83 FR 17913 - Revised Critical Infrastructure Protection Reliability Standard CIP-003-7-Cyber Security-Security Management Controls

[Federal Register Volume 83, Number 80 (Wednesday, April 25, 2018)]
[Rules and Regulations]
[Pages 17913-17921]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-08610]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM17-11-000; Order No. 843]


Revised Critical Infrastructure Protection Reliability Standard 
CIP-003-7--Cyber Security--Security Management Controls

AGENCY: Federal Energy Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) approves 
Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-7 
(Cyber Security--Security Management Controls), submitted by the North 
American Electric Reliability Corporation (NERC). Reliability Standard 
CIP-003-7 clarifies the obligations pertaining to electronic access 
control for low impact BES Cyber Systems; requires mandatory security 
controls for transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at low impact BES Cyber Systems; and 
requires responsible entities to have a policy for declaring and 
responding to CIP Exceptional Circumstances related to low impact BES 
Cyber Systems. In addition, the Commission directs NERC to develop 
modifications to the CIP Reliability Standards to mitigate the risk of 
malicious code that could result from third-party transient electronic 
devices.

DATES: This rule will become effective June 25, 2018.

FOR FURTHER INFORMATION CONTACT: 
Matthew Dale (Technical Information), Office of Electric Reliability, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6826, [email protected]
Kevin Ryan (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE, Washington, DC 
20426, (202) 502-6840 [email protected]

SUPPLEMENTARY INFORMATION: 
Before Commissioners: Kevin J. McIntyre, Chairman; Cheryl A. 
LaFleur, Neil Chatterjee, Robert F. Powelson, and Richard Glick.

    1. Pursuant to section 215 of the Federal Power Act (FPA),\1\ the

[[Page 17914]]

Commission approves Reliability Standard CIP-003-7 as just, reasonable, 
not unduly discriminatory or preferential, and in the public interest. 
Reliability Standard CIP-003-7 addresses the Commission's directives 
from Order No. 822 and is an improvement over the current Commission-
approved CIP Reliability Standards.\2\ Specifically, Reliability 
Standard CIP-003-7 improves upon the existing Reliability Standards by: 
(1) Clarifying the obligations pertaining to electronic access control 
for low impact BES Cyber Systems; \3\ (2) adopting mandatory security 
controls for transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at low impact BES Cyber Systems; and 
(3) requiring responsible entities to have a policy for declaring and 
responding to CIP Exceptional Circumstances related to low impact BES 
Cyber Systems. We also approve NERC's proposed implementation plan and 
violation risk factor and violation severity level assignments. 
Finally, we approve NERC's proposed revised definitions for inclusion 
in the NERC Glossary.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o (2012).
    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 822, 154 FERC ¶ 61,037, reh'g denied, Order No. 
822-A, 156 FERC ¶ 61,052 (2016).
    \3\ BES Cyber System is defined by NERC as ``[o]ne or more BES 
Cyber Assets logically grouped by a responsible entity to perform 
one or more reliability tasks for a functional entity.'' Glossary of 
Terms Used in NERC Reliability Standards (NERC Glossary). The 
acronym BES refers to the bulk electric system. Reliability Standard 
CIP-002-5.1a (Cyber Security System Categorization) provides a 
``tiered'' approach to cybersecurity requirements, based on 
classifications of high, medium and low impact BES Cyber Systems.
---------------------------------------------------------------------------

    2. In the NOPR, the Commission proposed to direct that NERC modify 
Reliability Standard CIP-003-7 to: (1) Provide clear, objective 
criteria for electronic access controls for low impact BES Cyber 
Systems; and (2) address the need to mitigate the risk of malicious 
code that could result from third-party transient electronic 
devices.\4\ The Commission adopts the NOPR proposal regarding third-
party transient electronic devices but does not adopt the proposal 
regarding criteria for electronic access controls for low impact BES 
Cyber Systems.
---------------------------------------------------------------------------

    \4\ Revised Critical Infrastructure Protection Reliability 
Standard CIP-003-7--Cyber Security--Security Management Controls, 
Notice of Proposed Rulemaking, 82 FR 49541 (Oct. 26, 2017), 161 FERC 
¶ 61,047 (2017) (NOPR).
---------------------------------------------------------------------------

    3. As discussed below, in view of the comments from NERC and 
others, we are persuaded that Reliability Standard CIP-003-7 provides a 
clear security objective that establishes compliance expectations. 
Accordingly, we do not adopt the proposed directive relating to 
electronic access controls for low impact BES Cyber Systems. Instead, 
as suggested in the comments, we direct NERC to conduct a study to 
assess the implementation of Reliability Standard CIP-003-7 to 
determine whether the electronic access controls adopted by responsible 
entities provide adequate security. NERC must submit the directed study 
within eighteen months of the effective date of Reliability Standard 
CIP-003-7.
    4. With regard to the second issue discussed in the NOPR, we remain 
concerned that the proposed Reliability Standard lacks a clear 
requirement to mitigate the risk of malicious code that could result 
from third-party transient electronic devices. Accordingly, we direct 
NERC to develop a modification to the Reliability Standard to provide 
the needed clarity. Such modification will better ensure that 
registered entities clearly understand their mitigation obligations 
and, thus, improve individual entity mitigation plans and collectively 
improve the cybersecurity posture of the electric grid.

I. Background

A. Section 215 and Mandatory Reliability Standards

    5. Section 215 of the FPA requires a Commission-certified Electric 
Reliability Organization (ERO) to develop mandatory and enforceable 
Reliability Standards, subject to Commission review and approval. 
Reliability Standards may be enforced by the ERO, subject to Commission 
oversight, or by the Commission independently.\5\ Pursuant to section 
215 of the FPA, the Commission established a process to select and 
certify an ERO,\6\ and subsequently certified NERC.\7\
---------------------------------------------------------------------------

    \5\ 16 U.S.C. 824o(e).
    \6\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \7\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (DC Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 822

    6. The Commission approved the ``Version 1'' CIP Reliability 
Standards in January 2008, and subsequently acted on revised versions 
of the CIP Reliability Standards.\8\ On January 21, 2016, in Order No. 
822, the Commission approved seven CIP Reliability Standards: CIP-003-6 
(Security Management Controls), CIP-004-6 (Personnel and Training), 
CIP-006-6 (Physical Security of BES Cyber Systems), CIP-007-6 (Systems 
Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), 
CIP-010-2 (Configuration Change Management and Vulnerability 
Assessments), and CIP-011-2 (Information Protection). The Commission 
determined that the Reliability Standards under consideration at that 
time were an improvement over the prior iteration of the CIP 
Reliability Standards and addressed the directives in Order No. 791 by, 
among other things, addressing in an equally effective and efficient 
manner the need for a NERC Glossary definition for the term 
``communication networks'' and providing controls to address the risks 
posed by transient electronic devices (e.g., thumb drives, laptop 
computers, and other portable devices frequently connected to and 
disconnected from systems) used at high and medium impact BES Cyber 
Systems.\9\
---------------------------------------------------------------------------

    \8\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh'g, Order 
No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order 
No. 706-B, 126 FERC ¶ 61,229 (2009), order on clarification, Order 
No. 706-C, 127 FERC ¶ 61,273 (2009); Version 5 Critical 
Infrastructure Protection Reliability Standards, Order No. 791, 145 
FERC ¶ 61,160 (2013), order on clarification and reh'g, Order No. 
791-A, 146 FERC ¶ 61,188 (2014).
    \9\ Order No. 822, 154 FERC ¶ 61,037 at P 17.
---------------------------------------------------------------------------

    7. In addition, in Order No. 822, pursuant to section 215(d)(5) of 
the FPA, the Commission directed NERC, inter alia, to: (1) Develop 
modifications to the Low Impact External Routable Connectivity (LERC) 
definition to eliminate ambiguity surrounding the term ``direct'' as it 
is used in the LERC definition; and (2) develop modifications to the 
CIP Reliability Standards to provide mandatory protection for transient 
electronic devices used at low impact BES Cyber Systems.\10\
---------------------------------------------------------------------------

    \10\ Id. P 18.
---------------------------------------------------------------------------

C. NERC Petition

    8. On March 3, 2017, NERC submitted a petition seeking approval of 
Reliability Standard CIP-003-7 and the associated violation risk 
factors and violation severity levels, implementation plan and 
effective date. NERC states that Reliability Standard CIP-003-7 
satisfies the criteria set forth in Order No. 672 that the Commission 
applies when reviewing a proposed Reliability Standard.\11\ NERC also 
sought approval of revisions to NERC Glossary definitions for the terms 
Removable

[[Page 17915]]

Media and Transient Cyber Asset, as well as the retirement of the NERC 
Glossary definitions of LERC and Low Impact BES Cyber System Access 
Point (LEAP). In addition, NERC proposed the retirement of Commission-
approved Reliability Standard CIP-003-6.\12\
---------------------------------------------------------------------------

    \11\ See NERC Petition at 2 (citing Order No. 672, FERC Stats. & 
Regs. ¶ 31,204 at PP 262, 321-337); id., Exhibit D (Order No. 672 
Criteria).
    \12\ Reliability Standard CIP-003-7 is not attached to this 
Final Rule. The Reliability Standard is available on the 
Commission's eLibrary document retrieval system in Docket No. RM17-
11-000 and is posted on the NERC website, http://www.nerc.com.
---------------------------------------------------------------------------

    9. NERC states that Reliability Standard CIP-003-7 improves upon 
the existing protections that apply to low impact BES Cyber Systems. 
NERC avers that the proposed modifications address the Commission's 
directives from Order No. 822 by: (1) Clarifying electronic access 
control requirements applicable to low impact BES Cyber Systems; and 
(2) adding requirements for the protection of transient electronic 
devices used for low impact BES Cyber Systems. In addition, while not 
required by Order No. 822, NERC proposes a CIP Exceptional 
Circumstances policy for low impact BES Cyber Systems.
    10. In response to the Commission's directive to develop 
modifications to eliminate ambiguity surrounding the term ``direct'' as 
it is used in the LERC definition, NERC proposes to: (1) Retire the 
terms LERC and LEAP from the NERC Glossary; and (2) modify Section 3 of 
Attachment 1 to Reliability Standard CIP-003-7 ``to more clearly 
delineate the circumstances under which Responsible Entities must 
establish access controls for low impact BES Cyber Systems.'' \13\ NERC 
states that the proposed revisions are designed to simplify the 
electronic access control requirements associated with low impact BES 
Cyber Systems to avoid ambiguities associated with the term ``direct.'' 
NERC explains that it recognized the ``added layer of unnecessary 
complexity'' introduced by distinguishing between ``direct'' and 
``indirect'' access within the LERC definition and asserts that the 
proposed revisions will ``help ensure that Responsible Entities 
implement the required security controls effectively.'' \14\
---------------------------------------------------------------------------

    \13\ NERC Petition at 16.
    \14\ Id. at 16.
---------------------------------------------------------------------------

    11. With regard to the Commission's directive that NERC develop 
modifications to the CIP Reliability Standards to provide mandatory 
protection for transient electronic devices used at low impact BES 
Cyber Systems, NERC proposes to add a new section to Attachment 1 of 
Reliability Standard CIP-003-7 that requires responsible entities to 
include controls in their cyber security plans to mitigate the risk of 
the introduction of malicious code to low impact BES Cyber Systems that 
could result from the use of ``Transient Cyber Assets or Removable 
Media.'' Specifically, proposed Section 5 of Attachment 1 lists 
controls to be applied to Transient Cyber Assets and Removable Media 
that NERC contends ``will provide enhanced protections against the 
propagation of malware from transient devices.'' \15\
---------------------------------------------------------------------------

    \15\ Id. at 26-27.
---------------------------------------------------------------------------

    12. NERC also proposes a modification that was not directed by the 
Commission in Order No. 822. Namely, NERC proposes revisions in 
Requirement R1 of Reliability Standard CIP-003-7 to require responsible 
entities to have a policy for declaring and responding to CIP 
Exceptional Circumstances related to low impact BES Cyber Systems.\16\ 
NERC states that a number of requirements in the existing CIP 
Reliability Standards specify that responsible entities do not have to 
implement or continue implementing these requirements to avoid 
hindering the entities' ability to timely and effectively respond to 
the CIP Exceptional Circumstance. NERC proposes to add a requirement 
for responsible entities to have a CIP Exceptional Circumstances policy 
that applies to low impact BES Cyber Systems since the proposed 
requirements relating to transient electronic devices used at low 
impact BES Cyber Systems include an exception for CIP Exceptional 
Circumstances.\17\
---------------------------------------------------------------------------

    \16\ A CIP Exceptional Circumstance is defined in the NERC 
Glossary as a situation that involves or threatens to involve one or 
more of the following, or similar, conditions that impact safety or 
bulk electric system reliability: A risk of injury or death; a 
natural disaster; civil unrest; an imminent or existing hardware, 
software, or equipment failure; A Cyber Security Incident requiring 
emergency assistance; a response by emergency services; the 
enactment of a mutual assistance agreement; or an impediment of 
large scale workforce availability.
    \17\ NERC Petition at 31-32.
---------------------------------------------------------------------------

    13. NERC requests that Reliability Standard CIP-003-7 and the 
revised definitions of Transient Cyber Asset and Removable Media become 
effective the first day of the first calendar quarter that is eighteen 
months after the effective date of the Commission's order approving the 
Reliability Standard.

D. Notice of Proposed Rulemaking

    14. On October 19, 2017, the Commission issued a NOPR that proposed 
to approve Reliability Standard CIP-003-7. The NOPR proposed to 
determine that Reliability Standard CIP-003-7 is just, reasonable, not 
unduly discriminatory or preferential, and in the public interest and 
addresses the directives in Order No. 822 by: (1) Clarifying the 
obligations pertaining to electronic access control for low impact BES 
Cyber Systems; and (2) adopting mandatory security controls for 
transient electronic devices used at low impact BES Cyber Systems. In 
addition, the NOPR observed that, by requiring responsible entities to 
have a policy for declaring and responding to CIP Exceptional 
Circumstances for low impact BES Cyber Systems, Reliability Standard 
CIP-003-7 would align the treatment of low impact BES Cyber Systems 
with that of high and medium impact BES Cyber Systems, which currently 
include a requirement for declaring and responding to CIP Exceptional 
Circumstances. Therefore, the Commission proposed to approve 
Reliability Standard CIP-003-7 because the proposed modifications 
improve the base-line cybersecurity posture of responsible entities 
compared to the current Commission-approved CIP Reliability Standards.
    15. In addition, the Commission proposed to direct that NERC 
develop modifications to Reliability Standard CIP-003-7 to address 
two issues: (1) Provide clear, objective criteria for electronic access 
controls for low impact BES Cyber Systems; and (2) address the need to 
mitigate the risk of malicious code that could result from third-party 
transient electronic devices. The Commission explained that 
modifications directed at these two concerns will address potential 
gaps and improve the cyber security posture of responsible entities 
that must comply with the CIP Reliability Standards.
    16. The Commission received comments in response to the NOPR from 
Jonathan Appelbaum (Appelbaum), Electric Consumers Resource Council 
(ELCON), North American Electric Reliability Corporation (NERC), 
Transmission Access Policy Study Group (TAPS), and Trade 
Associations.\18\ We address below the issues raised in the NOPR and 
comments.
---------------------------------------------------------------------------

    \18\ Trade Associations represent American Public Power 
Association, Edison Electric Institute, and National Rural Electric 
Cooperative Association.
---------------------------------------------------------------------------

II. Discussion

    17. Pursuant to section 215(d)(2) of the FPA, we approve 
Reliability Standard CIP-003-7 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. Reliability 
Standard CIP-003-7 addresses the directives in Order No. 822 and is an 
improvement over the currently-effective, Commission-

[[Page 17916]]

approved CIP Reliability Standards. Specifically, Reliability Standard 
CIP-003-7 improves upon the existing CIP Reliability Standards by: (1) 
Clarifying the obligations pertaining to electronic access control for 
low impact BES Cyber Systems; (2) adopting mandatory security controls 
for transient electronic devices (e.g., thumb drives, laptop computers, 
and other portable devices frequently connected to and disconnected 
from systems) used at low impact BES Cyber Systems; and (3) requiring 
responsible entities to have a policy for declaring and responding to 
CIP Exceptional Circumstances related to low impact BES Cyber Systems. 
We also approve NERC's proposed implementation plan and violation risk 
factor and violation severity level assignments. Finally, we approve 
NERC's proposed revised definitions for inclusion in the NERC Glossary.
    18. In addition, as discussed below, pursuant to section 215(d)(5) 
of the FPA, we adopt the NOPR proposal and direct NERC to develop 
modifications to the CIP Reliability Standards to mitigate the risk of 
malicious code that could result from third-party transient electronic 
devices. However, for the reasons discussed below, we determine not to 
adopt the NOPR proposal to direct NERC to develop criteria for 
electronic access controls for low impact BES Cyber Systems at this 
time.
    19. Below, we discuss the following matters: (A) Criteria for 
electronic access controls for low impact BES Cyber Systems; (B) 
mitigation of the risk of malicious code associated with third-party 
transient electronic devices; and (C) implementation plan and effective 
date.

A. Criteria for Electronic Access Controls for Low Impact BES Cyber 
Systems

1. NOPR
    20. In the NOPR, the Commission proposed to direct NERC to develop 
modifications to Section 3 of Attachment 1 to Reliability Standard CIP-
003-7 to provide clear, objective criteria for electronic access 
controls for low impact BES Cyber Systems.\19\ Specifically, the 
proposed directive addressed the concern that Reliability Standard CIP-
003-7 may not provide adequate electronic access controls for low 
impact BES Cyber Systems because Reliability Standard CIP-003-7 does 
not provide clear, objective criteria or measures to assess compliance 
by independently confirming that the access control strategy adopted by 
a responsible entity would reasonably meet the security objective of 
permitting only ``necessary inbound and outbound electronic access'' to 
its low impact BES Cyber Systems.\20\ The Commission stated that, in 
order to ensure an objective and consistently-applied requirement, the 
electronic access control plan required in Attachment 1 should require 
the responsible entity to articulate its access control strategy for a 
particular set of low impact BES Cyber Systems and provide a technical 
rationale rooted in security principles explaining how that strategy 
will reasonably restrict electronic access. In addition, the Commission 
stated that Attachment 1 should outline basic security principles in 
order to provide clear, objective criteria or measures to assist in 
assessing compliance.\21\
---------------------------------------------------------------------------

    \19\ NOPR, 161 FERC ¶ 61,047 at P 32.
    \20\ Id. P 28.
    \21\ Id. P 29.
---------------------------------------------------------------------------

    21. The Commission observed that without clear, objective criteria 
or measures, auditors will not necessarily have adequate information to 
assess the reasonableness of the responsible entity's decision with 
respect to how the responsible entity identified necessary 
communications or restricted electronic access to specific low impact 
BES Cyber Systems. The Commission posited that absent such information, 
it is possible that an auditor could assess a violation where an entity 
adequately protected its low impact BES Cyber Systems or fail to 
recognize a situation where additional protections are necessary to 
meet the security objective of the Reliability Standard.\22\
---------------------------------------------------------------------------

    \22\ Id.
---------------------------------------------------------------------------

2. Comments
    22. NERC acknowledges the NOPR concerns but comments that a 
directive ``may not be necessary.'' \23\ Specifically, NERC asserts 
that ``Responsible Entities must provide auditors sufficient 
information to allow the auditors to properly assess compliance with 
section 3.1'' of Reliability Standard CIP-003-7.\24\ NERC contends that 
Section 3.1 ``articulates a clear security objective: permit only 
necessary inbound and outbound access to low impact BES Cyber 
Systems.'' \25\ NERC explains that Section 3.1 is not prescriptive due 
to the wide array of low impact BES Cyber Systems and their lower risk 
to bulk electric system reliability, but, while Section 3.1 grants 
responsible entities flexibility, ``a Responsible Entity must 
demonstrate that its electronic access permissions and controls are 
consistent with the security objective.'' \26\ Specifically, NERC 
maintains that a responsible entity ``must document the necessity of 
its inbound and outbound electronic access permissions and provide 
justification of the need for such access.'' \27\ NERC states further 
that ``[i]f a Responsible Entity fails to articulate a reasonable 
business or operational need for the electronic access permission, the 
ERO Enterprise would find that the Responsible Entity did not comply 
with Section 3.1.'' \28\ NERC continues that ``[c]onsistent with the 
intent of the Commission's proposed directive, the Responsible Entity 
would have to articulate its access control strategy for the low impact 
BES Cyber System and provide a technical rationale rooted in security 
principles, explaining how that strategy will reasonably restrict 
electronic access.'' \29\ NERC states that if a responsible entity 
``fails to demonstrate that its chosen electronic access controls are 
properly designed and implemented to meet the security objective, the 
ERO Enterprise would find that the Responsible Entity did not comply 
with Section 3.1'' of Reliability Standard CIP-003-7.\30\
---------------------------------------------------------------------------

    \23\ NERC Comments at 3.
    \24\ Id. (citing NERC Petition at 21-24).
    \25\ Id.
    \26\ Id. at 3-4.
    \27\ Id. at 4 (citing NERC Petition at 22).
    \28\ Id.
    \29\ Id.
    \30\ Id.
---------------------------------------------------------------------------

    23. NERC concludes that while the Commission's proposed directive 
may not be necessary and could potentially be an inefficient use of 
NERC and industry resources, ``[a]rticulating objective criteria for 
electronic access controls for low impact BES Cyber Systems may improve 
clarity and auditability, and help ensure that entities implement 
effective electronic access controls.'' \31\
---------------------------------------------------------------------------

    \31\ Id. at 5.
---------------------------------------------------------------------------

    24. Trade Associations, TAPS and ELCON do not support the proposed 
directive, claiming that the proposal would impose additional burdens 
on registered entities without a corresponding reliability benefit. 
Trade Associations and TAPS contend that Section 3 of Attachment 1 to 
Reliability Standard CIP-003-7 gives responsible entities needed 
flexibility to develop and implement effective electronic access 
controls for low impact BES Cyber Systems. TAPS adds that Reliability 
Standard CIP-003-7 reflects what NERC, through the standard development 
process, ``determined was a technically appropriate tailoring of 
electronic access controls requirements to low impact BES cyber 
systems.'' \32\ Trade Associations recommend, as an

[[Page 17917]]

alternative to the proposed directive, that the Commission approve the 
proposed Reliability Standard without modification and monitor its 
concerns, for example, by directing NERC to conduct a study to assess 
the implementation by responsible entities of Reliability Standard CIP-
003-7 electronic access controls to determine whether there are in fact 
inadequate controls. According to Trade Associations, a fact-driven 
assessment would help to inform and demonstrate a reliability and 
security need for future Commission actions related to the CIP 
Reliability Standards.\33\
---------------------------------------------------------------------------

    \32\ TAPS Comments at 7 (citing 16 U.S.C. 824o(d)).
    \33\ Trade Associations Comments at 9.
---------------------------------------------------------------------------

    25. Further, Trade Associations assert that a risk-based approach 
is essential to allow responsible entities to focus their resources on 
assets that have a higher impact on bulk electric system reliability. 
ELCON adds that while it ``appreciates the value establishing more 
tangible criteria for adequate Low-Impact BES Cyber System controls, . 
. . the additional requirements that the Commission proposes would do 
nothing to harden a Low-Impact facility against the rapid evolution in 
cyber warfare.'' \34\
---------------------------------------------------------------------------

    \34\ ELCON Comments at 4.
---------------------------------------------------------------------------

    26. Appelbaum supports the proposed directive regarding Section 3 
of Attachment 1 to Reliability Standard CIP-003-7. Appelbaum notes that 
Reliability Standard CIP-003-7 ``leaves the choice of controls to the 
[responsible entity] and leaves an Auditor with no requirement basis to 
perform an audit.'' \35\ Appelbaum states that under ``NERC's proposal 
that each entity establishes their own security plan and only needs to 
demonstrate compliance and adherence to its plan then . . . the 
implementation of security controls will be implemented to various 
levels of security and differentiated . . . across the NERC Regions.'' 
\36\ Appelbaum states further that Reliability Standard CIP-003-7 
``will result in different auditor conclusions for similarly situated 
entities implementing similar protections.'' \37\ Appelbaum concludes 
that ``[c]lear requirements are needed to establish a common 
understanding of the necessary security to be achieved.'' \38\
---------------------------------------------------------------------------

    \35\ Appelbaum Comments at 5.
    \36\ Id. at 6.
    \37\ Id. at 7.
    \38\ Id.
---------------------------------------------------------------------------

3. Commission Determination
    27. We do not adopt the proposed directive, but rather adopt the 
Trade Associations' recommendation for a study and report to be filed 
with the Commission. We are satisfied with the explanation of NERC and 
other commenters that Section 3 of Attachment 1 to Reliability Standard 
CIP-003-7 provides a clear security objective that establishes 
compliance expectations. Specifically, we are persuaded by commenters 
that Section 3 of Attachment 1 requires responsible entities to adopt 
security controls to permit only necessary inbound and outbound 
electronic access to Cyber Assets connected using a routable protocol 
to low impact BES Cyber Systems.
    28. The concern raised in the NOPR focused on the lack of clear, 
objective criteria or measures to assess compliance with Reliability 
Standard CIP-003-7. As noted above, however, NERC states in its 
comments that responsible entities will be required to demonstrate that 
electronic access permissions and controls associated with low impact 
BES Cyber Systems are consistent with the stated security objective. 
NERC also clarifies that responsible entities will be required to 
``document the [business or operational] necessity of its inbound and 
outbound electronic access permissions and provide justification of the 
need for such access.'' \39\ Given NERC's statements, we believe that 
there will be adequate measures to assess compliance with Reliability 
Standard CIP-003-7. We expect responsible entities to be able to 
provide a technically sound explanation as to how their electronic 
access controls meet the security objective.
---------------------------------------------------------------------------

    \39\ NERC Comments at 4.
---------------------------------------------------------------------------
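The compliance evidence described in paragraph 28 (each inbound and outbound permission through the electronic access point tied to a documented business or operational need, and nothing else permitted) can be checked mechanically before an audit. The script below is an added example written for this page; it is not part of the order, the standard, or any NERC tooling. The rule schema, the 16-port breadth threshold, and the sample substation ruleset are all constructed assumptions chosen to illustrate the checks an auditor would apply under Section 3 of Attachment 1.

```python
"""Audit an electronic access point ruleset protecting a low impact BES
Cyber System against the Section 3 objective: permit only necessary
inbound and outbound routable access, with the necessity of every
permission documented.  Added example; rule schema, thresholds and the
sample rules are constructed for illustration, not taken from the order."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass
class Rule:
    name: str
    direction: str           # "inbound" or "outbound", relative to the low impact asset
    src: str                 # CIDR, or "any"
    dst: str                 # CIDR, or "any"
    proto: str               # "tcp", "udp", "icmp", or "any"
    ports: str               # "502", "20000-20010", or "any"
    action: str              # "permit" or "deny"
    justification: str = ""  # documented business/operational need (Section 3)


def _is_any(addr: str) -> bool:
    """True for the literal "any" or a zero-length prefix such as 0.0.0.0/0."""
    return addr == "any" or ip_network(addr, strict=False).prefixlen == 0


def _port_span(ports: str) -> int:
    """Number of ports a rule's service field covers."""
    if ports == "any":
        return 65536
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1


def audit(rules: List[Rule], max_ports: int = 16) -> List[str]:
    """Return one finding per problem; an empty list means every check passed.

    Checks applied (an assumed interpretation of the Section 3 objective):
      * each direction ends in a deny-all rule, so only listed access is permitted;
      * every permit carries a written justification (the evidence NERC says
        auditors will ask for);
      * no permit is any-to-any, and no inbound permit is from any source;
      * no permit opens a service scope wider than max_ports or all protocols.
    """
    findings: List[str] = []
    for direction in ("inbound", "outbound"):
        dir_rules = [r for r in rules if r.direction == direction]
        last = dir_rules[-1] if dir_rules else None
        if last is None or last.action != "deny" or not (_is_any(last.src) and _is_any(last.dst)):
            findings.append(f"{direction}: no terminal deny-all rule")
    for r in rules:
        if r.action != "permit":
            continue
        if not r.justification.strip():
            findings.append(f"{r.name}: permit without documented justification")
        if _is_any(r.src) and _is_any(r.dst):
            findings.append(f"{r.name}: permits any source to any destination")
        elif r.direction == "inbound" and _is_any(r.src):
            findings.append(f"{r.name}: inbound permit from any source")
        if r.proto == "any" or _port_span(r.ports) > max_ports:
            findings.append(f"{r.name}: service scope broader than {max_ports} ports")
    return findings


# Constructed sample ruleset for a hypothetical substation access point.
SAMPLE_RULES = [
    Rule("scada-poll", "inbound", "10.10.5.0/24", "192.168.50.10/32", "tcp", "20000",
         "permit", "DNP3 polling from control center SCADA masters"),
    Rule("vendor-rdp", "inbound", "any", "192.168.50.0/24", "tcp", "3389", "permit"),
    Rule("in-deny", "inbound", "any", "any", "any", "any", "deny", "default deny"),
    Rule("ntp-out", "outbound", "192.168.50.0/24", "10.10.1.5/32", "udp", "123",
         "permit", "time sync to corporate NTP server"),
    Rule("web-out", "outbound", "192.168.50.0/24", "0.0.0.0/0", "tcp", "any",
         "permit", "firmware downloads"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the constructed ruleset, the script reports the missing outbound deny-all, the undocumented and any-source vendor RDP permit, and the outbound rule that opens every TCP port; each of those is exactly the kind of permission for which a "technically sound explanation" (paragraph 28) would be hard to give. The thresholds are policy choices, not requirements of the standard, and an entity would tune them to its own documented plan.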

    29. In response to Appelbaum's comment that auditors will not have 
a common understanding on which to judge compliance across the ERO 
enterprise, we believe, in view of NERC's comments, that NERC and the 
Regional Entities will be able to assess both the effectiveness of a 
responsible entity's electronic access control plan and the responsible 
entity's adherence to that plan.
    30. Moreover, to ensure that the security controls are implemented 
and that Section 3 accomplishes its intended purpose, we adopt Trade 
Associations' proposal and direct NERC to conduct a study to assess the 
implementation of Reliability Standard CIP-003-7.\40\ The study should 
address what electronic access controls entities choose to implement 
and under what circumstances, and whether the electronic access 
controls adopted by responsible entities provide adequate security, as 
well as other relevant information found by NERC as a result of the 
study. NERC must file the study within eighteen months of the effective 
date of Reliability Standard CIP-003-7. We may revisit the need for 
modifications to Section 3 of Attachment 1 to Reliability Standard CIP-
003-7 if warranted by the study determination, or the results of audits 
or other compliance procedures.
---------------------------------------------------------------------------

    \40\ Trade Associations Comments at 9.
---------------------------------------------------------------------------

B. Mitigation of the Risk of Malicious Code Associated With Third-Party 
Transient Electronic Devices

1. NOPR
    31. In the NOPR, the Commission proposed to direct NERC to develop 
modifications to proposed Section 5 of Attachment 1 to Reliability 
Standard CIP-003-7 to mitigate the risk of malicious code that could 
result from third-party transient electronic devices.\41\ Specifically, 
the Commission raised a concern that Reliability Standard CIP-003-7 
does not explicitly require mitigation of the introduction of malicious 
code from third-party managed transient electronic devices, even if the 
responsible entity determines that the third-party's policies and 
procedures are inadequate. The Commission noted NERC's statement in its 
petition that a responsible entity's failure to mitigate this risk 
``may not constitute compliance.'' \42\ The Commission stated that 
NERC's explanation suggests that, with regard to low impact BES Cyber 
Systems, the requirement lacks an obligation for a responsible entity 
to correct any deficiencies that are discovered during a review of 
third-party transient electronic device management practices.
---------------------------------------------------------------------------

    \41\ Id. P 41.
    \42\ Id. P 39 (citing NERC Petition at 30).
---------------------------------------------------------------------------

    32. The Commission expressed concern that Reliability Standard CIP-
003-7 may contain a reliability gap where a responsible entity 
contracts with a third-party but fails to mitigate potential 
deficiencies discovered in the third-party's malicious code detection 
and prevention practices prior to a transient electronic device being 
connected to a low impact BES Cyber System. The Commission explained 
that the reliability gap would result from the fact that Reliability 
Standard CIP-003-7 does not contain: (1) A requirement for the 
responsible entity to mitigate any malicious code found during the 
third-party review(s); or (2) a requirement that the responsible entity 
take reasonable steps to mitigate the risks of third party malicious 
code on its systems, if an arrangement cannot be made for the

[[Page 17918]]

third-party to do so. The Commission observed that without such 
obligations responsible entities could, without compliance 
consequences, simply accept the risk of deficient third-party transient 
electronic device management practices.\43\
---------------------------------------------------------------------------

    \43\ Id. P 40 (citing Order No. 706, 122 FERC ¶ 61,040 at P 150 
(rejecting the concept of acceptance of risk in the CIP Reliability 
Standards)).
---------------------------------------------------------------------------

    33. Therefore, pursuant to section 215(d)(5) of the FPA, the 
Commission proposed to direct NERC to modify Reliability Standard CIP-
003-7 to require responsible entities to implement controls to address 
the need to mitigate the risk of malicious code that could result from 
third-party transient electronic devices.
2. Comments
    34. NERC states that it ``agrees with the Commission that, should a 
Responsible Entity find that a third party's processes and practices 
for protecting its transient electronic devices inadequate, the 
Responsible Entity must be required to take mitigating action prior to 
connecting third-party transient electronic devices to a low impact BES 
Cyber System.'' \44\ According to NERC, ``failure to take mitigating 
action in this circumstance[ ] could result in a finding of 
noncompliance with Section 5 of Attachment 1.'' \45\ NERC, therefore, 
asserts that ``the proposed directive may not be necessary and may be 
an inefficient use of NERC and industry resources.'' \46\ NERC 
observes, however, that ``[m]odifying proposed Section 5 to explicitly 
include a mitigation requirement for third-part[y] devices may remove 
any doubt about compliance expectations.'' \47\
---------------------------------------------------------------------------

    \44\ NERC Comments at 6 (citing NERC Petition at 29).
    \45\ Id.
    \46\ Id.
    \47\ Id.
---------------------------------------------------------------------------

    35. Trade Associations and ELCON do not support the proposed 
directive. Trade Associations contend that ``[a]lthough Section 5.2 [of 
Attachment 1 to CIP-003-7] does not explicitly require the responsible 
entity to mitigate the introduction of malicious code, risk mitigation 
is an explicit obligation under Section 5.'' \48\ Trade Associations 
state that if a responsible entity's plan does not ``achieve the 
objective of mitigating the risk of the introduction of malicious code 
to low impact BES Cyber Systems through the use of Transient Cyber 
Assets . . . then the plan will not comply with Section 5.'' \49\ Trade 
Associations maintain that the ``intent of the requirement is made 
clear in the Supplemental Material for Section 5 and 5.2, which both 
require the responsible entities to document how they will mitigate the 
introduction of malicious code.'' \50\ Trade Associations note in a 
footnote that:

    Although the Supplemental Material does not create binding 
obligations on responsible entities, the text of the Supplemental 
Material in the Proposed Standard further clarifies and reinforces 
that the binding requirements found in CIP-003-7, Attachment 1, 
Section 5 include the obligation to take additional steps if a 
third-party's practices do not meet the security objective.\51\

Trade Associations conclude that the Commission should approve 
Reliability Standard CIP-003-7 without modification.
---------------------------------------------------------------------------

    \48\ Trade Associations Comments at 10.
    \49\ Id. at 11.
    \50\ Id.
    \51\ Id.
---------------------------------------------------------------------------
    36. ELCON states that ``the requirement for a Low-Impact BES Cyber 
System owner or operator to actively mitigate deficiencies in third 
party's anti-virus security programs does exist in [Section 5 of 
Attachment 1 to Reliability Standard CIP-003-7].'' \52\ ELCON states 
that the opening paragraph of Section 5, which requires responsible 
entities to implement one or more plans to ``achieve the objective of 
mitigating the risk of the introduction of malicious code to low impact 
BES Cyber Systems through the use of Transient Cyber Assets or 
Removable Media,'' establishes an obligation to mitigate any identified 
deficiencies. ELCON contends that the objective of mitigating the risk 
``cannot be reached if the Responsible Entity allows a third party to 
connect an insufficiently evaluated [Transient Cyber Asset] to a Low-
Impact BES Cyber System.'' \53\ ELCON argues that the ``positioning of 
the requirement in the opening paragraph of Section 5 assures that 
mitigating actions must be taken to address deficiencies detected'' 
with responsible entity-owned Transient Cyber Assets, vendor-owned 
Transient Cyber Assets, and Removable Media.\54\
---------------------------------------------------------------------------

    \52\ ELCON Comments at 4 (emphasis in original).
    \53\ Id. at 4-5.
    \54\ Id. at 5.
---------------------------------------------------------------------------

3. Commission Determination
    37. We adopt the NOPR proposal and, pursuant to section 215(d)(5) 
of the FPA, direct that NERC develop modifications to Reliability 
Standard CIP-003-7 to address our concern and ensure that responsible 
entities implement controls to mitigate the risk of malicious code that 
could result from third-party transient electronic devices. NERC could 
satisfactorily address the identified concern, for example, by 
modifying Section 5 of Attachment 1 to CIP-003-7 to clarify that 
responsible entities must implement controls to mitigate the risk of 
malicious code that could result from the use of third-party transient 
electronic devices.
    38. The directed modification will improve the security posture of 
responsible entities by clarifying compliance expectations. While 
commenters claim that the provision is sufficiently clear and ask the 
Commission not to adopt the proposal, all commenters agree that there 
is not an explicit requirement to mitigate the threat of malicious code 
that could result from third-party transient electronic devices. While 
Trade Associations state that Section 5.2 of Attachment 1 does not 
explicitly require the mitigation of malicious code, Trade Associations 
and ELCON suggest that Section 5 generally requires risk mitigation. 
While commenters agree that, at least implicitly, the mitigation of 
malicious code is an obligation, the lack of a clear requirement could 
lead to confusion in both the development of a compliance plan and in 
the implementation of a compliance plan. In addition, although NERC 
contends that the proposed directive may not be necessary, NERC agrees 
that modifying Reliability Standard CIP-003-7 to address the mitigation 
of malicious code explicitly could clarify compliance obligations.
    39. Therefore, pursuant to FPA section 215(d)(5), we direct NERC to 
develop and submit modifications to Reliability Standard CIP-003-7 to 
include an explicit requirement that responsible entities implement 
controls to mitigate the risk of malicious code that could result from 
third-party transient electronic devices.

C. Implementation Plan and Effective Date

NERC Petition
    40. In its petition, NERC requests an effective date for 
Reliability Standard CIP-003-7 and the revised definitions of Transient 
Cyber Asset and Removable Media on the first day of the first calendar 
quarter that is eighteen months after the effective date of the 
Commission's order approving the Reliability Standard. NERC explains 
that the implementation plan does not alter the previously-approved 
compliance dates for Reliability Standard CIP-003-6 other than the 
compliance date for Reliability Standard CIP-003-6, Requirement R2, 
Attachment 1, Sections 2 and 3, which

[[Page 17919]]

would be replaced with the effective date for Reliability Standard CIP-
003-7. NERC also proposes that the retirement of Reliability Standard 
CIP-003-6 and the associated definitions become effective on the 
effective date of Reliability Standard CIP-003-7.\55\
---------------------------------------------------------------------------

    \55\ Id., Exhibit C (Implementation Plan).
---------------------------------------------------------------------------

    41. The NOPR proposed to approve NERC's implementation plan and 
effective date for Reliability Standard CIP-003-7. The Commission did 
not receive any comments regarding this aspect of the NOPR. 
Accordingly, we approve NERC's proposed implementation plan and 
effective date.

III. Information Collection Statement

    42. The FERC-725B information collection requirements contained in 
this Final Rule are subject to review by the Office of Management and 
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 
1995.\56\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\57\ Upon approval of a 
collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number. The Commission solicits comments on the 
Commission's need for this information, whether the information will 
have practical utility, the accuracy of the burden estimates, ways to 
enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
---------------------------------------------------------------------------

    \56\ 44 U.S.C. 3507(d) (2012).
    \57\ 5 CFR 1320.11 (2017).
---------------------------------------------------------------------------

    43. The Commission bases its paperwork burden estimates on the 
changes in paperwork burden presented by the proposed revision to CIP 
Reliability Standard CIP-003-7 as compared to the current Commission-
approved Reliability Standard CIP-003-6. The Commission has already 
addressed the burden of implementing Reliability Standard CIP-003-
6.\58\ As discussed above, the immediate rulemaking addresses three 
areas of modification to the CIP Reliability Standards: (1) Clarifying 
the obligations pertaining to electronic access control for low impact 
BES Cyber Systems; (2) adopting mandatory security controls for 
transient electronic devices (e.g., thumb drives, laptop computers, and 
other portable devices frequently connected to and disconnected from 
systems) used at low impact BES Cyber Systems; and (3) requiring 
responsible entities to have a policy for declaring and responding to 
CIP Exceptional Circumstances related to low impact BES Cyber Systems.
---------------------------------------------------------------------------

    \58\ See Order No. 822, 154 FERC ¶ 61,037 at PP 84-88.
---------------------------------------------------------------------------

    44. The NERC Compliance Registry, as of September 2017, identifies 
approximately 1,320 U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
1,100 entities will face an increased paperwork burden under 
Reliability Standard CIP-003-7, estimating that a majority of these 
entities will have one or more low impact BES Cyber Systems. Based on 
these assumptions, we estimate the following reporting burden:

                                  RM17-11-000 Final Rule
    [Mandatory Reliability Standards for critical infrastructure protection Reliability Standards]
-------------------------------------------------------------------------------------------------------------
                                   Number of   Annual      Total       Average burden   Total annual burden     Cost per
                                   respondents responses   number of   and cost per     hours and total         respondent
                                               per         responses   response \59\    annual cost             ($)
                                               respondent
                                   (1)         (2)         (3)=(1)*(2) (4)              (5)=(3)*(4)             (5)/(1)
-------------------------------------------------------------------------------------------------------------
Create low impact TCA assets       1,100       1           1,100       20 hrs.; $1,680  6,875 hrs.; $1,848,000  $1,680
 plan (one-time) \60\
Updates and reviews of low impact  1,100       \62\ 300    330,000     \63\ 1.5 hrs.;   495,000 hrs.;           37,800
 TCA assets (ongoing) \61\                                             $126             $41,580,000
Update/modify documentation to     1,100       1           1,100       20 hrs.; $1,680  6,875 hrs.; $1,848,000  1,680
 remove LERC and LEAP (one-time)
 \60\
Update paperwork for access        1,100       1           1,100       20 hrs.; $1,680  6,875 hrs.; $1,848,000  1,680
 control implementation in
 Section 2 \64\ and Section 3
 \65\ (ongoing) \61\
-------------------------------------------------------------------------------------------------------------
    Total (one-time) \60\                                  2,200                        13,750 hrs.; $3,696,000
    Total (ongoing) \61\                                   331,100                      501,875 hrs.; $43,428,000
-------------------------------------------------------------------------------------------------------------

    45. The following shows the annual cost burden for each group, 
based on the burden hours in the table above:
---------------------------------------------------------------------------

    \59\ The loaded hourly wage figure (includes benefits) is based 
on the average of three occupational categories for 2016 found on 
the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):
    Legal (Occupation Code: 23-0000): $143.68
    Electrical Engineer (Occupation Code: 17-2071): $68.12
    Office and Administrative Support (Occupation Code: 43-0000): 
$40.89
    ($143.68 + $68.12 + $40.89) / 3 = $84.23. The figure is rounded 
to $84.00 for use in calculating wage figures in this NOPR.
    \60\ This one-time burden applies in Year One only.
    \61\ This ongoing burden applies in Year 2 and beyond.
    \62\ We estimate that each entity will perform 25 updates per 
month. 25 updates *12 months = 300 updates (i.e. responses) per 
year.
    \63\ The 1.5 hours of burden per response is comprised of three 
sub-categories:
    Updates to managed low TCA assets: 15 minutes (0.25 hours) per 
response
    Updates to unmanaged low TCA assets: 60 minutes (1 hour) per 
response
    Reviews of low TCA applicable controls: 15 minutes (0.25 hours) 
per response.
    \64\ Physical Security Controls.
    \65\ Electronic Access Controls.
---------------------------------------------------------------------------

     Year 1: $3,696,000.
     Years 2 and 3: $43,428,000.
     The paperwork burden estimate includes costs associated 
with the initial development of a policy to address requirements 
relating to: (1) Clarifying the obligations pertaining to electronic 
access control for low impact BES Cyber Systems; (2) adopting mandatory 
security controls for transient electronic devices (e.g., thumb drives, 
laptop computers, and other portable devices frequently connected to 
and disconnected from systems) used at low

[[Page 17920]]

impact BES Cyber Systems; and (3) requiring responsible entities to 
have a policy for declaring and responding to CIP Exceptional 
Circumstances related to low impact BES Cyber Systems. Further, the 
estimate reflects the assumption that costs incurred in year 1 will 
pertain to policy development, while costs in years 2 and 3 will 
reflect the burden associated with maintaining logs and other records 
to demonstrate ongoing compliance.
    46. Title: Mandatory Reliability Standards, Revised Critical 
Infrastructure Protection Reliability Standards.
    Action: Revision to FERC-725B information collection.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This Final Rule approves the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. As discussed above, the Commission approves 
NERC's revised CIP Reliability Standard CIP-003-7 pursuant to section 
215(d)(2) of the FPA because it improves upon the currently-effective 
suite of cyber security CIP Reliability Standards.
    Internal Review: The Commission has reviewed the Reliability 
Standard and made a determination that its action is necessary to 
implement section 215 of the FPA.
    47. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen 
Brown, Office of the Executive Director, email: [email protected], 
phone: (202) 502-8663, fax: (202) 273-0873].
    48. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Information and 
Regulatory Affairs, Office of Management and Budget, 725 17th Street 
NW, Washington, DC 20503 [Attention: Desk Officer for the Federal 
Energy Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-
7285]. For security reasons, comments to OMB should be submitted by 
email to: [email protected]. Comments submitted to OMB should 
include Docket Number RM17-11-000 and OMB Control Number 1902-0248.

IV. Regulatory Flexibility Act Analysis

    49. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of Final Rules that will have significant 
economic impact on a substantial number of small entities.\66\ The 
Small Business Administration's (SBA) Office of Size Standards develops 
the numerical definition of a small business.\67\ The SBA revised its 
size standard for electric utilities (effective January 22, 2014) to a 
standard based on the number of employees, including affiliates (from 
the prior standard based on megawatt hour sales).\68\ Reliability 
Standard CIP-003-7 is expected to impose an additional burden on 1,100 
entities \69\ (reliability coordinators, generator operators, generator 
owners, interchange coordinators or authorities, transmission 
operators, balancing authorities, transmission owners, and certain 
distribution providers).
---------------------------------------------------------------------------

    \66\ 5 U.S.C. 601-12 (2012).
    \67\ 13 CFR 121.101 (2017).
    \68\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77343 (Dec. 23, 2013).
    \69\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. For the analysis in this Final Rule, we are using a 
500 employee threshold due to each affected entity falling within 
the role of Electric Bulk Power Transmission and Control (NAICS 
Code: 221121).
---------------------------------------------------------------------------

    50. Of the 1,100 affected entities discussed above, we estimate 
that approximately 857 or 78 percent \70\ of the affected entities are 
small. As discussed above, Reliability Standard CIP-003-7 enhances 
reliability by providing criteria against which NERC and the Commission 
can evaluate the sufficiency of an entity's electronic access controls 
for low impact BES Cyber systems, as well as improved security controls 
for transient electronic devices (e.g., thumb drives, laptop computers, 
and other portable devices frequently connected to and disconnected 
from systems). We estimate that each of the 857 small entities to whom 
the modifications to Reliability Standard CIP-003-7 applies will incur 
one-time costs of approximately $3,360 per entity to implement this 
standard, as well as the ongoing paperwork burden reflected in the 
Information Collection Statement (approximately $39,480 per year per 
entity). We do not consider the estimated costs for these 857 small 
entities to be a significant economic impact.
---------------------------------------------------------------------------

    \70\ 77.95 percent.
---------------------------------------------------------------------------

    51. Based on the above analysis, we certify that the approved 
Reliability Standard will not have a significant economic impact on a 
substantial number of small entities.

V. Environmental Analysis

    52. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\71\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\72\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \71\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \72\ 18 CFR 380.4(a)(2)(ii) (2017).
---------------------------------------------------------------------------

VI. Document Availability

    53. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    54. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field. User assistance is available for eLibrary and 
the Commission's website during normal business hours from the 
Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-
3676) or email at [email protected], or the Public Reference 
Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference 
Room at [email protected].

VII. Effective Date and Congressional Notification

    55. The Final Rule is effective June 25, 2018. The Commission has 
determined, with the concurrence of the Administrator of the Office of 
Information and Regulatory Affairs of OMB, that this rule is not a 
``major rule'' as defined in section 351 of the Small

[[Page 17921]]

Business Regulatory Enforcement Fairness Act of 1996. This Final Rule 
is being submitted to the Senate, House, and Government Accountability 
Office.

    By the Commission.

    Issued: April 19, 2018.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2018-08610 Filed 4-24-18; 8:45 am]
 BILLING CODE 6717-01-P
                                                                                                        paragraphs (a), (b), (c)(7) and (c)(8) to     Protection (CIP) Reliability Standard
                                              agency as defined in 44 U.S.C. 3502(5),                   read as follows:
                                              voluntarily complies with the executive                                                                 CIP–003–7 (Cyber Security—Security
                                              order. The rule will not have substantial                 § 740.5 Requirements for the official         Management Controls), submitted by the
                                                                                                        advertising statement.                        North American Electric Reliability
                                              direct effect on the states, on the
                                                                                                                                                      Corporation (NERC). Reliability
                                              connection between the national                              (a) Each insured credit union must         Standard CIP–003–7 clarifies the
                                              government and the states, or on the                      include the official advertising              obligations pertaining to electronic
                                              distribution of power and                                 statement, prescribed in paragraph (b) of access control for low impact BES Cyber
                                              responsibilities among the various                        this section, in all of its advertisements, Systems; requires mandatory security
                                              levels of government. The NCUA has                        including on its main internet page,          controls for transient electronic devices
                                              determined that this rule does not                        except as provided in paragraph (c) of        (e.g., thumb drives, laptop computers,
                                              constitute a policy with federalism                       this section.                                 and other portable devices frequently
                                              implications for purposes of the                                                                        connected to and disconnected from
                                                                                                           (b)(1) The official advertising
                                              executive order.                                                                                        systems) used at low impact BES Cyber
                                                                                                        statement is in substance one of the
                                              Small Business Regulatory Enforcement                     following:                                    Systems; and requires responsible
                                                                                                                                                      entities to have a policy for declaring
                                              Fairness Act                                                 (i) This credit union is federally         and responding to CIP Exceptional
                                                 The Small Business Regulatory                          insured by the National Credit Union          Circumstances related to low impact
                                              Enforcement Fairness Act of 1996 (Pub.                    Administration;                               BES Cyber Systems. In addition, the
                                              L. 104–121) (SBREFA) provides                                (ii) Federally insured by NCUA;            Commission directs NERC to develop
                                              generally for congressional review of                                                                   modifications to the CIP Reliability
                                                                                                           (iii) Insured by NCUA; or
                                              agency rules. A reporting requirement is                                                                Standards to mitigate the risk of
                                                                                                           (iv) A reproduction of the official sign malicious code that could result from
                                              triggered in instances where the NCUA                     as described in § 740.4(b) may be used
                                              issues a final rule as defined in Section                                                               third-party transient electronic devices.
                                                                                                        in lieu of the other statements included      DATES: This rule will become effective
                                              551 of the Administrative Procedure                       in this section. If the official sign is used June 25, 2018.
                                              Act. The NCUA does not believe this                       as the official advertising statement, an
                                              final rule is a ‘‘major rule’’ within the                                                               FOR FURTHER INFORMATION CONTACT:
                                                                                                        insured credit union may alter the font       Matthew Dale (Technical Information),
                                              meaning of the relevant sections of                       size to ensure its legibility as provided
                                              SBREFA. As required by SBREFA, the                                                                         Office of Electric Reliability, Federal
                                                                                                        in § 740.4(b)(2).                                Energy Regulatory Commission, 888
                                              NCUA has filed the appropriate
                                              documentation with OMB for review.                           (2) The official advertising statement        First Street NE, Washington, DC
                                                                                                        must be in a size and print that is clearly      20426, (202) 502–6826,
                                              The Treasury and General Government                       legible and may be no smaller than the           matthew.dale@ferc.gov
                                              Appropriations Act of 1999—                               smallest font size used in other portions Kevin Ryan (Legal Information), Office
                                              Assessment of Federal Regulations and                     of the advertisement intended to convey          of the General Counsel, Federal
                                              Policies on Families                                      information to the consumer.                     Energy Regulatory Commission, 888
                                                                                                                                                         First Street NE, Washington, DC
                                                The NCUA has determined that this                          (c) * * *                                     20426, (202) 502–6840 kevin.ryan@
                                              rule will not affect family well-being                       (7) Advertisements by radio which do          ferc.gov
                                              within the meaning of Section 654 of                      not exceed thirty (30) seconds in time;       SUPPLEMENTARY INFORMATION:
                                              the Treasury and General Government                          (8) Advertisements by television,          Before Commissioners: Kevin J. McIntyre,
                                              Appropriations Act, 1999.11
sradovich on DSK3GMQ082PROD with RULES




                                                                                                        other than display advertisements,              Chairman; Cheryl A. LaFleur, Neil
                                              List of Subjects in 12 CFR Part 740                       which do not exceed thirty (30) seconds         Chatterjee, Robert F. Powelson, and
                                                                                                                                                        Richard Glick.
                                                                                                        in time;
                                                Advertisements, Credit unions, Share                                                                     1. Pursuant to section 215 of the
                                              insurance, Signs and symbols.                             *       *    *     *      *                   Federal Power Act (FPA),1 the
                                                                                                        [FR Doc. 2018–08557 Filed 4–24–18; 8:45 am]
                                                11 Public   Law 105–277, 112 Stat. 2681 (1998).         BILLING CODE 7535–01–P                                  1 16   U.S.C. 824o (2012).



                                         VerDate Sep<11>2014     16:26 Apr 24, 2018   Jkt 244001   PO 00000   Frm 00013   Fmt 4700   Sfmt 4700   E:\FR\FM\25APR1.SGM    25APR1


[Page 17914]

Commission approves Reliability Standard CIP–003–7 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. Reliability Standard CIP–003–7 addresses the Commission's directives from Order No. 822 and is an improvement over the current Commission-approved CIP Reliability Standards.2 Specifically, Reliability Standard CIP–003–7 improves upon the existing Reliability Standards by: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems;3 (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. We also approve NERC's proposed implementation plan and violation risk factor and violation severity level assignments. Finally, we approve NERC's proposed revised definitions for inclusion in the NERC Glossary.

2. In the NOPR, the Commission proposed to direct that NERC modify Reliability Standard CIP–003–7 to: (1) Provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems; and (2) address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices.4 The Commission adopts the NOPR proposal regarding third-party transient electronic devices but does not adopt the proposal regarding criteria for electronic access controls for low impact BES Cyber Systems.

3. As discussed below, in view of the comments from NERC and others, we are persuaded that Reliability Standard CIP–003–7 provides a clear security objective that establishes compliance expectations. Accordingly, we do not adopt the proposed directive relating to electronic access controls for low impact BES Cyber Systems. Instead, as suggested in the comments, we direct NERC to conduct a study to assess the implementation of Reliability Standard CIP–003–7 to determine whether the electronic access controls adopted by responsible entities provide adequate security. NERC must submit the directed study within eighteen months of the effective date of Reliability Standard CIP–003–7.

4. With regard to the second issue discussed in the NOPR, we remain concerned that the proposed Reliability Standard lacks a clear requirement to mitigate the risk of malicious code that could result from third-party transient electronic devices. Accordingly, we direct NERC to develop a modification to the Reliability Standard to provide the needed clarity. Such modification will better ensure that registered entities clearly understand their mitigation obligations and, thus, improve individual entity mitigation plans and collectively improve the cybersecurity posture of the electric grid.

I. Background

A. Section 215 and Mandatory Reliability Standards

5. Section 215 of the FPA requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.5 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,6 and subsequently certified NERC.7

B. Order No. 822

6. The Commission approved the "Version 1" CIP Reliability Standards in January 2008, and subsequently acted on revised versions of the CIP Reliability Standards.8 On January 21, 2016, in Order No. 822, the Commission approved seven CIP Reliability Standards: CIP–003–6 (Security Management Controls), CIP–004–6 (Personnel and Training), CIP–006–6 (Physical Security of BES Cyber Systems), CIP–007–6 (Systems Security Management), CIP–009–6 (Recovery Plans for BES Cyber Systems), CIP–010–2 (Configuration Change Management and Vulnerability Assessments), and CIP–011–2 (Information Protection). The Commission determined that the Reliability Standards under consideration at that time were an improvement over the prior iteration of the CIP Reliability Standards and addressed the directives in Order No. 791 by, among other things, addressing in an equally effective and efficient manner the need for a NERC Glossary definition for the term "communication networks" and providing controls to address the risks posed by transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at high and medium impact BES Cyber Systems.9

7. In addition, in Order No. 822, pursuant to section 215(d)(5) of the FPA, the Commission directed NERC, inter alia, to: (1) Develop modifications to the Low Impact External Routable Connectivity (LERC) definition to eliminate ambiguity surrounding the term "direct" as it is used in the LERC definition; and (2) develop modifications to the CIP Reliability Standards to provide mandatory protection for transient electronic devices used at low impact BES Cyber Systems.10

C. NERC Petition

8. On March 3, 2017, NERC submitted a petition seeking approval of Reliability Standard CIP–003–7 and the associated violation risk factors and violation severity levels, implementation plan and effective date. NERC states that Reliability Standard CIP–003–7 satisfies the criteria set forth in Order No. 672 that the Commission applies when reviewing a proposed Reliability Standard.11 NERC also sought approval of revisions to NERC Glossary definitions for the terms Removable

  2 Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 154 FERC ¶ 61,037, reh'g denied, Order No. 822–A, 156 FERC ¶ 61,052 (2016).
  3 BES Cyber System is defined by NERC as "[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). The acronym BES refers to the bulk electric system. Reliability Standard CIP–002–5.1a (Cyber Security System Categorization) provides a "tiered" approach to cybersecurity requirements, based on classifications of high, medium and low impact BES Cyber Systems.
  4 Revised Critical Infrastructure Protection Reliability Standard CIP–003–7—Cyber Security—Security Management Controls, Notice of Proposed Rulemaking, 82 FR 49541 (Oct. 26, 2017), 161 FERC ¶ 61,047 (2017) (NOPR).
  5 16 U.S.C. 824o(e).
  6 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672–A, FERC Stats. & Regs. ¶ 31,212 (2006).
  7 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (DC Cir. 2009).
  8 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh'g, Order No. 706–A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706–B, 126 FERC ¶ 61,229 (2009), order on clarification, Order No. 706–C, 127 FERC ¶ 61,273 (2009); Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 145 FERC ¶ 61,160 (2013), order on clarification and reh'g, Order No. 791–A, 146 FERC ¶ 61,188 (2014).
  9 Order No. 822, 154 FERC ¶ 61,037 at P 17.
  10 Id. P 18.
  11 See NERC Petition at 2 (citing Order No. 672, FERC Stats. & Regs. ¶ 31,204 at PP 262, 321–337); id., Exhibit D (Order No. 672 Criteria).

[Page 17915]

[Column 1]

Media and Transient Cyber Asset, as well as the retirement of the NERC Glossary definitions of LERC and Low Impact BES Cyber System Access Point (LEAP). In addition, NERC proposed the retirement of Commission-approved Reliability Standard CIP–003–6.12

9. NERC states that Reliability Standard CIP–003–7 improves upon the existing protections that apply to low impact BES Cyber Systems. NERC avers that the proposed modifications address the Commission's directives from Order No. 822 by: (1) Clarifying electronic access control requirements applicable to low impact BES Cyber Systems; and (2) adding requirements for the protection of transient electronic devices used for low impact BES Cyber Systems. In addition, while not required by Order No. 822, NERC proposes a CIP Exceptional Circumstances policy for low impact BES Cyber Systems.

10. In response to the Commission's directive to develop modifications to eliminate ambiguity surrounding the term "direct" as it is used in the LERC definition, NERC proposes to: (1) Retire the terms LERC and LEAP from the NERC Glossary; and (2) modify Section 3 of Attachment 1 to Reliability Standard CIP–003–7 "to more clearly delineate the circumstances under which Responsible Entities must

[Column 2]

in their cyber security plans to mitigate the risk of the introduction of malicious code to low impact BES Cyber Systems that could result from the use of "Transient Cyber Assets or Removable Media." Specifically, proposed Section 5 of Attachment 1 lists controls to be applied to Transient Cyber Assets and Removable Media that NERC contends "will provide enhanced protections against the propagation of malware from transient devices."15

12. NERC also proposes a modification that was not directed by the Commission in Order No. 822. Namely, NERC proposes revisions in Requirement R1 of Reliability Standard CIP–003–7 to require responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.16 NERC states that a number of requirements in the existing CIP Reliability Standards specify that responsible entities do not have to implement or continue implementing these requirements to avoid hindering the entities' ability to timely and effectively respond to the CIP Exceptional Circumstance. NERC proposes to add a requirement for responsible entities to have a CIP Exceptional Circumstances policy that applies to low impact BES Cyber

[Column 3]

preferential, and in the public interest and addresses the directives in Order No. 822 by: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; and (2) adopting mandatory security controls for transient electronic devices used at low impact BES Cyber Systems. In addition, the NOPR observed that, by requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances for low impact BES Cyber Systems, Reliability Standard CIP–003–7 would align the treatment of low impact BES Cyber Systems with that of high and medium impact BES Cyber Systems, which currently include a requirement for declaring and responding to CIP Exceptional Circumstances. Therefore, the Commission proposed to approve Reliability Standard CIP–003–7 because the proposed modifications improve the base-line cybersecurity posture of responsible entities compared to the current Commission-approved CIP Reliability Standards.

15. In addition, the Commission proposed to direct that NERC develop modifications to Reliability Standard CIP–003–7 to address two issues: (1) Provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems; and (2)
                                              establish access controls for low impact                Systems since the proposed                                address the need to mitigate the risk of
                                              BES Cyber Systems.’’ 13 NERC states that                requirements relating to transient                        malicious code that could result from
                                              the proposed revisions are designed to                  electronic devices used at low impact                     third-party transient electronic devices.
                                              simplify the electronic access control                  BES Cyber Systems include an                              The Commission explained that
                                              requirements associated with low                        exception for CIP Exceptional                             modifications directed at these two
                                              impact BES Cyber Systems to avoid                       Circumstances.17                                          concerns will address potential gaps
                                              ambiguities associated with the term                       13. NERC requests that Reliability                     and improve the cyber security posture
                                              ‘‘direct.’’ NERC explains that it                       Standard CIP–003–7 and the revised                        of responsible entities that must comply
                                              recognized the ‘‘added layer of                         definitions of Transient Cyber Asset and                  with the CIP Reliability Standards.
                                              unnecessary complexity’’ introduced by                  Removable Media become effective the                         16. The Commission received
                                              distinguishing between ‘‘direct’’ and                   first day of the first calendar quarter that              comments in response to the NOPR
                                              ‘‘indirect’’ access within the LERC                     is eighteen months after the effective                    from Jonathan Appelbaum
                                              definition and asserts that the proposed                date of the Commission’s order                            (Appelbaum), Electric Consumers
                                              revisions will ‘‘help ensure that                       approving the Reliability Standard.                       Resource Council (ELCON), North
                                              Responsible Entities implement the                                                                                American Electric Reliability
                                              required security controls                              D. Notice of Proposed Rulemaking
                                                                                                                                                                Corporation (NERC), Transmission
                                              effectively.’’ 14                                         14. On October 19, 2017, the                            Access Policy Study Group (TAPS), and
                                                 11. With regard to the Commission’s                  Commission issued a NOPR that                             Trade Associations.18 We address below
                                              directive that NERC develop                             proposed to approve Reliability                           the issues raised in the NOPR and
                                              modifications to the CIP Reliability                    Standard CIP–003–7. The NOPR                              comments.
                                              Standards to provide mandatory                          proposed to determine that Reliability
                                              protection for transient electronic                     Standard CIP–003–7 is just, reasonable,                   II. Discussion
                                              devices used at low impact BES Cyber                    not unduly discriminatory or                                 17. Pursuant to section 215(d)(2) of
                                              Systems, NERC proposes to add a new                                                                               the FPA, we approve Reliability
                                              section to Attachment 1 of Reliability                    15 Id.at 26–27.                                         Standard CIP–003–7 as just, reasonable,
                                                                                                        16 A CIP Exceptional Circumstance is defined in
                                              Standard CIP–003–7 that requires                                                                                  not unduly discriminatory or
                                                                                                      the NERC Glossary as a situation that involves or
                                              responsible entities to include controls                threatens to involve one or more of the following,        preferential, and in the public interest.
                                                                                                                                                                Reliability Standard CIP–003–7
sradovich on DSK3GMQ082PROD with RULES




                                                                                                      or similar, conditions that impact safety or bulk
                                                 12 Reliability Standard CIP–003–7 is not attached
                                                                                                      electric system reliability: A risk of injury or death;   addresses the directives in Order No.
                                              to this Final Rule. The Reliability Standard is         a natural disaster; civil unrest; an imminent or
                                              available on the Commission’s eLibrary document         existing hardware, software, or equipment failure;
                                                                                                                                                                822 and is an improvement over the
                                              retrieval system in Docket No. RM17–11–000 and          A Cyber Security Incident requiring emergency             currently-effective, Commission-
                                              is posted on the NERC website, http://                  assistance; a response by emergency services; the
                                              www.nerc.com.                                           enactment of a mutual assistance agreement; or an           18 Trade Associations represent American Public
                                                 13 NERC Petition at 16.                              impediment of large scale workforce availability.         Power Association, Edison Electric Institute, and
                                                 14 Id. at 16.                                          17 NERC Petition at 31–32.                              National Rural Electric Cooperative Association.



                                         VerDate Sep<11>2014   16:26 Apr 24, 2018   Jkt 244001   PO 00000   Frm 00015   Fmt 4700   Sfmt 4700   E:\FR\FM\25APR1.SGM     25APR1


                                              17916              Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations

                                              approved CIP Reliability Standards.                      responsible entity would reasonably                   with the security objective.’’ 26
                                              Specifically, Reliability Standard CIP–                  meet the security objective of permitting             Specifically, NERC maintains that a
                                              003–7 improves upon the existing CIP                     only ‘‘necessary inbound and outbound                 responsible entity ‘‘must document the
                                              Reliability Standards by: (1) Clarifying                 electronic access’’ to its low impact BES             necessity of its inbound and outbound
                                              the obligations pertaining to electronic                 Cyber Systems.20 The Commission                       electronic access permissions and
                                              access control for low impact BES Cyber                  stated that, in order to ensure an                    provide justification of the need for
                                              Systems; (2) adopting mandatory                          objective and consistently-applied                    such access.’’ 27 NERC states further that
                                              security controls for transient electronic               requirement, the electronic access                    ‘‘[i]f a Responsible Entity fails to
                                              devices (e.g., thumb drives, laptop                      control plan required in Attachment 1                 articulate a reasonable business or
                                              computers, and other portable devices                    should require the responsible entity to              operational need for the electronic
                                              frequently connected to and                              articulate its access control strategy for            access permission, the ERO Enterprise
                                              disconnected from systems) used at low                   a particular set of low impact BES Cyber              would find that the Responsible Entity
                                              impact BES Cyber Systems; and (3)                        Systems and provide a technical                       did not comply with Section 3.1.’’ 28
                                              requiring responsible entities to have a                 rationale rooted in security principles               NERC continues that ‘‘[c]onsistent with
                                              policy for declaring and responding to                   explaining how that strategy will                     the intent of the Commission’s proposed
                                              CIP Exceptional Circumstances related                    reasonably restrict electronic access. In             directive, the Responsible Entity would
                                              to low impact BES Cyber Systems. We                      addition, the Commission stated that                  have to articulate its access control
                                              also approve NERC’s proposed                             Attachment 1 should outline basic                     strategy for the low impact BES Cyber
                                              implementation plan and violation risk                   security principles in order to provide               System and provide a technical
                                              factor and violation severity level                      clear, objective criteria or measures to              rationale rooted in security principles,
                                              assignments. Finally, we approve                         assist in assessing compliance.21                     explaining how that strategy will
                                              NERC’s proposed revised definitions for                    21. The Commission observed that                    reasonably restrict electronic access.’’ 29
                                              inclusion in the NERC Glossary.                          without clear, objective criteria or                  NERC states that if a responsible entity
                                                 18. In addition, as discussed below,                  measures, auditors will not necessarily               ‘‘fails to demonstrate that its chosen
                                              pursuant to section 215(d)(5) of the                     have adequate information to assess the               electronic access controls are properly
                                              FPA, we adopt the NOPR proposal and                      reasonableness of the responsible                     designed and implemented to meet the
                                              direct NERC to develop modifications to                  entity’s decision with respect to how the             security objective, the ERO Enterprise
                                              the CIP Reliability Standards to mitigate                responsible entity identified necessary               would find that the Responsible Entity
                                              the risk of malicious code that could                    communications or restricted electronic               did not comply with Section 3.1’’ of
                                              result from third-party transient                        access to specific low impact BES Cyber               Reliability Standard CIP–003–7.30
                                              electronic devices. However, for the                     Systems. The Commission posited that                     23. NERC concludes that while the
                                              reasons discussed below, we determine                    absent such information, it is possible               Commission’s proposed directive may
                                              not to adopt the NOPR proposal to                        that an auditor could assess a violation              not be necessary and could potentially
                                              direct NERC to develop criteria for                      where an entity adequately protected its              be an inefficient use of NERC and
                                              electronic access controls for low                       low impact BES Cyber Systems or fail to               industry resources, ‘‘[a]rticulating
                                              impact BES Cyber Systems at this time.                   recognize a situation where additional                objective criteria for electronic access
                                                 19. Below, we discuss the following                   protections are necessary to meet the                 controls for low impact BES Cyber
                                              matters: (A) Criteria for electronic access              security objective of the Reliability                 Systems may improve clarity and
                                              controls for low impact BES Cyber                        Standard.22                                           auditability, and help ensure that
                                              Systems; (B) mitigation of the risk of                                                                         entities implement effective electronic
                                                                                                       2. Comments
                                              malicious code associated with third-                                                                          access controls.’’ 31
                                              party transient electronic devices; and                     22. NERC acknowledges the NOPR                        24. Trade Associations, TAPS and
                                              (C) implementation plan and effective                    concerns but comments that a directive                ELCON do not support the proposed
                                              date.                                                    ‘‘may not be necessary.’’ 23 Specifically,            directive, claiming that the proposal
                                                                                                       NERC asserts that ‘‘Responsible Entities              would impose additional burdens on
                                              A. Criteria for Electronic Access                        must provide auditors sufficient                      registered entities without a
                                              Controls for Low Impact BES Cyber                        information to allow the auditors to                  corresponding reliability benefit. Trade
                                              Systems                                                  properly assess compliance with section               Associations and TAPS contend that
                                              1. NOPR                                                  3.1’’ of Reliability Standard CIP–003–                Section 3 of Attachment 1 to Reliability
                                                                                                       7.24 NERC contends that Section 3.1                   Standard CIP–003–7 gives responsible
                                                 20. In the NOPR, the Commission
                                                                                                       ‘‘articulates a clear security objective:             entities needed flexibility to develop
                                              proposed to direct NERC to develop
                                                                                                       permit only necessary inbound and                     and implement effective electronic
                                              modifications to Section 3 of
                                                                                                       outbound access to low impact BES                     access controls for low impact BES
                                              Attachment 1 to Reliability Standard
                                                                                                       Cyber Systems.’’ 25 NERC explains that                Cyber Systems. TAPS adds that
                                              CIP–003–7 to provide clear, objective
                                                                                                       Section 3.1 is not prescriptive due to the            Reliability Standard CIP–003–7 reflects
                                              criteria for electronic access controls for
                                                                                                       wide array of low impact BES Cyber                    what NERC, through the standard
                                              low impact BES Cyber Systems.19
                                                                                                       Systems and their lower risk to bulk                  development process, ‘‘determined was
                                              Specifically, the proposed directive
                                                                                                       electric system reliability, but, while               a technically appropriate tailoring of
                                              addressed the concern that Reliability
                                                                                                       Section 3.1 grants responsible entities               electronic access controls requirements
                                              Standard CIP–003–7 may not provide
                                                                                                       flexibility, ‘‘a Responsible Entity must              to low impact BES cyber systems.’’ 32
                                              adequate electronic access controls for
                                                                                                       demonstrate that its electronic access                Trade Associations recommend, as an
                                              low impact BES Cyber Systems because
                                                                                                       permissions and controls are consistent
sradovich on DSK3GMQ082PROD with RULES




                                              Reliability Standard CIP–003–7 does not                                                                          26 Id.   at 3–4.
                                              provide clear, objective criteria or                       20 Id. P 28.                                          27 Id.   at 4 (citing NERC Petition at 22).
                                              measures to assess compliance by                           21 Id. P 29.                                          28 Id.
                                              independently confirming that the                          22 Id.                                                29 Id.

                                              access control strategy adopted by a                       23 NERC Comments at 3.                                30 Id.
                                                                                                         24 Id. (citing NERC Petition at 21–24).               31 Id.   at 5.
                                                19 NOPR,   161 FERC ¶ 61,047 at P 32.                    25 Id.                                                32 TAPS      Comments at 7 (citing 16 U.S.C. 824o(d)).



                                         VerDate Sep<11>2014    16:26 Apr 24, 2018   Jkt 244001   PO 00000   Frm 00016   Fmt 4700   Sfmt 4700   E:\FR\FM\25APR1.SGM     25APR1


                                                                Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations                                                      17917

                                              alternative to the proposed directive,                  explanation of NERC and other                         information found by NERC as a result
                                              that the Commission approve the                         commenters that Section 3 of                          of the study. NERC must file the study
                                              proposed Reliability Standard without                   Attachment 1 to Reliability Standard                  within eighteen months of the effective
                                              modification and monitor its concerns,                  CIP–003–7 provides a clear security                   date of Reliability Standard CIP–003–7.
                                              for example, by directing NERC to                       objective that establishes compliance                 We may revisit the need for
                                              conduct a study to assess the                           expectations. Specifically, we are                    modifications to Section 3 of
                                              implementation by responsible entities                  persuaded by commenters that Section                  Attachment 1 to Reliability Standard
                                              of Reliability Standard CIP–003–7                       3 of Attachment 1 requires responsible                CIP–003–7 if warranted by the study
                                              electronic access controls to determine                 entities to adopt security controls to                determination, or the results of audits or
                                              whether there are in fact inadequate                    permit only necessary inbound and                     other compliance procedures.
                                              controls. According to Trade                            outbound electronic access to Cyber
                                                                                                      Assets connected using a routable                     B. Mitigation of the Risk of Malicious
                                              Associations, a fact-driven assessment
                                                                                                      protocol to low impact BES Cyber                      Code Associated With Third-Party
                                              would help to inform and demonstrate
                                                                                                      Systems.                                              Transient Electronic Devices
                                              a reliability and security need for future
                                              Commission actions related to the CIP                      28. The concern raised in the NOPR                 1. NOPR
                                              Reliability Standards.33                                focused on the lack of clear, objective
                                                                                                      criteria or measures to assess                           31. In the NOPR, the Commission
                                                 25. Further, Trade Associations assert                                                                     proposed to direct NERC to develop
                                              that a risk-based approach is essential to              compliance with Reliability Standard
                                                                                                      CIP–003–7. As noted above, however,                   modifications to proposed Section 5 of
                                              allow responsible entities to focus their                                                                     Attachment 1 to Reliability Standard
                                              resources on assets that have a higher                  NERC states in its comments that
                                                                                                      responsible entities will be required to              CIP–003–7 to mitigate the risk of
                                              impact on bulk electric system                                                                                malicious code that could result from
                                              reliability. ELCON adds that while it                   demonstrate that electronic access
                                                                                                      permissions and controls associated                   third-party transient electronic
“appreciates the value establishing more tangible criteria for adequate Low-Impact BES Cyber System controls, . . . the additional requirements that the Commission proposes would do nothing to harden a Low-Impact facility against the rapid evolution in cyber warfare.” 34

26. Appelbaum supports the proposed directive regarding Section 3 of Attachment 1 to Reliability Standard CIP–003–7. Appelbaum notes that Reliability Standard CIP–003–7 “leaves the choice of controls to the [responsible entity] and leaves an Auditor with no requirement basis to perform an audit.” 35 Appelbaum states that under “NERC’s proposal that each entity establishes their own security plan and only needs to demonstrate compliance and adherence to its plan then . . . the implementation of security controls will be implemented to various levels of security and differentiated . . . across the NERC Regions.” 36 Appelbaum states further that Reliability Standard CIP–003–7 “will result in different auditor conclusions for similarly situated entities implementing similar protections.” 37 Appelbaum concludes that “[c]lear requirements are needed to establish a common understanding of the necessary security to be achieved.” 38

3. Commission Determination

27. We do not adopt the proposed directive, but rather adopt the Trade Associations’ recommendation for a study and report to be filed with the Commission. We are satisfied with the

with low impact BES Cyber Systems are consistent with the stated security objective. NERC also clarifies that responsible entities will be required to “document the [business or operational] necessity of its inbound and outbound electronic access permissions and provide justification of the need for such access.” 39 Given NERC’s statements, we believe that there will be adequate measures to assess compliance with Reliability Standard CIP–003–7. We expect responsible entities to be able to provide a technically sound explanation as to how their electronic access controls meet the security objective.

29. In response to Appelbaum’s comment that auditors will not have a common understanding on which to judge compliance across the ERO enterprise, in view of NERC’s comments, we believe that NERC and the Regional Entities will have the ability to assess the effectiveness of a responsible entity’s electronic access control plan as well as a responsible entity’s adherence to its electronic access control plan.

30. Moreover, to ensure that the security controls are implemented and that Section 3 accomplishes its intended purpose, we adopt Trade Associations’ proposal and direct NERC to conduct a study to assess the implementation of Reliability Standard CIP–003–7.40 The study should address what electronic access controls entities choose to implement and under what circumstances, and whether the electronic access controls adopted by responsible entities provide adequate security, as well as other relevant

devices.41 Specifically, the Commission raised a concern that Reliability Standard CIP–003–7 does not explicitly require mitigation of the introduction of malicious code from third-party managed transient electronic devices, even if the responsible entity determines that the third-party’s policies and procedures are inadequate. The Commission noted NERC’s statement in its petition that a responsible entity’s failure to mitigate this risk “may not constitute compliance.” 42 The Commission stated that NERC’s explanation suggests that, with regard to low impact BES Cyber Systems, the requirement lacks an obligation for a responsible entity to correct any deficiencies that are discovered during a review of third-party transient electronic device management practices.

32. The Commission expressed concern that Reliability Standard CIP–003–7 may contain a reliability gap where a responsible entity contracts with a third-party but fails to mitigate potential deficiencies discovered in the third-party’s malicious code detection and prevention practices prior to a transient electronic device being connected to a low impact BES Cyber System. The Commission explained that the reliability gap would result from the fact that Reliability Standard CIP–003–7 does not contain: (1) A requirement for the responsible entity to mitigate any malicious code found during the third-party review(s); or (2) a requirement that the responsible entity take reasonable steps to mitigate the risks of third party malicious code on its systems, if an arrangement cannot be made for the

33 Trade Associations Comments at 9.
34 ELCON Comments at 4.
35 Appelbaum Comments at 5.
36 Id. at 6.
37 Id. at 7.
38 Id.
39 NERC Comments at 4.
40 Trade Associations Comments at 9.
41 Id. P 41.
42 Id. P 39 (citing NERC Petition at 30).

17918 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations

third-party to do so. The Commission observed that without such obligations responsible entities could, without compliance consequences, simply accept the risk of deficient third-party transient electronic device management practices.43

33. Therefore, pursuant to section 215(d)(5) of the FPA, the Commission proposed to direct NERC to modify Reliability Standard CIP–003–7 to require responsible entities to implement controls to address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices.

2. Comments

34. NERC states that it “agrees with the Commission that, should a Responsible Entity find that a third party’s processes and practices for protecting its transient electronic devices inadequate, the Responsible Entity must be required to take mitigating action prior to connecting third-party transient electronic devices to a low impact BES Cyber System.” 44 According to NERC, “failure to take mitigating action in this circumstance[ ] could result in a finding of noncompliance with Section 5 of Attachment 1.” 45 NERC, therefore, asserts that “the proposed directive may not be necessary and may be an inefficient use of NERC and industry resources.” 46 NERC observes, however, that “[m]odifying proposed Section 5 to explicitly include a mitigation requirement for third-part[y] devices may remove any doubt about compliance expectations.” 47

35. Trade Associations and ELCON do not support the proposed directive. Trade Associations contend that “[a]lthough Section 5.2 [of Attachment 1 to CIP–003–7] does not explicitly require the responsible entity to mitigate the introduction of malicious code, risk mitigation is an explicit obligation under Section 5.” 48 Trade Associations state that if a responsible entity’s plan does not “achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets . . . then the plan will not comply with Section 5.” 49 Trade Associations maintains that the “intent of the requirement is made clear in the Supplemental Material for Section 5 and 5.2, which both require the responsible entities to document how they will mitigate the introduction of malicious code.” 50 Trade Associations note in a footnote that:

    Although the Supplemental Material does not create binding obligations on responsible entities, the text of the Supplemental Material in the Proposed Standard further clarifies and reinforces that the binding requirements found in CIP–003–7, Attachment 1, Section 5 include the obligation to take additional steps if a third-party’s practices do not meet the security objective.51

Trade Associations conclude that the Commission should approve Reliability Standard CIP–003–7 without modification.

36. ELCON states that “the requirement for a Low-Impact BES Cyber System owner or operator to actively mitigate deficiencies in third party’s anti-virus security programs does exist in [Section 5 of Attachment 1 to Reliability Standard CIP–003–7].” 52 ELCON states that the opening paragraph of Section 5, which requires responsible entities to implement one or more plans to “achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media,” establishes an obligation to mitigate any identified deficiencies. ELCON contends that the objective of mitigating the risk “cannot be reached if the Responsible Entity allows a third party to connect an insufficiently evaluated [Transient Cyber Asset] to a Low-Impact BES Cyber System.” 53 ELCON argues that the “positioning of the requirement in the opening paragraph of Section 5 assures that mitigating actions must be taken to address deficiencies detected” with responsible entity-owned Transient Cyber Assets, vendor-owned Transient Cyber Assets, and Removable Media.54

3. Commission Determination

37. We adopt the NOPR proposal and, pursuant to section 215(d)(5) of the FPA, direct that NERC develop modifications to Reliability Standard CIP–003–7 to address our concern and ensure that responsible entities implement controls to mitigate the risk of malicious code that could result from third-party transient electronic devices. NERC could satisfactorily address the identified concern, for example, by modifying Section 5 of Attachment 1 to CIP–003–7 to clarify that responsible entities must implement controls to mitigate the risk of malicious code that could result from the use of third-party transient electronic devices.

38. The directed modification will improve the security posture of responsible entities by clarifying compliance expectations. While commenters claim that the provision is sufficiently clear and ask the Commission not to adopt the proposal, all commenters agree that there is not an explicit requirement to mitigate the threat of malicious code that could result from third-party transient electronic devices. While Trade Associations state that Section 5.2 of Attachment 1 does not explicitly require the mitigation of malicious code, Trade Associations and ELCON suggest that Section 5 generally requires risk mitigation. While commenters agree that, at least implicitly, the mitigation of malicious code is an obligation, the lack of a clear requirement could lead to confusion in both the development of a compliance plan and in the implementation of a compliance plan. In addition, although NERC contends that the proposed directive may not be necessary, NERC agrees that modifying Reliability Standard CIP–003–7 to address the mitigation of malicious code explicitly could clarify compliance obligations.

39. Therefore, pursuant to FPA section 215(d)(5), we direct NERC to develop and submit modifications to Reliability Standard CIP–003–7 to include an explicit requirement that responsible entities implement controls to mitigate the risk of malicious code that could result from third-party transient electronic devices.

C. Implementation Plan and Effective Date

NERC Petition

40. In its petition, NERC requests an effective date for Reliability Standard CIP–003–7 and the revised definitions of Transient Cyber Asset and Removable Media on the first day of the first calendar quarter that is eighteen months after the effective date of the Commission’s order approving the Reliability Standard. NERC explains that the implementation plan does not alter the previously-approved compliance dates for Reliability Standard CIP–003–6 other than the compliance date for Reliability Standard CIP–003–6, Requirement R2, Attachment 1, Sections 2 and 3, which

43 Id. P 40 (citing Order No. 706, 122 FERC ¶ 61,040 at P 150 (rejecting the concept of acceptance of risk in the CIP Reliability Standards)).
44 NERC Comments at 6 (citing NERC Petition at 29).
45 Id.
46 Id.
47 Id.
48 Trade Associations Comments at 10.
49 Id. at 11.
50 Id.
51 Id.
52 ELCON Comments at 4 (emphasis in original).
53 Id. at 4–5.
54 Id. at 5.

Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Rules and Regulations 17919

would be replaced with the effective date for Reliability Standard CIP–003–7. NERC also proposes that the retirement of Reliability Standard CIP–003–6 and the associated definitions become effective on the effective date of Reliability Standard CIP–003–7.55

41. The NOPR proposed to approve NERC’s implementation plan and effective date for Reliability Standard CIP–003–7. The Commission did not receive any comments regarding this aspect of the NOPR. Accordingly, we approve NERC’s proposed implementation plan and effective date.

III. Information Collection Statement

42. The FERC–725B information collection requirements contained in this Final Rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.56 OMB’s regulations require approval of certain information collection requirements imposed by agency

Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission’s need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents’ burden, including the use of automated information techniques.

43. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the proposed revision to CIP Reliability Standard CIP–003–7 as compared to the current Commission-approved Reliability Standard CIP–003–6. The Commission has already addressed the burden of implementing

modification to the CIP Reliability Standards: (1) Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; (2) adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.

44. The NERC Compliance Registry, as of September 2017, identifies approximately 1,320 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,100 entities will face an increased paperwork burden under Reliability Standard CIP–003–7, estimating that a majority of these entities will have one or more low
                                              rules.57 Upon approval of a collection of                                          Reliability Standard CIP–003–6.58 As                                            impact BES Cyber Systems. Based on
                                              information, OMB will assign an OMB                                                discussed above, the immediate                                                  these assumptions, we estimate the
                                              control number and expiration date.                                                rulemaking addresses three areas of                                             following reporting burden:
                                                                                                                    RM17–11–000 FINAL RULE
                                                                                         [Mandatory Reliability Standards for critical infrastructure protection Reliability Standards]

                                                                                                                                     Annual                                         Average burden                           Total annual burden                  Cost per
                                                                                                        Number of                   number of                Total number            and cost per                              hours and total                   respondent
                                                                                                       respondents               responses per               of responses             response 59                                annual cost                         ($)
                                                                                                                                   respondent

                                                                                                               (1)                        (2)                (1) * (2) = (3)                   (4)                               (3) * (4) = (5)                    (5) ÷ (1)

                                              Create low impact TCA assets plan                                      1,100                             1               1,100   20 hrs.; $1,680 ...........             6,875 hrs.; $1,848,000 ..............                $1,680
                                                (one-time). 60
                                              Updates and reviews of low impact                                      1,100                      62 300             330,000     63 1.5   hrs.; $126 .........           495,000 hrs.; $41,580,000 ........                   37,800
                                                TCA assets (ongoing). 61
                                              Update/modify documentation to re-                                     1,100                             1               1,100   20 hrs.; $1,680 ...........             6,875 hrs.; $1,848,000 ..............                  1,680
                                                move LERC and LEAP (one-
                                                time). 60
                                              Update paperwork for access control                                    1,100                             1               1,100   20 hrs.; $1,680 ...........             6,875 hrs.; $1,848,000 ..............                  1,680
                                                implementation in Section 2 64 and
                                                Section 3 65 (ongoing). 61
                                                   Total (one-time) 60 .....................          ........................   ........................              2,200   .....................................   13,750 hrs.; $3,696,000 ............    ........................

                                                   Total   (ongoing) 61   .......................     ........................   ........................          331,100     .....................................   501,875 hrs.; $43,428,000 ........      ........................



                                                45. The following shows the annual                                                 • The paperwork burden estimate                                               Systems; (2) adopting mandatory
                                              cost burden for each group, based on the                                           includes costs associated with the initial                                      security controls for transient electronic
                                              burden hours in the table above:                                                   development of a policy to address                                              devices (e.g., thumb drives, laptop
                                                • Year 1: $3,696,000.                                                            requirements relating to: (1) Clarifying                                        computers, and other portable devices
                                                                                                                                 the obligations pertaining to electronic                                        frequently connected to and
                                                • Years 2 and 3: $43,428,000.
                                                                                                                                 access control for low impact BES Cyber                                         disconnected from systems) used at low

                                                55 Id.,Exhibit C (Implementation Plan).                                             Electrical Engineer (Occupation Code: 17–2071):                                63 The 1.5 hours of burden per response is

                                                56 44 U.S.C. 3507(d) (2012).                                                     $68.12                                                                          comprised of three sub-categories:
                                                57 5 CFR 1320.11 (2017).                                                            Office and Administrative Support (Occupation                                  Updates to managed low TCA assets: 15 minutes
                                                58 See Order No. 822, 154 FERC ¶ 61,037 at PP
                                                                                                                                 Code: 43–0000): $40.89                                                          (0.25 hours) per response
                                                                                                                                    ($143.68 + $68.12 + $40.89) ÷ 3 = $84.23. The
sradovich on DSK3GMQ082PROD with RULES




                                              84–88.                                                                                                                                                               Updates to unmanaged low TCA assets: 60
                                                                                                                                 figure is rounded to $84.00 for use in calculating
                                                59 The loaded hourly wage figure (includes
                                                                                                                                 wage figures in this NOPR.                                                      minutes (1 hour) per response
                                              benefits) is based on the average of three                                            60 This one-time burden applies in Year One only.                              Reviews of low TCA applicable controls: 15
                                              occupational categories for 2016 found on the                                         61 This ongoing burden applies in Year 2 and                                 minutes (0.25 hours) per response.
                                              Bureau of Labor Statistics website (http://                                        beyond.                                                                           64 Physical Security Controls.

                                              www.bls.gov/oes/current/naics2_22.htm):                                               62 We estimate that each entity will perform 25                                65 Electronic Access Controls.

                                                Legal (Occupation Code: 23–0000): $143.68                                        updates per month. 25 updates *12 months = 300
                                                                                                                                 updates (i.e. responses) per year.



                                         VerDate Sep<11>2014       16:26 Apr 24, 2018               Jkt 244001        PO 00000          Frm 00019           Fmt 4700   Sfmt 4700      E:\FR\FM\25APR1.SGM                  25APR1


impact BES Cyber Systems; and (3) requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to policy development, while costs in years 2 and 3 will reflect the burden associated with maintaining logs and other records to demonstrate ongoing compliance.

46. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Protection Reliability Standards.

Action: Revision to FERC–725B information collection.

OMB Control No.: 1902–0248.

Respondents: Businesses or other for-profit institutions; not-for-profit institutions.

Frequency of Responses: On Occasion.

Necessity of the Information: This Final Rule approves the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission approves NERC’s revised CIP Reliability Standard CIP–003–7 pursuant to section 215(d)(2) of the FPA because it improves upon the currently-effective suite of cyber security CIP Reliability Standards.

Internal Review: The Commission has reviewed the Reliability Standard and made a determination that its action is necessary to implement section 215 of the FPA.

47. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502–8663, fax: (202) 273–0873].

48. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Information and Regulatory Affairs, Office of Management and Budget, 725 17th Street NW, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395–4638, fax: (202) 395–7285]. For security reasons, comments to OMB should be submitted by email to: oira_submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RM17–11–000 and OMB Control Number 1902–0248.

IV. Regulatory Flexibility Act Analysis

49. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of Final Rules that will have significant economic impact on a substantial number of small entities.[66] The Small Business Administration’s (SBA) Office of Size Standards develops the numerical definition of a small business.[67] The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).[68] Reliability Standard CIP–003–7 is expected to impose an additional burden on 1,100 entities [69] (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, transmission owners, and certain distribution providers).

50. Of the 1,100 affected entities discussed above, we estimate that approximately 857 or 78 percent [70] of the affected entities are small. As discussed above, Reliability Standard CIP–003–7 enhances reliability by providing criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s electronic access controls for low impact BES Cyber Systems, as well as improved security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems). We estimate that each of the 857 small entities to whom the modifications to Reliability Standard CIP–003–7 applies will incur one-time costs of approximately $3,360 per entity to implement this standard, as well as the ongoing paperwork burden reflected in the Information Collection Statement (approximately $39,480 per year per entity). We do not consider the estimated costs for these 857 small entities to be a significant economic impact.

51. Based on the above analysis, we certify that the approved Reliability Standard will not have a significant economic impact on a substantial number of small entities.

V. Environmental Analysis

52. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.[71] The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.[72] The actions proposed herein fall within this categorical exclusion in the Commission’s regulations.

VI. Document Availability

53. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission’s Home Page (http://www.ferc.gov) and in the Commission’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426.

54. From the Commission’s Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field. User assistance is available for eLibrary and the Commission’s website during normal business hours from the Commission’s Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

55. The Final Rule is effective June 25, 2018. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ‘‘major rule’’ as defined in section 351 of the Small

[66] 5 U.S.C. 601–12 (2012).
[67] 13 CFR 121.101 (2017).
[68] SBA Final Rule on ‘‘Small Business Size Standards: Utilities,’’ 78 FR 77343 (Dec. 23, 2013).
[69] Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this Final Rule, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).
[70] 77.95 percent.
[71] Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
[72] 18 CFR 380.4(a)(2)(ii) (2017).

Business Regulatory Enforcement Fairness Act of 1996. This Final Rule is being submitted to the Senate, House, and Government Accountability Office.

By the Commission.

Issued: April 19, 2018.

Nathaniel J. Davis, Sr.,
Deputy Secretary.

[FR Doc. 2018–08610 Filed 4–24–18; 8:45 am]
BILLING CODE 6717–01–P
                                              (FOIA) Program
                                                                                                      Aaron T. Siegel,                                       remain in the closed-to-navigation
                                              AGENCY:    Office of the Secretary, DoD.                Alternate OSD Federal Register Liaison                 position from 8:30 a.m. through 11 a.m.
                                              ACTION:   Final rule.                                   Officer, Department of Defense.                        on May 19, 2018. Navigation on the
                                                                                                      [FR Doc. 2018–08663 Filed 4–24–18; 8:45 am]            waterway consists primarily of
                                              SUMMARY:   This final rule removes one of               BILLING CODE 5001–06–P                                 commercial tows and recreational
                                              the Department’s two DoD-level                                                                                 watercraft. This temporary deviation has
                                              regulations concerning the                                                                                     been coordinated with waterway users.
                                              implementation of and assignment of                                                                            No objections were received.
                                              responsibilities for the DoD Freedom of                 DEPARTMENT OF HOMELAND
                                                                                                                                                                Vessels able to pass through the
                                              Information Act (FOIA) program. Any                     SECURITY
                                                                                                                                                             bridge in the closed position may do so
                                              content required to be in an agency’s                                                                          at any time. The bridge will not be able
                                              FOIA rule from this part was                            Coast Guard
                                                                                                                                                             to open for emergencies and there are no
                                              incorporated into the Department’s                                                                             alternate routes for vessels transiting
                                              other DoD-level regulation concerning                   33 CFR Part 117
                                                                                                                                                             this section of the Upper Mississippi
                                              the DoD FOIA program, which was                         [Docket No. USCG–2018–0325]                            River. The Coast Guard will inform
                                              recently revised and for which a final                                                                         users of the waterways through our
                                              rule published on February 6, 2018.                     Drawbridge Operation Regulation;                       Local and Broadcast Notices to Mariners
                                              Therefore, this part can now be removed                 Upper Mississippi River, Rock Island,                  of the change in operating schedule for
                                              from the CFR.                                           IL                                                     the bridge so the vessel operators can
                                                 Additionally, the revised DoD-level                                                                         arrange their transits to minimize any
                                              FOIA rule now includes DoD                              AGENCY: Coast Guard, DHS.                              impact caused by this temporary
                                              component FOIA program information,                     ACTION:Notice of deviation from                        deviation.
                                              which eliminated the requirement for                    drawbridge regulation.                                    In accordance with 33 CFR 117.35(e),
                                              component supplementary rules.                                                                                 the drawbridge must return to its regular
                                              Accordingly, all of the department’s                    SUMMARY:   The Coast Guard has issued a                operating schedule immediately at the
                                              necessary FOIA public guidance has                      temporary deviation from the operating                 end of the effective period of this
                                              been incorporated into a single part.                   schedule that governs the Rock Island                  temporary deviation. This deviation
                                                                                                      Railroad and Highway Drawbridge                        from the operating regulations is
                                              DATES: This rule is effective on April 25,
                                                                                                      across the Upper Mississippi River, mile               authorized under 33 CFR 117.35.
                                              2018.
                                                                                                      482.9, at Rock Island, Illinois. The
                                              FOR FURTHER INFORMATION CONTACT:                        deviation is necessary to facilitate the                 Dated: April 19, 2018.
                                              James Hogan at 571–372–0462.                            Quad City Heart Walk. This deviation                   Eric A. Washburn,
                                              SUPPLEMENTARY INFORMATION: It has been                  allows the bridge to remain in the                     Bridge Administrator, Western Rivers.
                                              determined that publication of this CFR                 closed-to-navigation position for                      [FR Doc. 2018–08625 Filed 4–24–18; 8:45 am]
                                              part removal for public comment is                      approximately two and a half (2.5)                     BILLING CODE 9110–04–P
                                              impracticable, unnecessary, and                         hours on one day until the race is
                                              contrary to public interest because any                 completed.
                                              public-facing guidance from this part                                                                          POSTAL SERVICE
                                              was incorporated into another CFR part                  DATES: This deviation is effective from
sradovich on DSK3GMQ082PROD with RULES




                                              for which public comment has already                    8:30 a.m. through 11 a.m. on May 19,
                                                                                                                                                             39 CFR Part 20
                                              been taken. Any internal guidance from                  2018.
                                              this part will continue to be published                 ADDRESSES:   The docket for this                       International Mail Manual;
                                              in DoD Directive 5400.07 available at                   deviation, [USCG–2018–0325] is                         Incorporation by Reference
                                              http://www.esd.whs.mil/Portals/54/                      available at http://www.regulations.gov.               AGENCY:    Postal ServiceTM.
                                              Documents/DD/issuances/dodd/                            Type the docket number in the
                                                                                                                                                             ACTION:   Final rule.
                                              540007p.pdf.                                            ‘‘SEARCH’’ box and click ‘‘SEARCH.’’


                                         VerDate Sep<11>2014   16:26 Apr 24, 2018   Jkt 244001   PO 00000    Frm 00021   Fmt 4700   Sfmt 4700   E:\FR\FM\25APR1.SGM   25APR1



Document Created: 2018-11-02 08:17:05
Document Modified: 2018-11-02 08:17:05
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This rule will become effective June 25, 2018.
Contact: Matthew Dale (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6826, [email protected]; Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected]
FR Citation: 83 FR 17913
