Supplemental Notice of Proposed Rulemaking (Supplemental NOPR), which would provide NERC, industry, and stakeholders the opportunity to comment on the Commission’s proposed directives. Accordingly, and as discussed below, I dissent from today’s order.[1]

I. The Commission’s Decision To Proceed Directly to Final Rule Is Flawed and Could Delay Protection of the Grid Against Supply Chain Risks

Last July, as part of its NOPR addressing revisions to its cybersecurity critical infrastructure protection (CIP) standards, the Commission raised for the first time the prospect of directing the development of a standard to address risks posed by lack of controls for supply chain management.[2] The Commission indicated that new threats might warrant directing NERC to develop a standard to address those risks. While the Commission noted a variety of considerations that might shape the standard, including, among others, jurisdictional limits and the individualized nature of companies’ supply chain management procedures, the Commission notably did not propose a specific standard for comment. Instead, the Commission sought comment on (1) the general proposal to require a standard, (2) the anticipated features of, and requirements that should be included in, such a standard, and (3) a reasonable timeframe for development of a standard.[3]

[1] I do agree with one holding in the order: That the Commission has authority under section 215 of the Federal Power Act to promulgate a standard on this issue.
[2] Revised Critical Infrastructure Protection Reliability Standards, Notice of Proposed Rulemaking, 80 FR 43,354 (July 22, 2015), 152 FERC ¶ 61,054 (2015). I will refer to the section of that order addressing supply chain issues as the “Supply Chain NOPR,” and the remainder of the order as the “CIP NOPR.”
[3] Id. P 66.

The record developed in comments responding to the Supply Chain NOPR and through the January 28, 2016 technical conference reflects a wide diversity of views





regarding the need for, and possible content of, a reliability standard addressing supply chain management. Notwithstanding these diverse views, there was broad consensus on one point: That effectively addressing cybersecurity threats in supply chain management is tremendously complicated, due to a host of jurisdictional, technical, economic, and business relationship issues. Indeed, in the Supply Chain NOPR, the Commission recognized “that developing a supply chain management standard would likely be a significant undertaking and require extensive engagement with stakeholders to define the scope, content, and timing of the standard.”[4]

Yet, the Commission is proceeding straight to a Final Rule without in my view engaging in sufficient outreach regarding, or adequately vetting, the contents of the Final Rule. As to those contents, it is worth noting that the four objectives that will define the scope and content of the standard were not identified in the Supply Chain NOPR. Therefore, even though the Final Rule reflects feedback received on the Supply Chain NOPR, and is not obviously inconsistent with the Supply Chain NOPR, no party has yet had an opportunity to comment on those objectives or consider how they could be translated into an effective and enforceable standard.[5] This is a consequence of: (1) The lack of outreach on supply chain threats prior to issuing the Supply Chain NOPR; (2) the lack of detail in the Supply Chain NOPR regarding what a standard might look like; and (3) the decision today to proceed straight to a Final Rule rather than provide additional opportunities for public feedback.

A. The Commission and the Public’s Consideration of Supply Chain Risks Would Benefit From Additional Stakeholder Engagement

First, I believe that meaningful stakeholder input on the content of any proposed rule is essential to the Commission’s deliberative process. This is especially important in our reliability work, as any standard developed by NERC must be approved by stakeholder consensus before it may be filed at the Commission. I do not believe that the record developed to date establishes that the Final Rule will lead to an appropriate solution to address supply chain risks. I note that much of the feedback we received in response to the Supply Chain NOPR was not focused on the merits of particular approaches to address supply chain threats. Yet, in this order, the Commission directs the development of a standard based on objectives not reflected in the Supply Chain NOPR, depriving the public of the ability to comment, and the Commission of the benefit of that public comment.

In retrospect, given both the preliminary [...] that the Supply Chain NOPR was, in substance, a de facto Notice of Inquiry and should have been issued as such, rather than as a subsection of the broader CIP NOPR on changes to the CIP standards. For example, it is instructive to compare the Supply Chain NOPR with two other documents: (1) The Notice of Inquiry being issued today on cybersecurity issues arising from the recent incident in Ukraine,[6] and (2) the NOPR concerning the proposed development of a reliability standard to address geomagnetic disturbances.[7] The level of detail and consideration of the issues presented in the Supply Chain NOPR are much more consistent with that in a Notice of Inquiry than a traditional NOPR. As a result, I am concerned that the Commission, by styling its prior action as a NOPR, has skipped a critical step in the rulemaking process: The opportunity for public comment on its directive to develop a standard and the objectives that will frame the design and development of that standard. As explained below, I believe this procedural decision actually makes it less likely that an effective, auditable, and enforceable standard will be implemented on a reasonable schedule, particularly given the acknowledged complexity of this issue.[8]

B. The Lack of Adequate Stakeholder Engagement Will Have Negative Consequences for the Standards Development Process

I am also concerned about the consequences for the standards development process of the Commission’s decision to proceed straight to a Final Rule. In particular, I am concerned that the combination of insufficient process and discussion to develop the record and inadequate time for standards development (since the Commission substantially truncated NERC’s suggested timeline)[9] will handicap NERC’s ability to develop an effective and enforceable proposed standard for the Commission to consider. As noted above, NERC, industry, and other stakeholders will have no meaningful opportunity before initiating their work to provide feedback on the contents of the rule, to seek clarification from the Commission, or to propose revisions to the rule. Yet, this type of feedback is a critical component of the rulemaking process, to ensure that the entities tasked with implementing the Commission’s directive have been heard and understand what they are supposed to do. I believe that the Commission is essentially giving the standards development team a homework assignment without adequately explaining what it expects them to hand in.

I do not believe that the Final Rule’s flexibility is a justification for proceeding straight to a Final Rule. Indeed, given the inadequate process to date, I fear that the flexibility is in fact a lack of guidance and will therefore be a double-edged sword. The Commission is issuing a general directive in the Final Rule, in the hope that the standards team will do what the Commission clearly could not do: translate general supply chain concerns into a clear, auditable, and enforceable standard within the framework of section 215 of the Federal Power Act. While the Commission need not be prescriptive in its standards directives, the Commission’s order assumes that the standards development team will be able to take the “objectives” of the Final Rule and translate them into a standard that the Commission will ultimately find acceptable. I believe that issuing a Supplemental NOPR would benefit the standards development process by enabling additional discussion and feedback regarding the design of a workable standard.

C. By Failing To Engage in Adequate Stakeholder Outreach Before Directing Development of a Standard, the Commission Increases the Likelihood That Implementation of a Standard Will Be Delayed

A compressed and possibly compromised standards development process also has real consequences for the Commission’s consideration of that proposed standard, whenever it is filed for our review. Unlike our authority under section 206 of the FPA, the Commission lacks authority under section 215 to directly modify a flawed reliability standard. Instead, to correct any flaws, the statute requires that we remand the standard to NERC and the standards development process.[10] Thus, notwithstanding the majority’s desire to quickly proceed to Final Rule, the statutory

[6] Cyber Systems in Control Centers, Notice of Inquiry, Docket No. RM16–18–000.
[7] Reliability Standards for Geomagnetic Disturbances, Notice of Proposed Rulemaking, 77 FR 64,935 (Oct. 24, 2012), 141 FERC ¶ 61,045 (2012).
[8] I believe that Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014) (Physical Security Directive Order), which is cited in the Final Rule as support for today’s action, is primarily relevant to demonstrate a different point than the order indicates. The Physical Security Directive Order followed focused outreach with NERC and other stakeholders to discuss how a physical security standard could be designed and implemented within the parameters of section 215 of the Federal Power Act. As a result of that outreach, the directives in the Physical Security Directive Order were clear, targeted, and reflected shared priorities between the Commission and NERC. Physical Security Directive Order, 146 FERC ¶ 61,166 at PP 6–9. Consequently, NERC was able to develop and file a physical security standard
[...] Commission provide a minimum of two years for the standards development process. However, the
                                                  nature of the consideration of the issue and             with the Commission in less than three months, and      Commission disregards that request and directs
asabaliauskas on DSK3SPTVN1PROD with RULES




                                                                                                           the Commission ultimately approved that standard        NERC to develop a standard in just one year,
                                                  the lack of a concrete idea regarding what a
                                                                                                           in November 2014, only roughly eight months after       apparently based solely on the Trade Associations’
                                                  proposed standard would look like, I believe             directing its development. Physical Security            request that the Commission allow at least one year
                                                                                                           Reliability Standard, 149 FERC ¶ 61,140 (2014). In      for the standards development process. I believe
                                                    4 Id.                                                  my view, this example demonstrates how essential        this timeline is inconsistent with the Commission’s
                                                    5 To be clear, I am less concerned about whether       outreach is to the timely and effective development     own recognition of the complexity of this issue,
                                                  the Final Rule satisfies minimal notice                  of NERC standards.                                      and, as discussed herein, likely to delay rather than
                                                  requirements than whether the Final Rule                   9 In its comments responding to the Supply Chain      expedite the implementation of an effective,
                                                  represents reasoned decision making by the               NOPR, NERC requested that, if the Commission            auditable, and enforceable standard.
                                                  Commission.                                              decides to direct the development of a standard, the      10 18 U.S.C. 824o(d)(4).




                                             VerDate Sep<11>2014   17:04 Jul 28, 2016   Jkt 238001   PO 00000   Frm 00039   Fmt 4700   Sfmt 4700   E:\FR\FM\29JYR1.SGM    29JYR1


                                                  49894                Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations

construct constrains our ability to timely address a flawed standard, which could actually delay implementation of the protections the Commission seeks to put in place.

Given the realities of the standards development and approval process, we are likely years away from a supply chain standard being implemented, even under the aggressive schedule contemplated in the order. I believe that the Commission should endeavor to provide as much advance guidance as possible before mandating the development of a standard, to increase the likelihood that NERC develops a standard that will be satisfactory to the Commission and reduce the need for a remand. I worry that the limited process that preceded the Final Rule and the expedited timetable will make it extremely difficult for NERC to file a standard that the Commission can cleanly approve. Had the Commission committed itself to conducting adequate outreach, I believe we could have mitigated the likelihood of that outcome, and more effectively and promptly addressed the supply chain threat in the long term. “Delaying” action for a few months thus would, in the long run, lead to prompter and stronger protection for the grid.

II. Conclusion

The choice the Commission faces today on supply chain risk management is not between action and inaction. Rather, given the importance of this issue, I believe that more considered action and a more developed Commission order, even if delayed by a few months, is better than a quick decision to “do something.” Ultimately, an effective, auditable, and enforceable standard on supply chain management will require thoughtful consideration of the complex challenges of addressing cybersecurity threats posed through the supply chain within the structure of the FERC/NERC reliability process. In my view, the Commission gains very little and does not meaningfully advance the security of the grid by proceeding straight to a Final Rule, rather than taking the time to build a record to support a workable standard.

Accordingly, I respectfully dissent.

Cheryl A. LaFleur,
Commissioner.

[FR Doc. 2016–17842 Filed 7–28–16; 8:45 am]
BILLING CODE 6717–01–P

Document Created: 2018-02-08 07:51:15
Document Modified: 2018-02-08 07:51:15
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This rule is effective September 27, 2016.
Contact: Daniel Phillips (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6387, [email protected]
FR Citation: 81 FR 49878
